Building Your Own DFIR Sidekick: THREADS Edition
Scott J. Roberts
November 14, 2014
Technology
My latest (and final) Hubot for IR talk, given at the excellent NYUPoly CSAW THREADS 2014.
Transcript
Building Your Own DFIR Sidekick: ChatOps for Incident Response
Hi, I’m Scott. I do incident response @ GitHub.
This is Hubot. He does basically everything @ GitHub.
“making it easier to work together than to work alone….”
๏ ChatOps & Incident Response ๏ Hubot Variable Threat Response ๏ Deploying & Developing Hubot
A Brief Introduction to ChatOps
What is ChatOps?! DevOps + Chat = ChatOps. A collaborative terminal experience.
So What Really is ChatOps?!
Why ChatOps anyway?
Geographically distributed
Asynchronous
Multi-device
Hides the “ugly”, or at least makes interfaces consistent
“This was always my main motivation with Hubot - teaching by doing, by making things visible.” - @Tomayko
How GitHub Uses ChatOps
Deploy & monitor servers via Puppet
Deploy & monitor code via Capistrano & Jenkins CI
Monitor systems via Nagios
Update our status site (hopefully rarely)
Look up funny pictures and GIFs too!
Shoutout to MattJay
So what about DFIR?! Hint: we were already doing it
Managing our pager alerts via PagerDuty
Showing process lists on hosts
Changing firewall rules
Getting whois information
Getting app logs & stats via Splunk & Graphite
“Swinging the BanHammer”
Other “secret” stuff: just come ask me if you’re curious
“making it easier to work together than to work alone….”
“making it easier to respond to incidents together than to respond alone….”
Hubot VTR
Hubot ๏ Node.js-based chat bot ๏ CoffeeScript-based actions ๏ Deployable anywhere you can run Node.js (Unix, Windows, Heroku, etc.)
๏ Disk Forensics ๏ Network Forensics ๏ Open Source Intelligence ๏ Malware Analysis
hubot-vtr: modules for DFIR
Code name generator: because you can’t call it “that thing from January” forever
Geolocating IPs (but not for attribution...)
Reverse DNS lookups
Checking resource reputations: MyWOT, Google, VirusTotal, & OpenDNS
Research links generator: Robtex, CentralOps, Hurricane Electric…
Server profiling via Shodan
Malware research via VirusTotal
Passive DNS via VirusTotal
Detection generation via YARA & Snort
Force multiplier
Deployment & Development
Deployment: local or Heroku
3 components: brain + connector + scripts
Development: CoffeeScript on Node.js
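The slides above list what hubot-vtr does (code names, research links, Snort rule generation) and the three pieces a deployment is made of (brain, connector, scripts) without showing any code. The block below is an added example, not code from the talk or from hubot-vtr: a Hubot-style DFIR script written in plain JavaScript (Hubot loads .js as well as .coffee scripts) using Hubot’s real robot.respond / res.send / res.reply / robot.brain API, plus a small fake robot standing in for the brain and connector so it runs offline. The command names, the Robtex / CentralOps / Hurricane Electric URL formats, the codename word lists and the fakeRobot harness are assumptions made here, not hubot-vtr’s actual commands.

```javascript
// Added example (not from the talk or hubot-vtr). Command names, URL formats,
// word lists and fakeRobot are hypothetical choices made for this example.

const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;
const DOMAIN = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Chat input is untrusted: whatever an analyst pastes must match a strict pattern
// before it goes into an API query, a shell command or a detection rule.
function classifyIndicator(raw) {
  const s = String(raw).trim().replace(/\[\.\]/g, '.'); // accept defanged 203.0.113[.]5
  if (IPV4.test(s)) return { type: 'ipv4', value: s };
  if (DOMAIN.test(s)) return { type: 'domain', value: s.toLowerCase() };
  return { type: 'invalid', value: s };
}

// "Research links generator": hand the analyst the pivots. Assumed URL formats.
function researchLinks(ind) {
  const v = encodeURIComponent(ind.value);
  const ip = ind.type === 'ipv4';
  return [
    `https://www.robtex.com/${ip ? 'ip-lookup' : 'dns-lookup'}/${v}`,
    `https://centralops.net/co/DomainDossier.aspx?addr=${v}`,
    `https://bgp.he.net/${ip ? 'ip' : 'dns'}/${v}`,
  ];
}

// "Detection generation via Snort": one rule per IPv4 indicator. SIDs come from
// the brain so two analysts never mint the same one (local rules start at 1000000).
function snortRule(robot, ind, msg) {
  if (ind.type !== 'ipv4') throw new Error('snort rule needs an IPv4 indicator');
  const sid = robot.brain.get('vtr.nextSid') || 1000001;
  robot.brain.set('vtr.nextSid', sid + 1);
  const safeMsg = msg.replace(/[";\\]/g, ' '); // msg must not close the option list
  return `alert ip any any -> ${ind.value} any (msg:"${safeMsg}"; sid:${sid}; rev:1;)`;
}

// "Code name generator": a stable name per incident id, persisted in the brain
// so the whole team (and the next shift) sees the same one.
const ADJ = ['amber', 'silent', 'crimson', 'hollow'];
const NOUN = ['otter', 'lantern', 'harbor', 'kestrel'];
function codename(robot, incidentId, rng = Math.random) {
  const names = robot.brain.get('vtr.codenames') || {};
  if (names[incidentId]) return names[incidentId];
  const taken = new Set(Object.values(names));
  const pick = (list) => list[Math.floor(rng() * list.length)];
  let name = null;
  for (let i = 0; i < 50 && name === null; i++) {
    const candidate = `${pick(ADJ)}-${pick(NOUN)}`;
    if (!taken.has(candidate)) name = candidate;
  }
  if (name === null) throw new Error('codename space exhausted');
  names[incidentId] = name;
  robot.brain.set('vtr.codenames', names);
  return name;
}

// The script proper: what Hubot would require() from scripts/. Each listener
// validates first and only then does the work.
function dfirScript(robot) {
  robot.respond(/research (\S+)$/i, (res) => {
    const ind = classifyIndicator(res.match[1]);
    if (ind.type === 'invalid') return res.reply(`"${ind.value}" is not an IPv4 address or hostname`);
    return res.send(researchLinks(ind).join('\n'));
  });
  robot.respond(/snort (\S+) (.+)$/i, (res) => {
    const ind = classifyIndicator(res.match[1]);
    if (ind.type !== 'ipv4') return res.reply(`"${ind.value}" is not an IPv4 address`);
    return res.send(snortRule(robot, ind, res.match[2]));
  });
  robot.respond(/codename (\S+)$/i, (res) => res.send(codename(robot, res.match[1])));
}
if (typeof module !== 'undefined') module.exports = dfirScript;

// Stand-in for Hubot's robot: an in-memory brain and a "connector" that feeds one
// line of chat to the listeners and returns what the bot would have said. A real
// deployment gets both from Hubot and its adapter.
function fakeRobot() {
  const store = {};
  const listeners = [];
  return {
    brain: { get: (k) => (k in store ? store[k] : null), set: (k, v) => { store[k] = v; } },
    respond: (re, cb) => listeners.push([re, cb]),
    hear(text) {
      const out = [];
      for (const [re, cb] of listeners) {
        const m = text.match(re);
        if (m) cb({ match: m, send: (t) => out.push(t), reply: (t) => out.push(t) });
      }
      return out;
    },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const robot = fakeRobot();
  dfirScript(robot);
  for (const line of ['research 203.0.113[.]5', 'snort 203.0.113.5 known C2', 'codename INC-42']) {
    console.log(`> ${line}\n${robot.hear(line).join('\n')}`);
  }
}
```

Everything here only reads or generates text. Commands that change state from chat, like the firewall-rule and “BanHammer” examples earlier in the deck, should additionally check the requesting chat user against an allow list and log who ran what, since anyone who can post in the channel can otherwise drive them.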
Docs Matter
Hubot’s “Voice”
In Conclusion…
ChatOps can make incident response collaborative, & Hubot VTR puts DFIR tools & tasks in chat
Find Out More Hubot.GitHub.com & GitHub.com/sroberts/hubot-vtr-scripts
Contact me: GitHub & Twitter @sroberts, sroberts.github.io
Thanks!!!