Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Your Own DFIR Sidekick: THREADS Edition

Ded29c7918dce50c65131df03c769004?s=47 Scott J. Roberts
November 14, 2014
Technology
2
660

Building Your Own DFIR Sidekick: THREADS Edition

My latest (and final) Hubot for IR talk, given at the excellent NYUPoly CSAW THREADS 2014.

Ded29c7918dce50c65131df03c769004?s=128

Scott J. Roberts

November 14, 2014
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
Homemade Ramen & Threat Intelligence
Ded29c7918dce50c65131df03c769004?s=48 sroberts
2
320
Introduction to Open Source Security Tools
Ded29c7918dce50c65131df03c769004?s=48 sroberts
3
4.4k
Building Effective Threat Intelligence Sharing
Ded29c7918dce50c65131df03c769004?s=48 sroberts
1
77
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
Ded29c7918dce50c65131df03c769004?s=48 sroberts
0
64
Crisis Communication for Incident Response
Ded29c7918dce50c65131df03c769004?s=48 sroberts
1
220
Hipster DFIR on OSX - BSidesCincy
Ded29c7918dce50c65131df03c769004?s=48 sroberts
3
2.9k
Community Intelligence & Open Source Tools
Ded29c7918dce50c65131df03c769004?s=48 sroberts
5
950
Responding @ Scale: osquery for Mass Incident Response and Detection
Ded29c7918dce50c65131df03c769004?s=48 sroberts
1
11k
Hipster DFIR on OSX
Ded29c7918dce50c65131df03c769004?s=48 sroberts
2
840

Other Decks in Technology

See All in Technology
Power AutomateでのAdaptive Cards-基本編
C0c0e8e4d7f83912cb1b1a0699df82a5?s=48 miyakemito
1
210
データエンジニアリングの潮流を俯瞰する
Cb7edd153cf503f44c727b73647558bf?s=48 tetsuroito
1
720
要約 "Add Live Text interaction to your app"
9e64d2069945742c818421e884603b44?s=48 ushisantoasobu
0
130
雑な攻撃からELBを守る一工夫 +おまけ / Know-how to protect servers from miscellaneous attacks
8e8410eb785755ae2cb485f85dbab6e8?s=48 hiroga
0
420
2022年度新卒技術研修「Docker」講義
094e424062f60b011a0d0b294fbc17e4?s=48 excitejp
PRO
0
360
GeoLocationAnchor and MKTileOverlay
61a68b2172503ecdf7a7f7757df56071?s=48 toyship
0
110
IoTLT88-NTKanazawa-laundry-dry
4256c3dc4c4b6933bb2ffb4176a595a0?s=48 yukima0707
0
200
Implementing Kubernetes operators in Java with Micronaut - TechWeek Java Summit 2022
6ff7b4622483547899dd09918d83732e?s=48 alvarosanchez
0
110
What's new in Vision
53e2d354b3299d64a54af680865516d5?s=48 satotakeshi
0
150
ノーメンテナンス運用実現のためのノウハウ/ColoplTech-05-02
E704514df1d69d511c4c74771a40c8f5?s=48 colopl
0
160
JFrog 最新情報 - JFrog DevOps プラットフォームの今までとこれから / jfrog-update-for-devopskaigi-2022
567600e04dbcb14d6bd8f120e6625a27?s=48 tsuyo
0
140
OpsJAWS Meetup21 システム運用アンチパターンのすすめ
96c31fe94f5e9b0eef4a606eaadcbc04?s=48 yoshiiryo1
0
1.4k

Featured

See All Featured
The Power of CSS Pseudo Elements
5b6a2bd86ef643786a381a212e0ef2f1?s=48 geoffreycrofte
46
3.9k
What the flash - Photography Introduction
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
61
10k
Art Directing for the Web. Five minutes with CSS Template Areas
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
196
9.4k
Side Projects
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
450
37k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
88f4e84b94fe07cddbd9e6479d689192?s=48 soudai
39
13k
Support Driven Design
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
86
8.5k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
15
940
Optimizing for Happiness
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
365
63k
Stop Working from a Prison Cell
C1daf20e5c49ff910745198ef9869ac2?s=48 hatefulcrawdad
261
17k
Happy Clients
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
89
5.6k
The Invisible Side of Design
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
290
48k
Agile that works and the tools we love
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
319
19k

Transcript

  1. Building Your Own DFIR Sidekick ChatOps for Incident Response

  2. I do incident response @ GitHub Hi, I’m Scott

  3. He Does Basically Everything @ GitHub This is Hubot

  4. “making it easier to work together than to work alone….”

  5. ๏ CHatops & Incident Response ๏ Hubot Variable Threat Response

    ๏ Deploying & Developing Hubot

  6. A Brief Introduction to ChatOps

  7. What is ChatOps?! DevOps + Chat = Chatops Collaborative Terminal

    Experience

  8. So What Really is ChatOps?!

  9. None
  10. None

  11. Chat

  12. Chat

  13. None

  14. Why Chatops anyway?

  15. Geographically distributed

  16. None
  17. None

  18. asynchronous

  19. multi device

  20. None
  21. None
  22. None

  23. hides the “ugly” Or at least makes interfaces consistent

  24. “This was always my main motivation with Hubot - teaching

    by doing by making things visible.” - @Tomayko

  25. How GitHub Uses Chatops

  26. deploy & monitor servers via Puppet

  27. deploy & monitor Code via Capistrano & Jenkins CI

  28. Monitor Systems via Nagios

  29. None
  30. None

  31. Update our Status Site (Hopefully rarely)

  32. Lookup Funny pictures And Gifs Too!

  33. None

  34. Shoutout to MattJay

  35. So what about DFIR?! Hint: We were already Doing It

  36. Managing our pager alerts via pagerduty

  37. Showing Process Lists on Hosts

  38. Changing firewall rules

  39. getting whois information

  40. getting app logs & stats via Splunk & Graphite

  41. None

  42. “Swinging the BanHammer”

  43. Other “secret” stuff just come ask me if you’re curious

  44. “making it easier to work together than to work alone….”

  45. “making it easier to Respond to Incidents together than to

    Respond alone….”

  46. Hubot VTR

  47. Hubot ๏ node.js based Chat bot ๏ coffeeScript based actions

    ๏ deployable anywhere you can run node.js (Unix, Windows, Heroku, etc)

  48. ๏Disk Forensics ๏Network Forensics ๏Open Source Intelligence ๏Malware Analysis

  49. hubot-vtr modules for dfir

  50. Code name generator Because you can’t call it
 “That thing

    from January” forever

  51. Geolocating IPs But not for attribution...

  52. reverse dns lookups

  53. checking resource reputations mywot, Google, virustotal, & Opendns

  54. None

  55. research links generator Robtext, CentralOps, Hurricane Electric…

  56. server profiling via shodan

  57. None

  58. malware research via virustotal

  59. passive dns via virustotal

  60. detection generation via yara & Snort

  61. force multipler

  62. Deployment & Development

  63. Deployment Local Or Heroku

  64. 3 Components brain + Connector + Scripts

  65. Development CoffeeScript On NodeJs

  66. None

  67. Docs Matter

  68. None
  69. None
  70. None
  71. None
  72. None
  73. None
  74. None
  75. None
  76. None
  77. None

  78. Hubot’s “Voice”

  79. In Conclusion…

  80. ChatOps can make incident response collaborative & Hubot VTR puts

    DFIR tools & tasks in chat

  81. Find Out More Hubot.GitHub.com & GitHub.com/sroberts/hubot-vtr-scripts

  82. Contact Me github & twitter: @sroberts sroberts.github.io

  83. Thanks!!!

  84. None