Thursday, August 17, 2017

CyBot – Threat Intelligence Chat Bot

By Tony Lee

Introduction

For those who could not attend, this year’s Black Hat security conference did not disappoint.  It was an awesome time to collaborate and share with the security community.  In doing so, we open sourced a new tool at Black Hat Arsenal at aimed at assisting Security Operations Centers (SOCs) and digital first responders.  We affectionately call it:  CyBot – Threat Intelligence Chat Bot.


We understand that typical SOC environments face a number of challenges:
  • Many SOCs are overwhelmed with the number of incoming alerts
  • Service Level Agreements (SLAs) often define a maximum time to investigate and contain an incident
  • Security tools may be plentiful but they are often not centralized
  • Collaboration on a large investigation may be challenging

We have even seen cases where the SOC receives so many alerts that all of them may not be properly investigated.

To combat this, CyBot can be your threat intelligence chat bot waiting to do research for you.  For example, instead of going to various websites or dashboards to perform research, you could just ask CyBot simple questions and even share results with other investigators.  All from within one chat window you can do the following and more:
·         Ask about the threat reputation of URLs and hashes
·         Perform WHOIS, nslookup, and geoip lookups
·         Unshorten potentially malicious shortened URLs
·         Extract links from a potentially malicious website

CyBot Menu

Best of all, this capability is now free and being actively developed.  All documentation, slides, and plugins have been made publicly available via github:  https://github.com/CylanceSPEAR/CyBot.

Props

Very few tasks are ever accomplished in complete isolation.  Tools, services, and ideas were combined from awesome places such as:
  • Errbot developers for the fantastic tool and customer service
  • VirusTotal
  • geoip - freegeoip.net
  • Google Safebrowsing - https://developers.google.com/safe-browsing/ and Jun C. Valdez Hashid - C0re
  • Unshorten - unshorten.me
  • Codename - https://mark.biek.org/code-name/ Black Hat Arsenal team for the amazing support and tool release venue

  • Non-bots: Bill Hau, Corey White, Dennis Hanzlik, Ian Ahl, Dave Pany, Dan Dumond, Kyle Champlin, Kierian Evans, Andrew Callow, Mark Stevens
Posted by at
Labels: , , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)