Request Tracker for Incident Response
Carlos Fuentes, IRIS-CERT/RedIRIS

What RT is
● RT is a ticketing system
● Helps keep you organized
● Issue tracking
  . Trouble ticketing
  . Workflow
  . Helpdesk
  . Customer Service
  . Process management
  . Bug Tracking
What RTIR is
● RT for Incident Response
● Ticketing system
● Designed for CERT/CSIRT teams
● Originally designed for JANET-CERT
● Generalized for a “standard” process
  . TF-CSIRT RTIR Working Group

Designed for CSIRT Teams
● Metadata
● Workflows
● Views
● Plugins
Differences from RT
● RTIR is RT
  … with more features, a custom interface and special configuration
What RTIR does
● Keeps track of incidents
● Keeps track of correspondence
● Keeps an uneditable history
● Makes incident research easier
● Tracks your SLA commitments
● Integrates with your other systems
● Takes care of the ‘boring’ parts of Incident Response
The RTIR Workflow

RTIR Homepage

The Concept
● Incidents tie everything together
● One Incident for
  . Many Incident Reports
    • Someone has a complaint about our constituency
  . Many Investigations
    • The IRT attempts to get to the root of the problem
  . Many Blocks
    • Track network-level intervention against a threat

RTIR Relationships
Incident Reports
● It usually starts with an Incident Report
  . Conversations with complainants
    • Something bad happened
    • Please help me
  . Related to our constituency
  . Coming from
    • Mail
    • Telephone
    • FAX
    • Internal/External Automatic Detection System
Incident Reports Lifecycle

Incident Reports Workflow

Create an IR

Create an IR #2

IR Details

IR History

Incident Report Reply

Incident Report History
Incidents
● Once reported, the team tracks an Incident
  . Tracking what actually happened
  . Private / Internal
  . Ties everything together
Incident Lifecycle

Incident Workflow

Create an Incident

Incident Details

Incident Details #2

Incident History

Incident Investigation
Investigations
● The team starts an Investigation
  . Internal Research and Discovery
  . Conversations with external partners
    • Law Enforcement
    • Network Providers
    • Experts
    • Other CSIRTs
  . Everyone who acts to resolve the issue

Investigation Lifecycle
Launch Investigation

Launch Investigation

Investigation Details

Investigation History

Data Detectors

Automatic IP Detection

Data Detectors

Research Tools

SSC & RT-IR Integration
● New features developed:
  . Integration with GOCDB
    • Custom CF values: list of the sites
    • Incident Report & Investigations
  . Web Service for Investigation Creation
    • Allows us to launch an investigation for a site
    • Using a predefined RTFM template
    • Delivered to the Site Security Officer and the NGI Security Officer
    • Params required:
      – Exact name of the site
      – Template ID
[Diagram: actors Script, RT-IR, GOCDB, Human; steps: searching for contacts, creation of Inc / Inv & delivering the mail, results]
SSC & RT-IR Integration
  . Update SSC DB Script Action
    • Allows us to store the answers from the site in the SSC DB
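The investigation-creation step of the SSC integration above, as an added example that is not the RedIRIS script nor RTIR's own code: it builds the ticket payload from the site name, template and contacts, validates the site name so it cannot smuggle extra fields into the payload, parses the creation reply and builds the link to the parent Incident. Assumptions not on the slides: the script talks to RT's REST 1.0 interface (POST /REST/1.0/ticket/new and /REST/1.0/ticket/<id>/links), the RTIR queue is named "Investigations", the template uses a `{site}` placeholder instead of RTFM syntax, and the GOCDB contact lookup is replaced by constructed sample addresses.

```python
import re

# Constructed sample template (stands in for the RTFM template; {site} is an
# assumed placeholder, not RTFM syntax) and constructed GOCDB contacts.
SAMPLE_TEMPLATE = (
    "Dear Security Officer of {site},\n"
    "we received a report concerning hosts at your site.\n"
    "Please reply to this ticket with your findings."
)
SAMPLE_CONTACTS = ["site-sec@example.org", "ngi-sec@example.org"]

# GOCDB site names must match exactly; the allowlist also keeps newlines and
# other separators out of the 'Key: value' payload built below.
SITE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")


def is_valid_site_name(site_name):
    return SITE_NAME_RE.fullmatch(site_name) is not None


def build_investigation_content(site_name, template_body, contacts):
    """Return the 'content' form field for POST /REST/1.0/ticket/new (assumed)."""
    # The payload is one 'Key: value' line per field, so an unvalidated site
    # name containing a newline could inject a field such as a different Queue.
    if not is_valid_site_name(site_name):
        raise ValueError(f"invalid site name: {site_name!r}")
    body = template_body.format(site=site_name)
    # Continuation lines of a multi-line value are indented by one space.
    text = body.replace("\n", "\n ")
    lines = [
        "id: ticket/new",
        "Queue: Investigations",  # assumed RTIR queue name
        f"Subject: [{site_name}] Security incident follow-up",
        f"Requestor: {', '.join(contacts)}",
        f"Text: {text}",
    ]
    return "\n".join(lines) + "\n"


def parse_create_response(response_text):
    """Return the new ticket id from an RT REST 1.0 reply, or None on failure."""
    m = re.search(r"^# Ticket (\d+) created\.", response_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def build_link_content(investigation_id, incident_id):
    """Payload for POST /REST/1.0/ticket/<id>/links (assumed format) that makes
    the new Investigation a member of its parent Incident, as RTIR links them."""
    return f"id: {investigation_id}\nMemberOf: {incident_id}\n"
```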
Using RTIR: Technical Information
● Cost of RTIR: $0
● Cost of required software: $0
● Cost of required hardware: ???
● Operating System
  . Unix/Linux/FreeBSD/MacOS X/Solaris/etc …
● Database
  . MySQL 4.1 or 5.0, PostgreSQL 8.x, Oracle 9.x or 10.x, SQLite (for testing)
● Web Server
  . Apache, lighttpd, standalone pure-perl server
Getting RTIR
● http://bestpractical.com/rtir
● ftp://ftp.rediris.es/rediris/cert/rtir/CentOSRTIR.tgz
  . VMware image for testing
  . Provided by RedIRIS
RT & RTIR Community
● http://wiki.bestpractical.com - http://www.rtir.org