RT for Incident Response (RTIR) Andy Bone JANET-CERT Manager

Save this PDF as:

Size: px
Start display at page:

Download "RT for Incident Response (RTIR) Andy Bone JANET-CERT Manager"


1 RT for Incident Response (RTIR) Andy Bone JANET-CERT Manager

2 Plan of action Brief Introduction RTIR Update Future of RT Discussion & Views W G Proposal mini BOF Me John Me (again) You lot (I hope) With your cooperation

3 RT for Incident Response (RTIR) John Green JANET-CERT

4 Overview It s designed to track issues It doesn t really care what sort What it gets used for Bug tracking, helpdesk, customer service, abuse, network operations, sales lead tracking, todo lists. Mason, perl, mysql, apache



7 What we wanted to do Allow JANET-CERT staff to manage increasing workload effectively Provide a base for other IR teams to build new tools Be easily extensible as new services need to be provided Save money

8 Starting over JANET-CERT contacted Best Practical We put together a plan to extend RT for Incident Handling RT was close, but didn t have everything we needed

9 New functionality in RTIR IRT specific workflows clicky metadata extraction and tracking whois integration separate threads for each conversation high-level overviews convenient searching simple scriptable actions new reporting functionality

10 How RTIR carves things up Incident Reports Someone has a problem of some kind Investigations IRT attempts to get to the root of the problem Blocks Track network level intervention against threat Incidents Ties it all together. May have many related incident reports, investigations and blocks


12 Incident Reports



15 Incidents




19 Where we are now Version 1.0 released end of August In use by a number of teams Tested and evaluated by many more Only package (as far as we know) specifically designed for IRT use

20 The future Cross-IRT integration IODEF? RT-native integration Cross-tool integration PGP signing/validation Continuing development and bugfixes

21 Finding out more Closed list for incident response team staff

22 RT for Incident Response (RTIR Moving On) Andy Bone JANET-CERT Manager

23 The Dream Although RTIR is still in its infancy we believe that we need to think about the future: What can we do: Leave it as it is. Each team go away and modify to its own specification. Create a consortium of teams within the TF-CSIRT to increase spending power and create a standard system.

24 Training Possible Training Course on RT/RTIR: Requested by CERT-POLSKA and ourselves. Bestpractical agreed but: Need minimum of 8 people. Facilities Smallish cost (negotiable and dependant on attendees)

25 Other Teams using RTIR Views and observations: ACOnet-CERT CERT-POLSKA Anyone out there Discussion

26 Proposal I would like like to propose, that we form a WG through the TF-CSIRT to investigate the future of RTIR. With a mind to: Investigate and prepare requirements for RTIR V 2. To form a consortium of like minded teams to cooperate with Bestpractical in the implementation of RTIR V 2. Investigate and organise training on RT/RTIR.

27 BOF We intend to hold a brief BOF during the tea break if any teams would like to talk about the way forward and are interested in joining a WG, please join us and express your views.

28 Questions