Using Robots to Fight Bad Guys

May 14, 2014
intelligence ir devops

At the end of last year I was invited to a few places (CentralPA Open Source, BSidesDFW, & BayThreat) and gave a talk about some of the work I've done to adapt Hubot, GitHub's friendly-ish chatbot, and GitHub's ChatOps workflow for DFIR. While it was great to get the ideas out, there's a lot to deploying, using, and customizing VTR that doesn't fit in a talk. So this is my extended breakdown of ChatOps, Hubot, Hubot-VTR, and building modules in CoffeeScript.

My Presentation

Building Your Own DFIR Sidekick

How GitHub Uses Hubot: ChatOps

So DevOps in general and ChatOps specifically are massive topics unto themselves, and I'm not sure I'm the right person to fully address them, so here's my short version:

Both of these techniques take advantage of modern development tools for rapid tool creation and integration, tools like Puppet/Chef for automation, and a data-driven approach where feelings, conventional wisdom, and "that's just the way we do it" are replaced with collaboration and metrics.

Benefits of Chat

The idea is to make Hubot support security ops:

Setting Up Hubot VTR

Setting up Hubot is a simple task that’s best started by looking at the Hubot documentation itself. Go ahead, we’ll wait here.

Once you've got a basic Hubot setup, you'll want to install the VTR scripts by following these directions. It should be pretty painless.

Using Hubot VTR

Code Name Generator

Generates code names for being spooky

hubot codename

Geolocate IP

Identify the approximate physical location of an IP address

hubot geo 1.2.3.4
hubot geo 1.2.3.4 maxmind

MyWOT

Look up the reputation of a website

hubot mywot example.com

Pipl

Look up OSINT on a user's email address

hubot pipl email example@example.com

Reputation

Generate lookup links for Robtex, IPVoid/URLVoid, etc.

hubot reputation ip 1.2.3.4
hubot reputation url example.com

Reverse DNS

Get the hostnames associated with an IP address

hubot reverse dns example.com

Shodan

Search engine for exposed services and their server banner strings.

hubot shodan foo

Short URL Expander

Take a shortened URL and find out where it redirects to.

hubot expand url example.com

VirusTotal

Look up hashes, URLs, and IP addresses

hubot virustotal hash abcd1234
hubot virustotal ip 1.2.3.4
hubot virustotal url example.com

Yara

Generates a template for writing Yara rules.

hubot yara-template

These all require addressing Hubot directly, either by using the bot's given name or an alias. So for me that would be hubot shodan openssh or ! yara-template. Both your Hubot's name and alias can be configured during setup.

Writing Hubot Scripts

Hubot scripts are written in CoffeeScript, a higher-level language that compiles to JavaScript, which Node.js then runs.

There are a few required parts to any Hubot script; beyond those there are many optional patterns. CoffeeScript tends to be fairly simple, so the best way to pick things up is usually just browsing through open source scripts.
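As an added example (my own code, not from the hubot-vtr project), here is a Hubot script in the shape VTR's modules take, written in plain JavaScript rather than CoffeeScript since Hubot loads either from scripts/. It builds lookup links the way the reputation command above does. The link templates, the FakeRobot harness used to run it offline, and the defanging behaviour are my assumptions, not VTR's. It shows the parts every Hubot script has: the header comment that hubot help reads, the exported function that receives the robot, a robot.respond listener keyed on a regex, and the response object's send/reply. It also does what any script that takes indicators from chat should: accept defanged input, validate it before interpolating it into a URL, and defang what it echoes back so the chat client does not turn a malicious domain into a clickable link.

```javascript
// Added example (not from hubot-vtr): a Hubot script in plain JavaScript that
// mirrors the shape of VTR's "reputation" command. Hubot loads .js as well as
// .coffee files from scripts/, so the structure is the same as a CoffeeScript
// script: a header comment that "hubot help" reads, an exported function that
// receives the robot, and listeners registered with robot.respond().
//
// Description:
//   Build reputation lookup links for an IP address or domain, and echo the
//   indicator back defanged so the chat client does not turn it into a link.
//
// Commands:
//   hubot reputation ip <ipv4>    - links for an IPv4 address
//   hubot reputation url <domain> - links for a domain name

const IPV4_RE = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const DOMAIN_RE = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Link templates are ASSUMED for illustration; check them against each service
// before relying on them. The value passed in is already validated and encoded.
const LINKS = {
  ip: {
    Robtex: (v) => `https://www.robtex.com/ip-lookup/${v}`,
    IPVoid: (v) => `https://www.ipvoid.com/ip-blacklist-check/?ip=${v}`,
  },
  url: {
    Robtex: (v) => `https://www.robtex.com/dns-lookup/${v}`,
    URLVoid: (v) => `https://www.urlvoid.com/scan/${v}/`,
  },
};

// Analysts paste indicators in many forms; accept defanged and URL-shaped input
// and reduce it to a bare host before validating.
function normalize(raw) {
  return raw.trim()
    .replace(/\[\.\]/g, '.')              // 1.2.3[.]4 -> 1.2.3.4
    .replace(/^h(?:xx|tt)ps?:\/\//i, '')  // drop http://, https://, hxxp://
    .replace(/\/.*$/, '')                 // keep only the host part
    .toLowerCase();
}

// Defang on the way out so a malicious domain is not clickable in chat.
function defang(host) {
  return host.replace(/\./g, '[.]');
}

function classify(host) {
  if (IPV4_RE.test(host)) return 'ip';
  if (DOMAIN_RE.test(host)) return 'url';
  return null;
}

// Returns {indicator, lines} on success or {error} on bad input.
function reputationLinks(kind, raw) {
  const host = normalize(raw);
  const actual = classify(host);
  if (!actual) {
    return { error: `"${defang(host)}" is not a valid IPv4 address or domain` };
  }
  if (actual !== kind) {
    const wanted = kind === 'ip' ? 'an ip' : 'a url';
    return { error: `"${defang(host)}" looks like a ${actual}, not ${wanted}; try "reputation ${actual}"` };
  }
  const v = encodeURIComponent(host); // belt and braces; host is already validated
  const lines = Object.entries(LINKS[kind]).map(([name, tpl]) => `${name}: ${tpl(v)}`);
  return { indicator: defang(host), lines };
}

// What Hubot actually loads: a function taking the robot and registering listeners.
const script = (robot) => {
  robot.respond(/reputation (ip|url) (\S+)\s*$/i, (res) => {
    const [, kind, raw] = res.match;
    const out = reputationLinks(kind.toLowerCase(), raw);
    if (out.error) return res.reply(out.error);
    res.send([`Reputation links for ${out.indicator}:`, ...out.lines].join('\n'));
  });
};
module.exports = script;

// Minimal stand-in for Hubot's robot and response objects (an assumption, so the
// script can be exercised offline). Real Hubot prefixes the respond() pattern with
// the bot's name or alias; here the text is delivered without that prefix.
class FakeRobot {
  constructor() { this.listeners = []; }
  respond(re, cb) { this.listeners.push({ re, cb }); }
  receive(text) {
    const sent = [];
    for (const { re, cb } of this.listeners) {
      const match = text.match(re);
      if (match) cb({ match, send: (m) => sent.push(m), reply: (m) => sent.push(m) });
    }
    return sent;
  }
}

// Constructed sample commands, as an analyst might type them in chat.
const robot = new FakeRobot();
script(robot);
for (const cmd of ['reputation ip 1.2.3[.]4', 'reputation url hxxp://example.com/landing', 'reputation ip example.com']) {
  console.log(`> ${cmd}\n${robot.receive(cmd).join('\n')}\n`);
}
```

Drop the file in scripts/ and run hubot help to confirm the Commands block was picked up; the FakeRobot at the bottom exists only so node can run the file on its own. The validate-then-encode step matters more than it looks: an unchecked indicator from chat ends up in a URL the whole channel will click, so the regex gate is the control, and encodeURIComponent is just a backstop.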

My Setup

I currently run two separate Hubots with different adapters and environments:

Things to Build

Take a look at "The List". There are endless possibilities: new modules, new integrations. My current goals revolve around Yara, including automating signature generation. That said, make this whatever will help you, and pull requests are always welcome.

ChatOps Resources

Hubot & Hubot VTR

ChatOps & DevOps