Using Robots to Fight Bad Guys

Turning hubot into a DFIR sidekick...

Presented at BSidesDFW and updated for BayThreat 2013.

Scott J. Roberts

December 06, 2013

Transcript

  1. core elements
     - open source intelligence
     - network forensics
     - system forensics
     - reverse engineering
     - penetration testing & vulnerability management
  2. a little about GitHub
     - optimized for happiness
     - work when, where you want
     - reduce unnecessary processes
     - results
     - asynchronous
     - multidevice
     - (chart of where GitHubbers are: sf, US, world, wanderers; 1% 20% 49% 30%)
  3. bro do you even chat?
     - GitHub lives in chat
     - async (searchable, read back, push notifications)
     - multi device (laptop, tablet, phone)
     - collaborative
     - so we built tools around it
  4. what is hubot?
     - node.js based chat bot
     - coffeescript based actions+
     - redis based "brain"+
     - chat via shell & campfire+
     - deployable on unix, windows, & heroku+
  5. how GitHub uses hubot
     - deploy & monitor servers via puppet
     - deploy & monitor code via capistrano & jenkins ci
     - monitor systems via nagios
     - update GitHub's status site
     - manage ops pager alerts from pager duty
     - remember things about people
     - look up funny pictures
  6. “ChatOps”
     - chatops is about a shared operations experience
     - hides the ugly
     - gives you mobile support everywhere
  7. “This was always my main motivation with Hubot - teaching by doing by making things visible. It's an extremely powerful teaching technique.” –Ryan Tomayko
  8. goal: adapt chatops for ir
     - automate common ir tasks
     - make it easier to collaborate with other incident responders for improved response and teaching
     - untie ir from a desk
     - learn some new technologies
  9. we already were
     - /firewall - manipulate host firewalls
     - /host-fw-port - manipulate the firewall on host
     - /nagios - interact with nagios
     - /pstree - show process tree on host
     - /puppet - manipulate a puppet agent
     - /whois - show info about an addr
     - /logs - get application logs from a given service
     - /twitter - posting to & monitoring twitter
     - secret stuff i can’t share but i promise is awesome…
  10. throwback
     - open source intelligence
     - network forensics
     - system forensics
     - reverse engineering
     - penetration testing
  11. hubot vtr
     - code name generator
     - pipl
     - yara
     - virustotal lookup (ip, url, hash)
     - geolocate ip address
     - my web of trust lookup
     - generate reputation links
     - reverse dns
     - shodan
     - short url expander
  12. writing hubot scripts
     - coffeescript = javascript + python
     - tons of examples
     - documentation matters
     - pull requests welcomed
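As an added example (not from the deck and not code from the hubot-vtr project), here is what a hubot script for an indicator lookup looks like, written in plain JavaScript rather than CoffeeScript since hubot loads either. The `robot.respond(regex, callback)` shape is the core pattern the deck refers to; everything else is the defensive plumbing a DFIR bot wants in front of a third-party lookup: classify what the analyst pasted (hash, IPv4, URL), refuse to ship private addresses off-site, and defang anything echoed back into chat. `makeFakeRobot` is an assumed stand-in for hubot's real `robot` object so the script can be driven offline; the `vt` command name, the reply wording and the sample chat lines are constructed for this example.

```javascript
// Added example, not from the deck or the hubot-vtr project.
// `makeFakeRobot` is an assumed stand-in for hubot's real `robot`;
// the `vt` command name and reply text are choices made for this example.

// Hex digest lengths for the hash types a VirusTotal-style lookup accepts.
const HASH_TYPES = { 32: "md5", 40: "sha1", 64: "sha256" };

// RFC 1918 and loopback ranges: indicators from here should never be sent to
// a third-party service; they leak internal addressing and tell it nothing.
function isPrivateIPv4([a, b]) {
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

// Decide what kind of indicator the analyst pasted, before any lookup happens.
function classifyIndicator(text) {
  const s = text.trim();
  if (/^[0-9a-f]+$/i.test(s) && HASH_TYPES[s.length]) {
    return { kind: "hash", algo: HASH_TYPES[s.length], value: s.toLowerCase() };
  }
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (m) {
    const octets = m.slice(1).map(Number);
    if (octets.every((o) => o <= 255)) {
      return { kind: "ip", value: s, private: isPrivateIPv4(octets) };
    }
  }
  if (/^https?:\/\/\S+$/i.test(s)) return { kind: "url", value: s };
  return { kind: "unknown", value: s };
}

// Defang before echoing into chat so nobody clicks a live malicious link.
function defang(value) {
  return value.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

// The script itself: `robot.respond(regex, callback)` is the core pattern
// every hubot script follows, whether in CoffeeScript or JavaScript.
function vtrScript(robot) {
  robot.respond(/vt (.+)/i, function (res) {
    const ind = classifyIndicator(res.match[1]);
    if (ind.kind === "unknown") {
      return res.send(`${defang(ind.value)} is not a hash, IPv4 address or URL`);
    }
    if (ind.kind === "ip" && ind.private) {
      return res.send(`${defang(ind.value)} is a private address; not sending it to a third-party service`);
    }
    const label = ind.algo ? `${ind.kind} (${ind.algo})` : ind.kind;
    // A real script would call the lookup service here (hubot's http helper
    // or a local rhodey endpoint); this example stops at the validated indicator.
    res.send(`ok to look up ${label}: ${defang(ind.value)}`);
  });
}
if (typeof module !== "undefined") module.exports = vtrScript;

// Minimal stand-in for hubot's robot (an assumption for this example): records
// listeners and delivers chat lines addressed to the bot, collecting replies.
function makeFakeRobot(name = "hubot") {
  const listeners = [];
  const addressed = new RegExp(`^@?${name}[:,]?\\s+`, "i");
  return {
    respond(regex, cb) {
      // hubot anchors the command after the bot's name; mirror that here.
      listeners.push({ regex: new RegExp("^" + regex.source, regex.flags), cb });
    },
    receive(line) {
      const replies = [];
      if (!addressed.test(line)) return replies;   // not talking to the bot
      const body = line.replace(addressed, "");
      for (const { regex, cb } of listeners) {
        const match = regex.exec(body);
        if (match) cb({ match, send: (t) => replies.push(t) });
      }
      return replies;
    },
  };
}

// Drive the script with constructed chat lines (sample input, not real IoCs).
const robot = makeFakeRobot();
vtrScript(robot);
for (const line of [
  "hubot vt 0123456789abcdef0123456789abcdef",  // constructed 32-hex string
  "hubot vt 10.0.0.5",
  "hubot vt http://example.com/payload",
  "hubot vt 300.1.1.1",
]) console.log(line, "->", robot.receive(line));
```

Dropping this file into a hubot's `scripts/` directory would register the `vt` listener the same way, because hubot calls each script's exported function with its own `robot`; the fake robot only exists so the classification and reply logic can be checked without a chat adapter or network access.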
  13. rhodey
     - not everyone writes coffeescript & security types love python
     - creates a local REST api for building new VTR services
     - built using flask
     - mostly an example framework at the moment, but PRs are welcome
  14. why rhodey
     - some things are easier to write in python
     - take advantage of already available python libraries for incident response
     - allows local actions
     - gives control of networking & protects from third party snooping
  15. things to build
     - vtr helper library
     - “the list”
     - merging more pull requests (i hope!)
  16. “This is the Unix philosophy: Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface.” –Doug McIlroy
  17. development
     - terminal based chat
     - built locally
     - run from the command line + in memory redis
  18. dfir whiskey lounge
     - campfire based chat
     - built off a digital ocean vps
     - heroku (1 dyno) + redis to go brain
     - flint for osx & ios
     - we call him “Woodhouse”
  19. takeaway
     - it’s better to respond together than alone
     - Hubot can help you automate, collaborate, mobilize, & beautify
     - coffeescript has a couple core patterns that make it easy to build new scripts
  20. links & errata
     - hubot
     - hubot vtr scripts & hubot vtr rhodey
     - chatops at github - jesse newland
     - programming butler: hubot scripts explained
     - code school: learn coffeescript
  21. shoutouts
     - @rtomayko & @jnewland ~ hubot & chatops creators
     - @technicalpickles ~ for dealing with my constant questions
     - @technoskald, @jcran, @mattjay, & other contributors
     - everyone who exposes json endpoints