Thanks for waiting, everybody. First off, really quick, this is a non-important warning. If you're an expert, just leave. Seriously, you're not going to offend me, don't, you know, stay here. Basically, what I want to talk about is digital forensics, incident response and open source tools, or excuse me, open source intelligence tools. And if you saw Rhett's talk, go eat and bring me some beer or cider or something, because I'm pretty nervous standing up here right now. And if you're a noob and you know it, clap your hands. So as I said, this talk is about DFIR, or automation and orchestration tools, for open source intelligence and reconnaissance. And since Jay Haddix had the slide of basically doing OSINT like a boss or something like that, I had to switch my slide. Didn't know that he actually had that, so I switched it to collecting evidence like a robot. A typical disclaimer: opinions are mine or borrowed and may not represent my employer. They're really just concepts and opinions and nothing more, I'm not a lawyer. Who am I? Okay, so, my name is Tyler Roarbaugh. I have 14 years in cyber, yes, you know, I said cyber. Primarily my work's been in vendors, consulting and contracting. And I've tried stuff in a variety of different areas, but I'm not an expert in anything at all. Okay, so that's why I said, if you're a noob, this is great for you. Because I'm definitely a noob. This is also my first talk, so. Okay, so if you guys have been to any of the other talks for OSINT, there's a lot of tools that exist. There's Datasploit and Tree.io, which was talked about, NetGlub, Recon-ng, Palantir, which is a very big one, but it's very expensive, Maltego, Hunchly, which I think is pretty new. And there's a really cool website called Awesome OSINT on GitHub. If you haven't already seen it, it's pretty useful. It's got a lot of information. And then from that standpoint, you can just keep going and going and going.
And part of this talk, though, is actually about that, is that from what I've seen about a lot of OSINT gathering, you either have pen testing, or like HUMINT, or open source intelligence gathering for people and things like that. And the thing is, is that some of it there's a process, and some of it there's not. I've seen a lot of different talks. I've seen a lot of different people over the years talk about things. And I'm really interested in feedback around a process. What I mean is not just a manual step process, but is it possible to basically break this down into a playbook, or be able to do something where you can do this in a step-by-step process that can be automated to some degree? And I'm not talking like use tool one, two, tool two, three, two, four, et cetera. I'm talking be able to automate it and then basically break it up in pieces where you can't actually automate it. So who in here knows much about digital forensics? Anybody? Cool. OK, so the reason why you want to use digital forensics and incident response tactics for open source intelligence is it allows you to understand and reduce your attack surface. You can gain awareness of threat actors, and you can enhance your incident response investigations. Now, are you doing this today? Just wondering. OK, so that's what I said, experts. Just go ahead and bounce out. Or you can just use it for fun. And everybody's seen this. Everybody's probably done this stuff. But in my case, it was like getting another CEO. And everybody's seen this kind of information. That's actually my CEO for the company I work for. And at the very last minute, I was told not to basically put his information out there, which is understandable. And a lot of other targets that I went to go after said the same thing. So the next thing is something that's kind of interesting to me, and I don't know how many of you think about this.
But when it comes to pentesting, one thing, you go out and you start basically gathering reconnaissance, you start gathering intel around a particular target. And then after that, you start determining what kind of information you can use to exploit, et cetera, et cetera. But for me, the question is, if you're in OSINT land and you started gathering information about an individual and they were your friend or something like that, could you automate a way to respond to them and help them out? And that may sound kind of weird. But what I mean by that is to be able to say, hey, there's some information out there on you. You might want to check that out, and basically do that in a way that allows them to kind of improve themselves or whatever, right? So for me, I want to just point up a quick thing. I want to compare the differences between attacking, response, and OSINT. So how many of you basically do pentesting? OK, I've got a handful of you. How many of you are new to all of this? OK, cool. All right, next slide. How many of you do incident response? You're pretty much the only person to raise your hand for that part. So you'll obviously rip a hole through this next slide. But basically, I kind of looked at it from a lot of different places. I studied CEH, I studied a bunch of different things. And I wanted to put this into a process that kind of made sense, that also seems to be what everybody breaks it down into. And so basically from an attacking side, you have planning and reconnaissance, threat modeling and vulnerability analysis, exploitation, and then you process that information. You start to do lateral movement within a network, et cetera, et cetera, et cetera. You persist, and then you report. Now, any pentesting people can clarify, that's kind of summarized, right? From a response standpoint, you do the same kind of thing. You start to plan or prepare.
You identify and you contain, and then you remediate, and then you recover, and then you basically learn and disseminate that information out to the team. Does that sound about right? Just curious. Cool. And OSINT is kind of like that, right? Plan, prepare, identify, and collect. Process the information, do analysis on it. Determine how you're going to deal with the production of that information, who you're going to give it to. And learn and disseminate that information. But it seems like everything's a five-step process. What happened to 12 steps? Does anybody have a beer? I'm really egging for one right now. So why use a digital forensics and incident response automation and orchestration tool? Because it's built to gather evidence. If you've used any kind of DFIR tool, they're really built around that. It's case management. It's built around gathering evidence. Maltego does this, of course, and it does it pretty well. And the big guys like Palantir, I think, do that. The other thing that DFIR tools do really well is they can integrate with a ton of shit out of the box. That to me is really useful. Unfortunately for my demo, you're not going to see quite much of that at the moment. But new tools can easily be added. You can pull data from one place to another, which is pretty cool. So you can ingest information into these new types of DFIR tools. And then you can push into other systems from one centralized place. OSINT tools, it's a lot about ingestion, but it's not a lot about going out and doing anything after the fact. And why else? Because we need to automate or die, right? There's no snake oil reason. Well, because playbooks make it easy to automate. How many of you know what a playbook is? OK, cool. So you don't know much about digital forensics and incident response, but you know a lot about playbooks. OK, well, the next question would be, you've seen a lot of these DFIR tools then, right? So obviously there's Demisto. That's who I work with.
There's TheHive project. TheHive project is also open source. Demisto's product line is partially open source. The content's open source. There's Phantom, and I believe some of their stuff's open source as well. There's Swimlane, Resilient, Siemplify, CyberTourage, and Komand, which I think just got acquired not too long ago by Rapid7. So that might be something to check out too. All of those have automation frameworks built in, and most of them are in Python or JavaScript and allow you to start gluing in all of these tools right in the framework, or excuse me, into their ecosystem and things like that. So I have a question for everybody here. I'm trying to really make this a little bit more interactive. What is the standard for building a playbook? Does anybody here know? So everybody's heard of playbooks. They've seen them. Everybody knows what a playbook is, but has anybody here heard of the standard? Well, I actually found one. There is a standard. The IACD standard says, and this is from Johns Hopkins University or some shit, has anybody in the room ever read incident response policies and plans? It's more legal speak than it is actually what you need to do. And that's kind of what this standard says. And I'm not trying to dishonor it or anything like that. Yes, I said dis, I'm at that age. But basically, when I look at that, I was like, this is really academic for really explaining what a playbook does, because it's really just a step-by-step process of gluing shit together. OK, that's it. So the thing is that when you have, like, Maltego has transformations, but can you glue those together from end to end is what I'm asking here. Can you actually take Maltego transformations, or can you take, like, Palantir? I've seen it. I've played with it, but I don't know it well enough to know. Can you glue tasks together from that and take the information and start to do things with it? Is that something that's possible? I don't know. So that's kind of what I'm asking.
So this is an example of a playbook. And this is in a graphical form. You could write it down. An incident response plan should be written down. And you should have several of them. I've actually gone out and written some, embarrassingly enough. And the thing is that some of those plans are not specific enough to what you really need to do. So I mean, for example, how exhaustive are your incident response plans today? Are they pretty exhaustive? Are they book deep? And do they explain, OK, for example, if something happened, social media would start going out. What are you supposed to do about that? Or do they just really say, well, contact Joe, or contact Bob, or contact Lacey, or anything like that? Is that kind of what you hear or see? Anybody? OK. Well, before we begin, and like I said, I've got some bugs that are going on right now. I had to reboot a server. So I'm just going to show you kind of the process and the tool a little bit. And then what I will do after this is I'll make a video, where I'll get team people to basically make a video of the process that I want to go through. And the other thing that I'm trying to do is really go back to the community and gain process information for different strategies that they would use for OSINT gathering of information. That's kind of why I'm here. What I'm here to do is kind of explain, OK, you have playbooks, everybody understands them. Maybe I'm a noob, and I just don't know. And that's certainly possible. But what I'd like to see is a process to go through that says, OK, here's what you can do. And I'm going to build that out so that I can automate that from multiple different tools that are out there. And if you've seen it, Intrigue is a great tool. It has a lot of different integrations. Maltego's got a lot of different integrations. But what I want to see is playbooks on how to actually use those integrations.
And for me, I have ideas, but I want to start pulling people on all sides, from the pen testing side, from the digital forensics and incident response community, and from the open source intelligence community, and start to actually gather information around those playbooks. Because to me, that allows you to automate things end to end, or at least to the point where a person gets information, not just in one place, but is able to take action on it. I think that's something with OSINT data. It's like, well, you create a report and you just hand it to somebody. I don't know. That's kind of what I've seen. So before we get started, let's ask a couple of basic questions. And the reason I said this is for noobs and stuff is because, for me, I've gone through a lot of online stuff. I've gone through a lot of reading, things like that. And I was like, OK, I need to kind of process this in a way that I can kind of break it down to my simple terms. I'm like Forrest Gump, kind of slow. So I have to break things down really slowly, right? So planning. The big thing is, you want to start out, and you want to ask the question of, do we have a plan, purpose, or target? Now, out of all the talks I've seen in general and books I've read and things like that, there seems to be a lot of bouncing around when it comes to having a plan for the purpose of what you're trying to do with a target, unless you have a mission or goal for what you're trying to do with the information. And so that, to me, is something like, OK, having an idea for what you're going to do with the information, I think, is much bigger than what you're trying to target or what the purpose is of what you're trying to target. If that makes any bit of sense. Then you want to identify what kind of information we are going to collect, like I said. What's the kind of information you want to go for? Is this ethical or legal? As you can see, I've got a really big flaw in my slide there.
And how are we going to process the information, and with what tools? Who can collaborate and do analysis with you on it? And so this is a big piece of why I'm trying to show you this type of tool that does digital forensics and incident response for OSINT, is because, has anybody here done OSINT on CTFs and things like that? Basically, how do you collaborate today right now? Do you use any kind of tool right now to collaborate, like Slack for the CTFs or anything like that? OK, so if you use Slack, then this is kind of a quick demo. How long do we have to investigate? Well, I have about five minutes, so I've got to hurry. And I'm going to show you a quick example demo, OK? So this is the tool of the company I work for. It's called Demisto. And if you want a really fun project sometime, there's a little tiny QR code over there in the left-hand corner that would be kind of cool for you to take home and look at. It's a nice open source intelligence, fun thing to do. Anyway, so the way this tool works is it has integrations, and everything is pretty much command line driven or it's driven by playbooks. And a simple playbook like I was trying to show is, if I can get it to load. Well, basically, let me see if I can get any of these to load, but on the other hand side, you see here you have settings, automations, playbooks, indicators, reports, dashboards, jobs, and instances, and what ends up happening is you go through and you create a new incident, you start to associate it to a playbook. And from that point then, what happens is it allows you to assign that incident to somebody. Just like a digital forensics and incident response tool does today, it allows you to assign a case to somebody, or like a visitor ticket, or if it was a different type of ticketing system or case management system.
From that point though, what's neat about this tool, it's not loading at the moment, but is that you can go and actually, from the incident, you can start to invite people in and collaborate on a goal or a mission or on a particular topic or the type of target you're trying to go after. I'm sorry I don't have a connection at the moment, but that's pretty much all I've got. So what I will say is this. If you want to check the tool out, you can go on demisto.com. It's free, it's downloadable, the content's open source. And from there, you can start to look at, there's a ton of videos out there online about this. And I'll put together a video that'll show an actual full demonstration end-to-end of how to use this for open source intelligence. Does that sound reasonable? Yeah, it's called Demisto, d-e-m-i-s-t-o.com. We also have a community of about 1,400 different digital forensics and incident response people today on Slack. And if anybody wants to connect with me afterwards, just let me know, and I'll get you a free copy and all that stuff and set up. But I do want to show a video of this. And I'm sorry that I'm not able to connect right now at this moment, but that's all I have. Wait for the package to come.
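The talk keeps coming back to one idea: a playbook is a step-by-step chain of tasks that pass information forward, some tasks run on their own, and the run has to stop and hand off to a person at the steps that cannot be automated, with everything recorded as evidence on a case. The block below is an added example written for this page, not code from the talk, from Demisto, or from any of the other tools named; it is a toy playbook runner that demonstrates that shape on the speaker's "tell your friend there's information out there on them" scenario. The playbook name, task names, `Case`/`Task`/`Playbook` classes and the `CONSTRUCTED_EXPOSURES` table are all assumptions made for the example; the table stands in for a real lookup integration so the code runs offline.

```python
"""Toy DFIR-style playbook runner (added example, not from the talk or any product).

A playbook is an ordered set of tasks. Automated tasks take the case, add
evidence, and name the next task ("close" ends the run). A manual task has no
run function: reaching it parks the case as "waiting_on_human" so the owner
can act, which is the "break it up where you can't automate it" step.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample data standing in for an exposure-lookup integration.
# Keys are domains; values are the records a real lookup would have returned.
CONSTRUCTED_EXPOSURES: Dict[str, List[str]] = {
    "example.org": [
        "public staff directory lists full names and roles",
        "old job posting names the internal VPN vendor",
    ],
}


@dataclass
class Evidence:
    task: str        # which task produced this entry
    summary: str     # one-line human-readable summary
    details: dict    # raw values for the analyst


@dataclass
class Case:
    name: str
    owner: Optional[str] = None
    status: str = "new"
    pending_task: Optional[str] = None
    context: dict = field(default_factory=dict)       # data passed between tasks
    evidence: List[Evidence] = field(default_factory=list)

    def add_evidence(self, task: str, summary: str, **details) -> None:
        self.evidence.append(Evidence(task, summary, details))


@dataclass
class Task:
    name: str
    # Automated task: callable returning the next task name or "close".
    # Manual task: None, meaning a person has to do it.
    run: Optional[Callable[[Case], str]]


class Playbook:
    def __init__(self, name: str, tasks: List[Task]):
        self.name = name
        self.tasks = {t.name: t for t in tasks}
        self.start = tasks[0].name

    def execute(self, case: Case) -> Case:
        case.status = "in_progress"
        current = self.start
        for _ in range(len(self.tasks) + 1):          # guard against task loops
            if current == "close":
                case.status, case.pending_task = "closed", None
                return case
            task = self.tasks[current]
            if task.run is None:
                # Cannot be automated: stop here and leave it for the owner.
                case.status, case.pending_task = "waiting_on_human", task.name
                return case
            current = task.run(case)
        raise RuntimeError(f"playbook {self.name} did not terminate")


def extract_domain(case: Case) -> str:
    """Automated: derive the organisation's domain from the input address."""
    email = case.context["email"]
    if "@" not in email:
        case.add_evidence("extract_domain", "input is not an email address", value=email)
        return "close"
    domain = email.rsplit("@", 1)[1].lower()
    case.context["domain"] = domain
    case.add_evidence("extract_domain", f"derived domain {domain}", email=email)
    return "lookup_exposure"


def lookup_exposure(case: Case) -> str:
    """Automated: query the (constructed) exposure table and branch on the result."""
    domain = case.context["domain"]
    hits = CONSTRUCTED_EXPOSURES.get(domain, [])
    case.context["hits"] = hits
    case.add_evidence("lookup_exposure", f"{len(hits)} exposure record(s) for {domain}", records=hits)
    return "notify_individual" if hits else "close"


# Hypothetical playbook: review what is publicly exposed about a person and,
# if something is found, have a human decide how to tell them.
EXPOSURE_REVIEW = Playbook("osint_exposure_review", [
    Task("extract_domain", extract_domain),
    Task("lookup_exposure", lookup_exposure),
    Task("notify_individual", None),   # manual step
])


def run_exposure_review(email: str, owner: str = "analyst") -> Case:
    case = Case(name=f"exposure review: {email}", owner=owner, context={"email": email})
    return EXPOSURE_REVIEW.execute(case)


if __name__ == "__main__":
    for addr in ("jane@example.org", "bob@nothing-here.test"):
        c = run_exposure_review(addr)
        print(c.name, "->", c.status, c.pending_task or "")
        for e in c.evidence:
            print("   ", e.task, ":", e.summary)
```

The two branches matter more than the data: for `jane@example.org` the run stops at `notify_individual` with two evidence entries already attached to the case, so the owner picks up a case that is half done rather than a bare report; for a domain with no records the same playbook closes itself. Real tools add the integrations, assignment and collaboration the talk mentions on top of exactly this loop.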