Collaborative process for dealing with security incidents
Dealing with security incidents is always a collaborative process, involving both your constituency and external players. There are a number of tools that help you with detecting (and preventing) incidents. One example is MISP, the Malware Information Sharing Platform & Threat Sharing.
But once you have an incident … how do you deal with it? Everyone has (or should have) written their own incident response procedures, but did you know that there is also a collaborative process for dealing with this?
It’s called the Digital First Aid Kit and it’s on Github : https://github.com/RaReNet/DFAK.
This post explains how to visualize the information that’s in this digital first aid kit, or DFAK.
DFAK, or the Digital First Aid Kit for Incident Response
DFAK is built on Jekyll. It requires you to have Ruby 2.
Unfortunately the default Ubuntu 14 ships with Ruby 1.9. You can deal with this by using an external repository (PPA) to upgrade to a newer version of Ruby.
Of course, before doing this, do the usual update/upgrade drill.
sudo apt-get update
sudo apt-get upgrade
Once this is done, include the new repository.
sudo apt-add-repository ppa:brightbox/ruby-ng
sudo apt-get update
sudo apt-get install ruby2.2
You also need the Ruby development packages to install Jekyll (its native gem extensions are compiled during installation). Do this with
sudo apt-get install ruby2.2-dev
These steps prepare the Ruby environment that you need to run Jekyll. The next command installs Jekyll itself.
gem install jekyll
This can take a while. Be patient, and use the time to think about how you could contribute to the information in the DFAK.
Once Jekyll is installed you need to download the DFAK repository. This is easy if you have git installed.
git clone https://github.com/RaReNet/DFAK.git
As a last step in the Jekyll process you need to install the gem bundle the repository depends on. Do this via
sudo apt-get install bundler
bundle install
Note that for the bundle install command to succeed you have to be in the DFAK directory, where the Gemfile lives (depending on your setup you have to navigate to /var/www/html/DFAK before issuing the command).
Display DFAK
The bulk of the information in the Digital First Aid Kit is stored in the Github pages, but we are lazy and prefer a web interface to read the information.
If you followed the steps above you should have a working Jekyll environment on Ruby 2. The next thing to do is build the web pages so that they can be displayed correctly.
Ruby comes with a built-in web server that Jekyll uses to serve the generated site. You can start it with
bundle exec jekyll serve
This will run the Jekyll server on localhost only, listening on 127.0.0.1 port 4000. This is inconvenient if you want to access it from another host. Without changing the local configuration (and without exposing the development server on the network), you can get access to it by forwarding the web server port through SSH.
ssh -L 4000:127.0.0.1:4000 user@192.168.218.2
The above command forwards port 4000 on your own machine to port 4000 on the loopback interface of the remote host. Once this is done you can browse the information in the first aid kit via your web browser at http://localhost:4000.
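To confirm that the Jekyll server really is reachable only through the SSH tunnel and not from the network, the following shell function (an added example, not part of the original post or the DFAK project) parses `ss -ltn` output and reports whether a given port is bound to loopback only. The sample `ss` output embedded below is constructed; on the server you would pipe the live `ss -ltn` output into it instead.

```shell
#!/bin/sh
# listener_scope PORT  (reads `ss -ltn` output on stdin)
# Prints one of:
#   loopback - port is bound to 127.0.0.1 / ::1 only (safe behind SSH forwarding)
#   exposed  - port is bound to 0.0.0.0, ::, * or another non-loopback address
#   none     - nothing is listening on that port
# Assumes the iproute2 `ss -ltn` column layout: State Recv-Q Send-Q Local:Port Peer:Port
listener_scope() {
    port="$1"
    awk -v port="$port" '
        NR == 1 && $1 == "State" { next }      # skip the header line
        {
            addr = $4                          # Local Address:Port column
            n = split(addr, parts, ":")
            p = parts[n]                       # text after the last colon is the port
            if (p != port) next
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (host == "127.0.0.1" || host == "[::1]" || host == "::1") lb = 1
            else exposed = 1                   # 0.0.0.0, *, ::, [::] or a real interface
        }
        END {
            if (exposed) print "exposed"
            else if (lb) print "loopback"
            else print "none"
        }'
}

# Constructed sample of `ss -ltn` output on an Ubuntu 14 host running `jekyll serve`:
# Jekyll on loopback port 4000, sshd on all IPv4 and IPv6 addresses.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    127.0.0.1:4000                  *:*
LISTEN     0      128    *:22                            *:*
LISTEN     0      128    :::22                           :::*'

# Run the check against the constructed sample; prints "loopback" for port 4000.
printf '%s\n' "$SAMPLE_SS" | listener_scope 4000
```

On the real server, `ss -ltn | listener_scope 4000` should print `loopback`; if it prints `exposed`, the Jekyll server has been started with a non-default host binding and is reachable without the SSH tunnel.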
Conclusion
The Digital First Aid Kit will not provide answers for dealing with all of your security incidents. But if you have made a working incident response procedure, why not share it with the community and make your experience useful for everyone? Adding your requests or comments is easy via the Github interface.