Using Robots to Fight Bad Guys

Turning hubot into a DFIR sidekick...

Presented at BSidesDFW and updated for BayThreat 2013.

Scott J. Roberts

December 06, 2013

Transcript

  1. using robots to fight bad guys: turning hubot into a dfir sidekick…
  2. scott j roberts - dfir-er…? whiskey drinker, star wars nerd! i do other things too…
  3. making it easier to work together than to work alone….

  5. incident response is what happens after you get hacked

  6. core elements - open source intelligence - network forensics - system forensics - reverse engineering - penetration testing & vulnerability management
  7. tools & techniques - teams & organizations

  8. how works

  9. a little about GitHub - optimized for happiness - work when & where you want - reduce unnecessary processes - results - asynchronous - multidevice (chart: 1% / 20% / 49% / 30% - sf / US / world / wanderers)
  10. bro do you even chat? - GitHub lives in chat - async (searchable, read back, push notifications) - multi device (laptop, tablet, phone) - collaborative - so we built tools around it
  12. a customizable, kegerator-powered life embetterment robot

  13. what is hubot? - node.js based chat bot - coffeescript based actions+ - redis based "brain"+ - chat via shell & campfire+ - deployable on unix, windows, & heroku+
  15. connectors

  16. scripts - built in scripts, community scripts, & your own scripts

  17. how GitHub uses hubot - deploy & monitor servers via puppet - deploy & monitor code via capistrano & jenkins ci - monitor systems via nagios - update GitHub's status site - manage ops pager alerts from pager duty - remember things about people - look up funny pictures
  19. “ChatOps” - chatops is about a shared operations experience - hides the ugly - gives you mobile support everywhere
  20. –Jesse Newland: “By placing tools in the conversation everyone is pairing all the time.”
  21. –Ryan Tomayko: “This was always my main motivation with Hubot - teaching by doing by making things visible. It's an extremely powerful teaching technique.”
  25. hubot vtr

  26. goal: adapt chatops for ir - automate common ir tasks - make it easier to collaborate with other incident responders for improved response and teaching - untie ir from a desk - learn some new technologies
  27. making it easier to respond to incidents together than alone…

  28. we already were - /firewall - manipulate host firewalls - /host-fw-port - manipulate the firewall on host - /nagios - interact with nagios - /pstree - show process tree on host - /puppet - manipulate a puppet agent - /whois - show info about an addr - /logs - get application logs from a given service - /twitter - posting to & monitoring twitter - secret stuff i can’t share but i promise is awesome…
  29. throwback - open source intelligence - network forensics - system forensics - reverse engineering - penetration testing
  30. hubot vtr - code name generator - pipl - yara - virustotal lookup (ip, url, hash) - geolocate ip address - my web of trust lookup - generate reputation links - reverse dns - shodan - short url expander
  31. community modules - announce - availability - deadline - http-info - isup - news - pypi - sms

  32. writing hubot scripts - coffeescript = javascript + python - tons of examples - documentation matters - pull requests welcomed
  40. msg.random

  41. msg.random

  42. reverse dns

  43. geolocate ip

  44. rhodey - not everyone writes coffeescript & security types love python - creates a local REST api for building new VTR services - built using flask - mostly an example framework at the moment, but PRs are welcome
  45. why rhodey - some things are easier to write in python - take advantage of already available python libraries for incident response - allows local actions - gives control of networking & protects from third party snooping
  46. rhodey first cut

  56. things to build - vtr helper library - “the list” - merging more pull requests (i hope!)
  57. –Doug McIlroy: “This is the Unix philosophy: Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface.”
  58. development - terminal based chat - built locally - run from the command line + in memory redis
  60. dfir whiskey lounge - campfire based chat - built off a digital ocean vps - heroku (1 dyno) + redis to go brain - flint for osx & ios - we call him “Woodhouse”
  61. live demo… always a terrible idea

  62. takeaway - it’s better to respond together than alone - Hubot can help you automate, collaborate, mobilize, & beautify - coffeescript has a couple core patterns that make it easy to build new scripts
  63. bonus takeaway - learn to ship code

  64. links & errata - hubot - hubot vtr scripts & hubot vtr rhodey - chatops at github - jesse newland - programming butler: hubot scripts explained - code school: learn coffeescript
  65. shoutouts - @rtomayko & @jnewland ~ hubot & chatops creators - @technicalpickles ~ for dealing with my constant questions - @technoskald, @jcran, @mattjay, & other contributors - everyone who exposes json endpoints
  66. sroberts@github.com - GitHub - twitter @sroberts