Developing Threat Intel with Slack

Slack, "Where Work Happens..". I always laugh when I read that- it should almost read "Where Work Happens... Sometimes". What's important here is "where real-time human conversations happen". In the early days, that was bulletin boards, chat-rooms and IRC. Later on it was instant messaging and your Facebook wall. Somewhere in the mix the idea of "work" chat evolved past email (and Yammer) into Slack and HipChat.

In a previous post I went into much more detail about what you can do with the different chat like technologies and their bots, but today I'm going to expand on the details of engagement. More specifically, using external apps to provide richer context to a conversation. What I mean by that is- in the midst of our busy CSIRT lives, sometimes we miss a step. Often times we get so wrapped up in an event, or conversation that we sometimes forget to do our due diligence on every threat indicator that's provided.

Some of these conversations move so quickly, that if we don't go back through the scroll, we're almost sure to miss that needle in the haystack. The one indicator that would have made all the difference in the breach that's about to happen 3 hours, days, weeks from now. Why would you? Probably half of the indicators discussed might be benign, right? The effort of having to go and research each one as its talked about might not be worth it, given the payout. Right? I don't know.. do you?

Bots Bots Bots!

Wouldn't it be nice to have a little, well-behaved birdie interject itself into your conversation when it discovered something interesting? Something where you didn't have to constantly type `/q example.com` each time an indicator floated by? Something that not only did a basic feed search, but also applied some predictive, machine-learning logic to the indicator AS you're reading the conversation? Wouldn't it be nice to be able to flag that indicator as part of the conversation such that, it shows up in a feed you're already pulling into your Bro sensor? Less leaving that important conversation because you actually have to do work- more, the work just happens BECAUSE OF the conversation for you.

This technology isn't new. Slack isn't new, chat bots aren't new but it's rising popularity helps us bring people into the indicator ecosystem who previously weren't. It both demonstrate how to integrate our threat intel platforms into the tools WHERE WE ARE rather than having to go to Yet Another Console. From our slack example we can easily pivot into other chat platforms, tools or even email. This specific example just helps us flush out the generalized pattern a bit.

The /q commands and even the passive indicator extraction is pretty trivial, where it gets more interesting is the ability to glean what was said AFTER the indicator was posted. Even more so, what was NOT said. Most of these newer style chat apps enable users to react to a message, which the Slack Real Time Messaging API (or "RTM") also captures. Which means, if someone gives your indicator a "thumbs up!", your bot can now capture that too, maybe do a little more secondary digging, increase confidence, throw in a different feed, etc.

It's Not [that] Creepy

From there, you can tie specific bot reactions to other workflows you might have enabled in Slack. For instance, opening a ticket, sending a notification, performing other work. If this were an old style 'Threat Platform' (eg: FaceBook clone) you'd likely have to spend some time customizing it and your other tools to bring the two together. In that process you'd likely lose some of the human related context in the jumble. With these types of processes, the work happens for you because it's aware of who and what you're talking about. This may seem a bit creepy, but correctly scoped has the potential to make your work much more predictably successful over time. Less steps missed, more context provided, more attacks thwarted.

While chat rooms can (and will always be somewhat) be distracting, sometimes it's that tiny context and human to human related context that can make all the difference. Capturing that subtle context in the midst of a hunt is what's powerful. It's what makes us unique as humans, we just need a little automation here and there to help us scale out.