First Responder in Cyber Incident, Explained!


Roles of First Responder

1. Identifying the crime scene
2. Protecting the crime scene
3. Preserving temporary and fragile evidence
4. Collecting the complete information about the incident
5. Documenting all the findings
6. Packaging and transporting the electronic evidence.

Toolkit

1. A first responder toolkit is a set of tools that helps first responders collect genuine and presentable evidence.
2. It helps first responders understand the limitations and capabilities of electronic evidence at the time of collection.
3. First responders have to select trusted computer forensics tools that produce specific, well-defined output.

Creating Toolkit

1. Create a trusted forensic computer or testbed
  • Choose the related operating system.
  • Completely sanitize the forensics computer
  • Install the operating system and required software
  • Update and patch the forensics computer
  • Install a file integrity monitor to test the integrity of the file system

2. Document the details of the forensics computer
  • Version name and type of the operating system
  • Name and types of different software
  • Name and types of the installed hardware

3. Document the summary of the collected tools
  • It helps the first responder to understand how a tool works
  • The summary comprises:
    • Acquisition of the tool
    • Detailed description of the tool
    • Working of the tool
    • Tool dependencies and the system effects

4. Test the tools
  • Test the collected tools on the forensics computer and examine the performance and output
  • Examine the effects of the tool on the forensics computer
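Steps 1 to 4 above ask for a sanitized testbed, a file integrity monitor and documentation of every tool. As an added example (not part of the original post), the script below implements that integrity check as a SHA-256 manifest of the toolkit directory: the baseline is built once and filed with the documentation, then re-verified before each use so any altered, removed or added tool file is reported before evidence collection starts. The toolkit directory layout is an assumption.

```python
# Added example, not from the original post: a SHA-256 manifest that acts as the
# file integrity monitor for the first-responder toolkit (steps 1-4 above).
# build_manifest() records the documented baseline of the trusted forensics
# computer's tool directory; verify_manifest() is run before each deployment and
# reports any tool file that was modified, removed or added since the baseline.
# The toolkit directory layout is an assumption; nothing here is vendor-specific.
import hashlib
import json
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large tool images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(toolkit_dir: str) -> dict:
    """Baseline: POSIX relative path -> SHA-256 for every regular file."""
    root = Path(toolkit_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(toolkit_dir: str, manifest: dict) -> dict:
    """Compare the live toolkit directory with the documented baseline.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]};
    three empty lists mean the toolkit still matches its documented state.
    """
    current = build_manifest(toolkit_dir)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def save_manifest(manifest: dict, out_file: str) -> None:
    """File the baseline as JSON with the toolkit documentation (step 3)."""
    Path(out_file).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_file: str) -> dict:
    return json.loads(Path(in_file).read_text())
```

Run build_manifest once on the freshly prepared testbed and keep the saved JSON with the tool documentation; a non-empty result from verify_manifest means the toolkit no longer matches what was documented.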

Tools

  • Notebook Computers - Licensed Software, Bootable CD, External hard drives and Network cables.
  • Software tools - EnCase Forensic, Forensic Toolkit (FTK), ProDiscover, Hex Workshop, X-Ways Forensics.
  • Hardware Tools - Paraben forensics hardware, Digital Intelligence forensic hardware, Tableau hardware accelerator, WiebeTech forensics hardware tools, Logicube forensics hardware tools.

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.


SNORT - Intrusion Detection/Prevention Systems

IDS stands for Intrusion Detection System and IPS stands for Intrusion Prevention System. IDS and IPS work on the same principle: they analyze packets coming in from the outside network against a set of rules derived from a database of known cyberattacks. Both IDS and IPS compare the signatures of packets with that known-cyberattack database.

The difference between IDS and IPS is that an IDS only detects the incoming attack and alerts the administrator to take action against it, whereas an IPS not only detects the attack but also stops the packet from being delivered, based on its rule set.


Both IDS and IPS work much like an antivirus, which compares an application's signature against the list of malicious signatures it stores. An IDS is most often deployed behind the firewall at the edge of the network, whereas an IPS is generally placed at the network edge such that it sits immediately inside the Internet firewall. An IPS requires more computational power because it performs both detection and prevention on network traffic.


One of the most widely used IDS/IPS tools is SNORT. Snort is an open-source network intrusion detection system and intrusion prevention system.


Installation

Firstly, make sure the OpenSSH server is installed on Ubuntu. It is installed by default, but if it is not, you can install it with the command apt-get install openssh-server.
  • Snort is available in the Ubuntu package repositories. To install it, use the command apt-get install snort*.
Screenshot: SNORT installation command
  • During installation you will get a prompt asking on which interface you want to configure SNORT. This sets up the network with its CIDR.
Screenshot: Set up Interface
Your interface name will be different. Run ifconfig or ip a to check the name of the interface.
With these two simple steps SNORT is installed. Some files are created in /etc/snort/, which are used to set up the SNORT application as an IDS.

Screenshot: SNORT files location

Configuring SNORT as IDS:

  • Open the configuration file located at /etc/snort/snort.conf as the super user. You can use any text editor to open the file.
  • Set the HOME_NET variable, which is nothing but your network's IP range.
Screenshot: Change the HOME_NET value
  • After setting the HOME_NET variable, note that there are predefined sets of rules for different services such as SSH, FTP, Nmap, etc.
  • A glimpse of the rules, which are located in /etc/snort/rules/, is shown below. The first rule says to alert the user if any packet arrives at the HOME_NET network on port 21.
Screenshot: FTP rules set
  • Now check that the configuration and the rules load correctly by running SNORT in test mode with sudo snort -T -c /etc/snort/snort.conf -i ens33 (replace ens33 with your interface).
Screenshot: Command to activate
  • To start the SNORT application, run sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33.
Screenshot: Command to initiate
  • From now on, whenever a packet matches one of the rules as a possible attack, SNORT displays the alert on the terminal.
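To make the rule logic above concrete, here is an added example (not part of the original post or of Snort itself): a small Python evaluator for Snort rule headers. It resolves $HOME_NET and $EXTERNAL_NET the way snort.conf variables are used, shows the FTP rule firing for traffic to HOME_NET on port 21, and shows the IDS/IPS difference from the first section, where an alert rule only reports while a drop rule blocks delivery only when the sensor runs in IPS mode. The HOME_NET value 192.168.1.0/24 and the sample packets are constructed; real Snort also inspects the payload options in parentheses.

```python
# Added example, not from the original post: a minimal evaluator for Snort rule
# headers. It shows the FTP rule above firing for traffic to $HOME_NET port 21 and
# the IDS/IPS difference: 'alert' only reports, while 'drop' blocks delivery only
# in IPS mode. HOME_NET and the packets are constructed; real Snort also inspects payload.
import ipaddress
import re

RULE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text: str) -> dict:
    m = RULE.match(text.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {text!r}")
    rule = dict(zip(("action", "proto", "src", "sport", "dir", "dst", "dport", "opts"), m.groups()))
    msg = re.search(r'msg:"([^"]*)"', rule["opts"])
    rule["msg"] = msg.group(1) if msg else ""
    return rule


def addr_matches(spec: str, ip: str, variables: dict) -> bool:
    """Resolve 'any', $VAR (e.g. $HOME_NET), '!' negation and CIDR/host specs."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or a Snort range such as 1024: or 20:21."""
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    return int(spec) == port if not sep else int(lo or 0) <= port <= int(hi or 65535)


def evaluate(rules: list, pkt: dict, variables: dict, mode: str = "ids") -> dict:
    """IDS mode is passive (a 'drop' match still only alerts); IPS mode blocks it."""
    verdict = {"delivered": True, "alerts": []}
    for r in rules:
        hit = (r["proto"] == pkt["proto"]
               and addr_matches(r["src"], pkt["src"], variables) and port_matches(r["sport"], pkt["sport"])
               and addr_matches(r["dst"], pkt["dst"], variables) and port_matches(r["dport"], pkt["dport"]))
        if not hit:
            continue
        verdict["alerts"].append(r["msg"])
        if r["action"] == "drop" and mode == "ips":
            verdict["delivered"] = False
    return verdict
```

Feed it the rule text from /etc/snort/rules/ and a dict of the variables set in snort.conf; a packet from inside HOME_NET never matches a $EXTERNAL_NET source because EXTERNAL_NET is defined as the negation of HOME_NET.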

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.
