Save 37% off PRO during our Black Friday Sale! »

Building Your Own DFIR Sidekick: THREADS Edition

Ded29c7918dce50c65131df03c769004?s=47 Scott J. Roberts
November 14, 2014
Technology
2
640

Building Your Own DFIR Sidekick: THREADS Edition

My latest (and final) Hubot for IR talk, given at the excellent NYUPoly CSAW THREADS 2014.

Ded29c7918dce50c65131df03c769004?s=128

Scott J. Roberts

November 14, 2014
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
Ded29c7918dce50c65131df03c769004?s=48 sroberts
2
270
Ded29c7918dce50c65131df03c769004?s=48 sroberts
3
4.2k
Ded29c7918dce50c65131df03c769004?s=48 sroberts
1
73
Ded29c7918dce50c65131df03c769004?s=48 sroberts
0
60
Ded29c7918dce50c65131df03c769004?s=48 sroberts
1
200
Ded29c7918dce50c65131df03c769004?s=48 sroberts
3
2.7k
Ded29c7918dce50c65131df03c769004?s=48 sroberts
5
900
Ded29c7918dce50c65131df03c769004?s=48 sroberts
1
11k
Ded29c7918dce50c65131df03c769004?s=48 sroberts
2
800

Other Decks in Technology

See All in Technology
7a29c02251394fc05ebd88c631c562dc?s=48 takufujii
0
170
4a545656ecacd1cde3548bf3e1b66f07?s=48 seputaratote
0
11k
3499a1d71fa70b8ee44816ca9e7329fe?s=48 bells17
0
250
140494d272a4d89883a94fdfdb29dea2?s=48 oracle4engineer
PRO
0
100
79c2f7db29ee6df3e1ceb85c6a0126d3?s=48 moriwaka
0
160
5dbaf4015e7f249ab21b195ced8e9e46?s=48 masatoshitada
1
170
A13fd21165bce344d35fd1d1245e14f2?s=48 aachan5550
0
350
23f4d5d797a91b6d17d627b90b5a42d9?s=48 kentaro
0
510
847a328633b1df6b11cc2f72430025e6?s=48 ks91
PRO
0
140
932329c79bc511fdfed22abbd5ec92d2?s=48 rnakamuramartiny
0
1.1k
3e77f9dbec6a87756d1dbdddab283aee?s=48 nulabinc
PRO
1
190
590fe37e032309f0f2657135085e395d?s=48 kmotohas
0
390

Featured

See All Featured
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
449
36k
5f83ef806155b403c3393160ce51f955?s=48 jlugia
218
16k
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
253
11k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
270
17k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
56
5.7k
864a009ac73600c7c02e1f26629dd989?s=48 paigeccino
7
420
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
208
20k
5b6a2bd86ef643786a381a212e0ef2f1?s=48 geoffreycrofte
44
3.5k
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
177
8.2k
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
57
9.6k
0438ae60cde4c7add6f9da48f28c15cc?s=48 chrisshort
6
28k
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
25
4.2k

Transcript

  1. Building Your Own DFIR Sidekick ChatOps for Incident Response

  2. I do incident response @ GitHub Hi, I’m Scott

  3. He Does Basically Everything @ GitHub This is Hubot

  4. “making it easier to work together than to work alone….”

  5. ๏ CHatops & Incident Response ๏ Hubot Variable Threat Response

    ๏ Deploying & Developing Hubot

  6. A Brief Introduction to ChatOps

  7. What is ChatOps?! DevOps + Chat = Chatops Collaborative Terminal

    Experience

  8. So What Really is ChatOps?!

  9. None
  10. None

  11. Chat

  12. Chat

  13. None

  14. Why Chatops anyway?

  15. Geographically distributed

  16. None
  17. None

  18. asynchronous

  19. multi device

  20. None
  21. None
  22. None

  23. hides the “ugly” Or at least makes interfaces consistent

  24. “This was always my main motivation with Hubot - teaching

    by doing by making things visible.” - @Tomayko

  25. How GitHub Uses Chatops

  26. deploy & monitor servers via Puppet

  27. deploy & monitor Code via Capistrano & Jenkins CI

  28. Monitor Systems via Nagios

  29. None
  30. None

  31. Update our Status Site (Hopefully rarely)

  32. Lookup Funny pictures And Gifs Too!

  33. None

  34. Shoutout to MattJay

  35. So what about DFIR?! Hint: We were already Doing It

  36. Managing our pager alerts via pagerduty

  37. Showing Process Lists on Hosts

  38. Changing firewall rules

  39. getting whois information

  40. getting app logs & stats via Splunk & Graphite

  41. None

  42. “Swinging the BanHammer”

  43. Other “secret” stuff just come ask me if you’re curious

  44. “making it easier to work together than to work alone….”

  45. “making it easier to Respond to Incidents together than to

    Respond alone….”

  46. Hubot VTR

  47. Hubot ๏ node.js based Chat bot ๏ coffeeScript based actions

    ๏ deployable anywhere you can run node.js (Unix, Windows, Heroku, etc)

  48. ๏Disk Forensics ๏Network Forensics ๏Open Source Intelligence ๏Malware Analysis

  49. hubot-vtr modules for dfir

  50. Code name generator Because you can’t call it
 “That thing

    from January” forever

  51. Geolocating IPs But not for attribution...

  52. reverse dns lookups

  53. checking resource reputations mywot, Google, virustotal, & Opendns

  54. None

  55. research links generator Robtext, CentralOps, Hurricane Electric…

  56. server profiling via shodan

  57. None

  58. malware research via virustotal

  59. passive dns via virustotal

  60. detection generation via yara & Snort

  61. force multipler

  62. Deployment & Development

  63. Deployment Local Or Heroku

  64. 3 Components brain + Connector + Scripts

  65. Development CoffeeScript On NodeJs

  66. None

  67. Docs Matter

  68. None
  69. None
  70. None
  71. None
  72. None
  73. None
  74. None
  75. None
  76. None
  77. None

  78. Hubot’s “Voice”

  79. In Conclusion…

  80. ChatOps can make incident response collaborative & Hubot VTR puts

    DFIR tools & tasks in chat

  81. Find Out More Hubot.GitHub.com & GitHub.com/sroberts/hubot-vtr-scripts

  82. Contact Me github & twitter: @sroberts sroberts.github.io

  83. Thanks!!!

  84. None