Introduction
For those who could not attend, this year's Black Hat security conference did not disappoint. It was an awesome time to collaborate and share with the security community. In doing so, we open sourced a new tool at Black Hat Arsenal aimed at assisting Security Operations Centers (SOCs) and digital first responders. We affectionately call it CyBot – Threat Intelligence Chat Bot.
We understand that typical SOC environments face a number of challenges:
- Many SOCs are overwhelmed with the number of incoming alerts
- Service Level Agreements (SLAs) often define a maximum time to investigate and contain an incident
- Security tools may be plentiful but they are often not centralized
- Collaboration on a large investigation may be challenging
We have even seen cases where the SOC receives so many alerts that not all of them can be properly investigated.
To combat this, CyBot can be your threat intelligence chat bot waiting to do research for you. For example, instead of going to various websites or dashboards to perform research, you could just ask CyBot simple questions and even share results with other investigators. All from within one chat window you can do the following and more:
- Ask about the threat reputation of URLs and hashes
- Perform WHOIS, nslookup, and geoip lookups
- Unshorten potentially malicious shortened URLs
- Extract links from a potentially malicious website
[Figure: CyBot Menu]
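To show the kind of front-end parsing a chat bot like this needs before it can run any of the lookups above, here is an added example (not CyBot's own code, and not an Errbot plugin): it refangs a pasted chat line, pulls out URLs, domains and hashes, classifies each hash by length, and decides which lookup (reputation, unshorten, WHOIS/nslookup/geoip) each indicator should go to. The sample message, the shortener list and the command names are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample chat line, as an analyst might paste it into a SOC channel.
SAMPLE = ("please check hxxp://bit[.]ly/abc123 and 44d88612fea8a8f36de82e1278abb02f "
          "plus example[.]com and 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f")

HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}  # assumed shortener list

def refang(text):
    """Undo common defanging (hxxp, [.], (.)) so the indicators can be parsed."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".")

def classify_hash(token):
    """Return md5/sha1/sha256 based on hex length, or None if the token is not a hash."""
    if re.fullmatch(r"[0-9a-fA-F]+", token):
        return HEX_LEN.get(len(token))
    return None

def extract_indicators(text):
    """Pull URLs, bare domains and hashes out of a (possibly defanged) chat message."""
    text = refang(text)
    urls = re.findall(r"https?://[^\s<>\"']+", text)
    hashes = [t for t in re.findall(r"\b[0-9a-fA-F]{32,64}\b", text) if classify_hash(t)]
    # Bare domains only; hostnames that are part of a URL are handled with that URL.
    domains = [d for d in re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", text, flags=re.I)
               if not any(d in u for u in urls)]
    return {"urls": urls, "domains": domains, "hashes": hashes}

def route(text):
    """Map each indicator to the lookup worth running (command names are assumed)."""
    ind = extract_indicators(text)
    plan = []
    for u in ind["urls"]:
        host = urlparse(u).hostname or ""
        plan.append((u, "unshorten" if host in SHORTENERS else "url_reputation"))
    for d in ind["domains"]:
        plan.append((d, "whois+nslookup+geoip"))
    for h in ind["hashes"]:
        plan.append((h, "hash_reputation:" + classify_hash(h)))
    return plan

if __name__ == "__main__":
    for indicator, command in route(SAMPLE):
        print(command, "->", indicator)
```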
Best of all, this capability is now free and being actively developed. All documentation, slides, and plugins have been made publicly available via GitHub: https://github.com/CylanceSPEAR/CyBot.
Props
Very few tasks are ever accomplished in complete isolation. Tools, services, and ideas were combined from awesome places such as:
- Errbot developers for the fantastic tool and customer service
- VirusTotal
- geoip - freegeoip.net
- Google Safebrowsing - https://developers.google.com/safe-browsing/ and Jun C. Valdez
- Hashid - C0re
- Unshorten - unshorten.me
- Codename - https://mark.biek.org/code-name/
- Black Hat Arsenal team for the amazing support and tool release venue
- Non-bots: Bill Hau, Corey White, Dennis Hanzlik, Ian Ahl, Dave Pany, Dan Dumond, Kyle Champlin, Kierian Evans, Andrew Callow, Mark Stevens