Request Tracker for Incident Response
Carlos Fuentes IRIS-CERT/RedIRIS What RT is
● RT is a �cke�ng system ● Help keep you organized ● Issue tracking . Trouble �cke�ng . Workflow . Helpdesk . Customer Service . Process management . Bug Tracking
2 What RTIR is
● RT for Incident Response ● Ticke�ng system ● Designed for CERT/CSIRT teams ● Originally designed for JANET-CERT ● Generalized for a “standard” process . TF-CSIRT RTIR Working Group
3 Designed for CSIRT Teams ● Metadata ● Workflows ● Views ● Plugins
4 Differences from RT
● RTIR is RT
… with more features, a custom interface and special configura�on
5 What RTIR does ● Keeps track of incidents ● Keeps track of correspondence ● Keeps an uneditable history ● Makes incident research easier ● Tracks your SLA commitments ● Integrates with your other systems ● Takes care of the ‘boring’ parts of Incidents Response
6 The RTIR Workflow RTIR Homepage
8 The Concept
● Incidents �e everything together ● One Incident for . Many Incident Reports • Someone has a complaint of our cons�tuency . Many Inves�ga�ons • IRT a�empts to get the root of the problem . Many Blocks • Track network level interven�on against threat
9 RTIR Rela�onships
10 Incident Reports
● It usually starts with a Incident Report . Conversta�ons with complainers • Something bad happened • Please help me . Related to our cons�tuency . Coming from • Mail • Telephone • FAX • Internal/External Automa�c Detec�on System
11 Incident Reports LifeCycle
12 Incident Reports Worflow
13 Create an IR
14 Create an IR #2
15 IR Details
16 IR History
17 Incident Report Reply
18 Incident Report History
19 Incidents ● Once reported, the team tracks an Incident . Tracking what actually happened . Private / Internal . Tie everything togehter
20 Incident Lifecycle
21 Incident Workflow
22 Create an Incident
23 Incident Details
24 Incident Details #2
25 Incident History
26 Incident Inves�ga�on
27 Inves�ga�ons ● The teams starts an Inves�ga�on . Internal Research and Discovery . Conversa�ons with external partners • Law Enforcements • Network Providers • Experts • Other CSIRTs . Everyone who acts for resolving the issue
28 Inves�ga�on Lifecycle
29 Launch Inves�ga�on
30 Launch Inves�ga�on
31 Inves�ga�ons Details
32 Inves�ga�ons History
33 Data Detectors
34 Automa�c IP Detec�on
35 Data Detectors
36 Research Tools
37 SSC & RT-IR Integra�on
● New features developed: . Integra�on with GOCDB • Customer CF’s values: List of the sites • Incident Report & Inves�ga�ons
. Web Service for Inves�ga�on Crea�on Script / • Allows us to launch an inves�ga�on RT-IR GOCDB Human for a site • Using a predefined RTFM template • Deliver to Site Security Officer and Searching for contacts NGI Security officer • Params required: – Exact name of the site Crea�on Inc / Inv & Delivering the mail – Template ID
Results
38 SSC & RT-IR Integra�on . Update SSC DB Script Ac�on • Allows us to store the answers from site in the SSC DB
39 Using RTIR Technical Informa�on
● Cost of RTIR: $0 ● Cost of required so�ware: $0 ● Cost of required hardware: ??? ● Opera�ng System . Unix/Linux/FreeBSD/MacOS X/Solaris/etc … ● Database . MySQL 4.1 or 5.0, PostgreSQL 8.x, Oracle 9.x or 10.x, SQLite (for tes�ng) ● Web Server . Apache, lighth�pd, Standalone pure-perl server
41 Ge�ng RTIR
● h�p://bestprac�cal.com/r�r ● �p://�p.rediris.es/rediris/cert/r�r/ CentOSRTIR.tgz . Vmware image for tes�ng . Provided by RedIRIS
42 RT & RTIR Community
● h�p://wiki.bestprac�cal.com - h�p://www.r�r.org
● r�[email protected]�cal.com ● [email protected]�cal.com ● [email protected]�cal.com
43 Ques�ons Spanish Research & Academic Network
44