Using the Digital First Aid Kit for Incident Response

Collaborative process for dealing with security incidents

Dealing with security incidents is always a collaborative process, involving both your constituency and external players. There are a number of tools that help you with detecting (and preventing) incidents. One of those tools is, for example, MISP, the Malware Information Sharing Platform & Threat Sharing.

But once you have an incident, how do you deal with it? Everyone has (or should have) written their own incident response procedures, but did you know that there is also a collaborative process for dealing with this?

It’s called the Digital First Aid Kit and it’s on Github: https://github.com/RaReNet/DFAK.

This post explains how to visualize the information that’s in this digital first aid kit, or DFAK.

DFAK, or the Digital First Aid Kit for Incident Response

DFAK is built on Jekyll, which requires Ruby 2.x.

Unfortunately the default Ubuntu 14.04 comes with Ruby 1.9. You can deal with this by using an external repository (PPA) to upgrade to a newer version of Ruby.

Of course, before doing this, do the usual update/upgrade drill:

sudo apt-get update
sudo apt-get upgrade

Once this is done, add the new repository and install Ruby 2.2 from it:

sudo apt-add-repository ppa:brightbox/ruby-ng
sudo apt-get update
sudo apt-get install ruby2.2

You also need the Ruby development headers, because some of the gems Jekyll depends on compile native extensions during installation. Install them with

sudo apt-get install ruby2.2-dev

These steps prepared the Ruby environment that you need to run Jekyll. Obviously the next command is installing Jekyll itself:

gem install jekyll

This can take a while, because the native extensions are compiled. Be patient, and meanwhile think about how you could contribute to the information in the DFAK.

Once Jekyll is installed you need to download the DFAK repository. This is easy if you have git installed:

git clone https://github.com/RaReNet/DFAK.git

As a last step in the Jekyll process you need to install the gems listed in the repository's Gemfile, using Bundler. Do this via

sudo apt-get install bundler
bundle install

Note that for the bundle command to be successful you have to be in the DFAK directory, where the Gemfile lives (depending on your setup you have to navigate to /var/www/html/DFAK before issuing the command).
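The steps above, collected into one script. This is an added example, not code from the original post or from the DFAK project: it follows the same sequence (brightbox PPA, ruby2.2, ruby2.2-dev, Jekyll, clone, bundle install) but adds the check a practitioner wants before installing Jekyll, namely that the `ruby` on the PATH really is a 2.x interpreter and not the stock 1.9. The target directory /var/www/html/DFAK is an assumed location taken from the post; the version strings used in the comments are constructed samples of `ruby --version` output.

```shell
#!/bin/sh
# Added example (not from the original post or the DFAK project): the setup
# steps of the post as one script, with a Ruby version check before Jekyll is
# installed. The PPA and package names come from the post; the repository
# path passed as $1 (for example /var/www/html/DFAK) is an assumption.
set -eu

# Extract "major.minor" from `ruby --version` output such as the constructed
# sample "ruby 2.2.3p173 (2015-08-18 revision 51636) [x86_64-linux]" -> "2.2".
# Prints nothing if the string does not look like a ruby version line.
ruby_major_minor() {
  printf '%s\n' "$1" | sed -n 's/^ruby \([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1.\2/p'
}

# Succeed (exit 0) only if the version string describes Ruby 2.x or newer,
# which is what Jekyll requires according to the post.
ruby_version_ok() {
  mm=$(ruby_major_minor "$1")
  [ -n "$mm" ] || return 1
  [ "${mm%.*}" -ge 2 ]
}

# Steps from the post: bring Ubuntu 14.04 from Ruby 1.9 to Ruby 2.2 via the
# brightbox PPA, then install Jekyll and Bundler.
install_ruby_and_jekyll() {
  sudo apt-get update
  sudo apt-get upgrade -y
  sudo apt-add-repository -y ppa:brightbox/ruby-ng
  sudo apt-get update
  sudo apt-get install -y ruby2.2 ruby2.2-dev git
  # Refuse to continue if `ruby` still resolves to the old 1.9 interpreter;
  # `gem install jekyll` would otherwise fail or install an unusable Jekyll.
  if ! ruby_version_ok "$(ruby --version)"; then
    echo "ruby is still '$(ruby --version)'; expected 2.x" >&2
    return 1
  fi
  sudo gem install jekyll
  sudo apt-get install -y bundler
}

# Clone the kit (if not already present) and install its Gemfile dependencies.
# `bundle install` must run inside the repository, where the Gemfile lives.
fetch_and_bundle() {
  repo_dir=$1
  if [ ! -d "$repo_dir/.git" ]; then
    git clone https://github.com/RaReNet/DFAK.git "$repo_dir"
  fi
  cd "$repo_dir"
  [ -f Gemfile ] || { echo "no Gemfile in $repo_dir" >&2; return 1; }
  bundle install
}

# Only run the installation when a target directory is given on the command
# line, e.g. `sh setup-dfak.sh /var/www/html/DFAK`; without an argument the
# script just defines the functions above so they can be sourced and reused.
if [ "${1:-}" != "" ]; then
  install_ruby_and_jekyll
  fetch_and_bundle "$1"
  echo "Done. Start the site from $1 with: bundle exec jekyll serve"
fi
```

The version check is deliberately done on the output of `ruby --version` rather than on the package list, because the problem on a mixed system is precisely that `ruby` on the PATH may still be the 1.9 binary even after ruby2.2 is installed.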

Display DFAK

The bulk of the information in the Digital First Aid Kit is stored as files in the Github repository and can be read there, but we are lazy and prefer a rendered web interface to read the information.

If you followed the steps above you should have a working Jekyll environment on Ruby 2. The next thing to do is build the web pages so that they can be displayed correctly.

Jekyll comes with a built-in development web server, which also builds the site. From the DFAK directory, you can start it with

bundle exec jekyll serve

This will run the Jekyll server on localhost: by default it binds to 127.0.0.1 on port 4000, so it is not reachable from another host. You could pass --host 0.0.0.0 to jekyll serve, but that exposes a development server to the network. Without changing the local configuration, you can get access to it from your workstation by forwarding the web server port through SSH:

ssh -L 4000:127.0.0.1:4000 user@192.168.218.2

The above command (run on your workstation, with 192.168.218.2 being the host that runs Jekyll) forwards local port 4000 to port 4000 on the remote host's loopback interface. Once this is done you can browse the information in the first aid kit via your web browser at http://localhost:4000.


[Screenshot: Digital_First_Aid_Kit rendered in the browser]

Conclusion

The Digital First Aid Kit will not provide answers for dealing with all of your security incidents. But if you have a working incident response procedure, why not share it with the community and make your experience useful for everyone? Adding your requests or comments is easy via the Github interface.
