Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Building Your Own DFIR Sidekick: THREADS Edition
Search
Scott J. Roberts
November 14, 2014
Technology
2
810
Building Your Own DFIR Sidekick: THREADS Edition
My latest (and final) Hubot for IR talk, given at the excellent NYUPoly CSAW THREADS 2014.
Scott J. Roberts
November 14, 2014
Tweet
Share
More Decks by Scott J. Roberts
See All by Scott J. Roberts
Tortured Responders Dept - Scott & Rebekah's Edition
sroberts
0
94
Skynet the CTI Intern: Building Effective Machine Augmented Intelligence
sroberts
0
68
DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY
sroberts
0
34
Exploring Threat Intelligence: Insights and Tools from Vertex Synapse
sroberts
0
23
Homemade Ramen & Threat Intelligence
sroberts
2
500
Introduction to Open Source Security Tools
sroberts
3
4.8k
Building Effective Threat Intelligence Sharing
sroberts
1
120
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
sroberts
0
110
Crisis Communication for Incident Response
sroberts
1
320
Other Decks in Technology
See All in Technology
属人化したE2E自動テストを ひも解く
honamin09
1
110
DevOps視点でAWS re:invent2024の新サービス・アプデを振り返ってみた
oshanqq
0
110
AI時代のデータセンターネットワーク
lycorptech_jp
PRO
1
190
AWS re:Invent 2024登壇資料(GBL206-JA: Unleashing the power of generative AI on AWS for your business)
minorun365
PRO
7
250
Replit Agent
kawaguti
PRO
2
210
B10-ひと目でわかる(といいなぁ)Microsoft Purview
seafay
PRO
0
580
Connect × Server-Side Kotlinで実現する!スキーマ駆動開発と品質改善の実践
sansantech
PRO
1
150
最近のUplift Modeling手法にRでトライ
hskksk
0
190
Amazon Bedrock Knowledge BasesがGraphRAGに対応!! ・・・それってつまりどういうコト!? をチョット深堀ってみる
tokushun
0
140
イノベーショントークから見るクラウド運用の未来を振り返ってみた
nyankotaro
0
400
MySQL 8.0 から PostgreSQL 16 への移行と RLS 導入までの道のりと学び
baseballyama
0
1.2k
Nihonbashi Test Talk #3_WebDriver BiDiと最新の実装状況 / WebDriver BiDi latest status
takeyaqa
1
160
Featured
See All Featured
Into the Great Unknown - MozCon
thekraken
33
1.5k
Keith and Marios Guide to Fast Websites
keithpitt
410
22k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
27
2.1k
Automating Front-end Workflow
addyosmani
1366
200k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
A designer walks into a library…
pauljervisheath
204
24k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
A Philosophy of Restraint
colly
203
16k
The Pragmatic Product Professional
lauravandoore
32
6.3k
For a Future-Friendly Web
brad_frost
175
9.4k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Transcript
Building Your Own DFIR Sidekick ChatOps for Incident Response
I do incident response @ GitHub Hi, I’m Scott
He Does Basically Everything @ GitHub This is Hubot
“making it easier to work together than to work alone….”
๏ CHatops & Incident Response ๏ Hubot Variable Threat Response
๏ Deploying & Developing Hubot
A Brief Introduction to ChatOps
What is ChatOps?! DevOps + Chat = Chatops Collaborative Terminal
Experience
So What Really is ChatOps?!
None
None
Chat
Chat
None
Why Chatops anyway?
Geographically distributed
None
None
asynchronous
multi device
None
None
None
hides the “ugly” Or at least makes interfaces consistent
“This was always my main motivation with Hubot - teaching
by doing by making things visible.” - @Tomayko
How GitHub Uses Chatops
deploy & monitor servers via Puppet
deploy & monitor Code via Capistrano & Jenkins CI
Monitor Systems via Nagios
None
None
Update our Status Site (Hopefully rarely)
Lookup Funny pictures And Gifs Too!
None
Shoutout to MattJay
So what about DFIR?! Hint: We were already Doing It
Managing our pager alerts via pagerduty
Showing Process Lists on Hosts
Changing firewall rules
getting whois information
getting app logs & stats via Splunk & Graphite
None
“Swinging the BanHammer”
Other “secret” stuff just come ask me if you’re curious
“making it easier to work together than to work alone….”
“making it easier to Respond to Incidents together than to
Respond alone….”
Hubot VTR
Hubot ๏ node.js based Chat bot ๏ coffeeScript based actions
๏ deployable anywhere you can run node.js (Unix, Windows, Heroku, etc)
๏Disk Forensics ๏Network Forensics ๏Open Source Intelligence ๏Malware Analysis
hubot-vtr modules for dfir
Code name generator Because you can’t call it “That thing
from January” forever
Geolocating IPs But not for attribution...
reverse dns lookups
checking resource reputations mywot, Google, virustotal, & Opendns
None
research links generator Robtext, CentralOps, Hurricane Electric…
server profiling via shodan
None
malware research via virustotal
passive dns via virustotal
detection generation via yara & Snort
force multipler
Deployment & Development
Deployment Local Or Heroku
3 Components brain + Connector + Scripts
Development CoffeeScript On NodeJs
None
Docs Matter
None
None
None
None
None
None
None
None
None
None
Hubot’s “Voice”
In Conclusion…
ChatOps can make incident response collaborative & Hubot VTR puts
DFIR tools & tasks in chat
Find Out More Hubot.GitHub.com & GitHub.com/sroberts/hubot-vtr-scripts
Contact Me github & twitter: @sroberts sroberts.github.io
Thanks!!!
None