Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
Building Your Own DFIR Sidekick: THREADS Edition
Scott J. Roberts
November 14, 2014
Technology
2
690
Building Your Own DFIR Sidekick: THREADS Edition
My latest (and final) Hubot for IR talk, given at the excellent NYUPoly CSAW THREADS 2014.
Scott J. Roberts
November 14, 2014
Tweet
Share
More Decks by Scott J. Roberts
See All by Scott J. Roberts
Homemade Ramen & Threat Intelligence
sroberts
2
370
Introduction to Open Source Security Tools
sroberts
3
4.5k
Building Effective Threat Intelligence Sharing
sroberts
1
88
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
sroberts
0
71
Crisis Communication for Incident Response
sroberts
1
240
Hipster DFIR on OSX - BSidesCincy
sroberts
3
2.9k
Community Intelligence & Open Source Tools
sroberts
5
1k
Responding @ Scale: osquery for Mass Incident Response and Detection
sroberts
1
12k
Hipster DFIR on OSX
sroberts
2
880
Other Decks in Technology
See All in Technology
SmartHRからOktaへのSCIM連携で作り出すHRドリブンのアカウント管理
jousysmiler
1
120
NGINXENG JP#2 - 3-NGINX Plus・プロダクトのアップデート
hiropo20
0
250
re:Inventの完全招待制イベント Building a Roadmap to SaaSについて / Building a Roadmap to SaaS an invitation only event at reinvent
yayoi_dd
0
160
SSMパラメーターストアでクロススタック参照の罠を回避する
shuyakinjo
0
8k
CUEとKubernetesカスタムオペレータを用いた新しいネットワークコントローラをつくってみた
hrk091
1
300
OCI DevOps 概要 / OCI DevOps overview
oracle4engineer
PRO
0
510
IoTを始めたきっかけの話と個人でできるIoTの今後 / 新年LT会「私の愛するIoT 2023」
you
0
250
Deep dive in Reserved Instance ~脳死推奨量購入からの脱却~
kzkmaeda
0
550
ユーザーテストガイドライン VERSION 2.0
kouzoukaikaku
0
1.6k
OVN-Kubernetes-Introduction-ja-2023-01-27.pdf
orimanabu
1
460
OpenShift.Run2023_create-aro-with-terraform
ishiitaiki20fixer
1
360
開発者と協働できるメトリクスダッシュボードを作ろう!/SRE Lounge 2023
lmi
3
630
Featured
See All Featured
Building Flexible Design Systems
yeseniaperezcruz
314
35k
Producing Creativity
orderedlist
PRO
335
38k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
31
20k
Designing for Performance
lara
600
65k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
128
8.8k
Imperfection Machines: The Place of Print at Facebook
scottboms
254
12k
Web Components: a chance to create the future
zenorocha
304
40k
BBQ
matthewcrist
75
8.1k
Docker and Python
trallard
30
1.9k
Rebuilding a faster, lazier Slack
samanthasiow
69
7.6k
The Cult of Friendly URLs
andyhume
69
5.1k
Build The Right Thing And Hit Your Dates
maggiecrowley
22
1.4k
Transcript
Building Your Own DFIR Sidekick ChatOps for Incident Response
I do incident response @ GitHub Hi, I’m Scott
He Does Basically Everything @ GitHub This is Hubot
“making it easier to work together than to work alone….”
๏ CHatops & Incident Response ๏ Hubot Variable Threat Response
๏ Deploying & Developing Hubot
A Brief Introduction to ChatOps
What is ChatOps?! DevOps + Chat = Chatops Collaborative Terminal
Experience
So What Really is ChatOps?!
None
None
Chat
Chat
None
Why Chatops anyway?
Geographically distributed
None
None
asynchronous
multi device
None
None
None
hides the “ugly” Or at least makes interfaces consistent
“This was always my main motivation with Hubot - teaching
by doing by making things visible.” - @Tomayko
How GitHub Uses Chatops
deploy & monitor servers via Puppet
deploy & monitor Code via Capistrano & Jenkins CI
Monitor Systems via Nagios
None
None
Update our Status Site (Hopefully rarely)
Lookup Funny pictures And Gifs Too!
None
Shoutout to MattJay
So what about DFIR?! Hint: We were already Doing It
Managing our pager alerts via pagerduty
Showing Process Lists on Hosts
Changing firewall rules
getting whois information
getting app logs & stats via Splunk & Graphite
None
“Swinging the BanHammer”
Other “secret” stuff just come ask me if you’re curious
“making it easier to work together than to work alone….”
“making it easier to Respond to Incidents together than to
Respond alone….”
Hubot VTR
Hubot ๏ node.js based Chat bot ๏ coffeeScript based actions
๏ deployable anywhere you can run node.js (Unix, Windows, Heroku, etc)
๏Disk Forensics ๏Network Forensics ๏Open Source Intelligence ๏Malware Analysis
hubot-vtr modules for dfir
Code name generator Because you can’t call it “That thing
from January” forever
Geolocating IPs But not for attribution...
reverse dns lookups
checking resource reputations mywot, Google, virustotal, & Opendns
None
research links generator Robtext, CentralOps, Hurricane Electric…
server profiling via shodan
None
malware research via virustotal
passive dns via virustotal
detection generation via yara & Snort
force multipler
Deployment & Development
Deployment Local Or Heroku
3 Components brain + Connector + Scripts
Development CoffeeScript On NodeJs
None
Docs Matter
None
None
None
None
None
None
None
None
None
None
Hubot’s “Voice”
In Conclusion…
ChatOps can make incident response collaborative & Hubot VTR puts
DFIR tools & tasks in chat
Find Out More Hubot.GitHub.com & GitHub.com/sroberts/hubot-vtr-scripts
Contact Me github & twitter: @sroberts sroberts.github.io
Thanks!!!
None