Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Your Own DFIR Sidekick: THREADS Edition

Scott J. Roberts
November 14, 2014
Technology
2
700

Building Your Own DFIR Sidekick: THREADS Edition

My latest (and final) Hubot for IR talk, given at the excellent NYUPoly CSAW THREADS 2014.

Scott J. Roberts

November 14, 2014
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
Homemade Ramen & Threat Intelligence
sroberts
2
400
Introduction to Open Source Security Tools
sroberts
3
4.6k
Building Effective Threat Intelligence Sharing
sroberts
1
90
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
sroberts
0
79
Crisis Communication for Incident Response
sroberts
1
260
Hipster DFIR on OSX - BSidesCincy
sroberts
3
3k
Community Intelligence & Open Source Tools
sroberts
5
1k
Responding @ Scale: osquery for Mass Incident Response and Detection
sroberts
1
12k
Hipster DFIR on OSX
sroberts
2
910

Other Decks in Technology

See All in Technology
Failures and learnings during the adoption of DDD
mploed
0
240
Case Studies: Modern Development Practices In Highly Regulated Environments
charity
2
1.3k
ログから学ぶgo build
nasa_desu
3
430
○郎系ラーメンを注文したつりだったのにトールバニラノン ファットアドリストレットショットチョコレートソースエクス トラホイップコーヒージェリーアンドクリーミーバニラフラペ チーノが出てきた話 〜ミスコミュニケーションが起こした悲劇〜
hagevvashi
2
410
[関東Kaggler会 スポンサーセッション] LayerXの事業と機械学習でできること / kanto-kaggler-layerx
shimacos
0
610
Priorityを制するものはローディングを制す
edwardkenfox
4
340
SRE を実践するためのプラットフォームの作り方と技術マネジメント / Building a Platform for SRE
irotoris
0
3.4k
電動マイクロモビリティのシェアサービス「LUUP」におけるEnabling SLOの実践
grimoh
1
320
ChatGPTを前に頭が真っ白を乗り越え人が答えることが困難な認知負荷MAXなタフクエスチョンをどんどん回答させてプロダクト価値を爆速探求するぞ/cognitive_load_question_and_chatgpt
moriyuya
2
390
Customer-Centricity Unleashed: Transforming Businesses with LINE Tech
linedevth
1
190
230930_XP祭り_ビジネスへの越境を考える /230930_XP_Fest_Across_Your_Border_to_Business
mkwrd
PRO
0
390
30点で打席に立つ
konifar
56
34k

Featured

See All Featured
From Idea to $5000 a Month in 5 Months
shpigford
376
45k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
12
5.7k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.8k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
3.9k
Agile that works and the tools we love
rasmusluckow
323
20k
Navigating Team Friction
lara
177
12k
Build your cross-platform service in a week with App Engine
jlugia
223
17k
Designing the Hi-DPI Web
ddemaree
274
33k
BBQ
matthewcrist
76
8.4k
Building an army of robots
kneath
300
41k
Designing with Data
zakiwarfel
93
4.5k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.2k

Transcript

  1. Building Your Own
    DFIR Sidekick
    ChatOps for Incident Response

    View Slide

  2. I do incident response @ GitHub
    Hi, I’m Scott

    View Slide

  3. He Does Basically Everything
    @
    GitHub
    This is Hubot

    View Slide

  4. “making it easier to work together than
    to work alone….”

    View Slide

  5. ๏ CHatops & Incident Response
    ๏ Hubot Variable Threat Response
    ๏ Deploying & Developing Hubot

    View Slide

  6. A Brief
    Introduction to
    ChatOps

    View Slide

  7. What is ChatOps?!
    DevOps + Chat = Chatops
    Collaborative Terminal Experience

    View Slide

  8. So What Really is
    ChatOps?!

    View Slide

  9. View Slide

  10. View Slide

  11. Chat

    View Slide

  12. Chat

    View Slide

  13. View Slide

  14. Why Chatops
    anyway?

    View Slide

  15. Geographically
    distributed

    View Slide

  16. View Slide

  17. View Slide

  18. asynchronous

    View Slide

  19. multi device

    View Slide

  20. View Slide

  21. View Slide

  22. View Slide

  23. hides the “ugly”
    Or at least makes interfaces
    consistent

    View Slide

  24. “This was always my main motivation
    with Hubot - teaching by doing by
    making things visible.”
    -
    @Tomayko

    View Slide

  25. How GitHub Uses
    Chatops

    View Slide

  26. deploy
    &
    monitor servers
    via Puppet

    View Slide

  27. deploy
    &
    monitor Code
    via Capistrano & Jenkins CI

    View Slide

  28. Monitor Systems
    via Nagios

    View Slide

  29. View Slide

  30. View Slide

  31. Update our
    Status Site
    (Hopefully rarely)

    View Slide

  32. Lookup Funny
    pictures
    And Gifs Too!

    View Slide

  33. View Slide

  34. Shoutout to MattJay

    View Slide

  35. So what about
    DFIR?!
    Hint: We were already Doing It

    View Slide

  36. Managing our
    pager alerts
    via pagerduty

    View Slide

  37. Showing Process
    Lists on Hosts

    View Slide

  38. Changing
    firewall rules

    View Slide

  39. getting whois
    information

    View Slide

  40. getting app
    logs & stats
    via Splunk & Graphite

    View Slide

  41. View Slide

  42. “Swinging the
    BanHammer”

    View Slide

  43. Other “secret”
    stuff
    just come ask me if you’re curious

    View Slide

  44. “making it easier to work together than
    to work alone….”

    View Slide

  45. “making it easier to Respond to Incidents
    together than to Respond alone….”

    View Slide

  46. Hubot VTR

    View Slide

  47. Hubot
    ๏ node.js based Chat bot
    ๏ coffeeScript based actions
    ๏ deployable anywhere you can run
    node.js (Unix, Windows, Heroku, etc)

    View Slide

  48. ๏Disk Forensics
    ๏Network Forensics
    ๏Open Source Intelligence
    ๏Malware Analysis

    View Slide

  49. hubot-vtr
    modules for dfir

    View Slide

  50. Code name
    generator
    Because you can’t call it

    “That thing from January” forever

    View Slide

  51. Geolocating IPs
    But not for attribution...

    View Slide

  52. reverse dns
    lookups

    View Slide

  53. checking
    resource
    reputations
    mywot, Google, virustotal, & Opendns

    View Slide

  54. View Slide

  55. research links
    generator
    Robtext, CentralOps, Hurricane
    Electric…

    View Slide

  56. server profiling
    via shodan

    View Slide

  57. View Slide

  58. malware
    research
    via virustotal

    View Slide

  59. passive dns
    via virustotal

    View Slide

  60. detection
    generation
    via yara & Snort

    View Slide

  61. force multipler

    View Slide

  62. Deployment
    &
    Development

    View Slide

  63. Deployment
    Local
    Or
    Heroku

    View Slide

  64. 3 Components
    brain
    +
    Connector
    +
    Scripts

    View Slide

  65. Development
    CoffeeScript
    On
    NodeJs

    View Slide

  66. View Slide

  67. Docs Matter

    View Slide

  68. View Slide

  69. View Slide

  70. View Slide

  71. View Slide

  72. View Slide

  73. View Slide

  74. View Slide

  75. View Slide

  76. View Slide

  77. View Slide

  78. Hubot’s “Voice”

    View Slide

  79. In
    Conclusion…

    View Slide

  80. ChatOps can make incident
    response collaborative
    &
    Hubot VTR puts DFIR tools
    & tasks in chat

    View Slide

  81. Find Out More
    Hubot.GitHub.com
    &
    GitHub.com/sroberts/hubot-vtr-scripts

    View Slide

  82. Contact Me
    github & twitter: @sroberts
    sroberts.github.io

    View Slide

  83. Thanks!!!

    View Slide

  84. View Slide