RT and RT for Incident Response

Transcription

1 RT and RT for Incident Response

2 Carlos Fuentes Bermejo RTIR WG - Primary Technical Contact RedIRIS IRIS-CERT - Security Specialist Si habla español Couldn t be here today :(

3 Jesse Vincent Designed RT and RTIR (It s all my fault) Founded Best Practical (It s even more my fault) No puedo presentar en español. Lo Siento.

4 WARNING

5 I represent a software vendor

6 We sell support, training, consulting and customization for RT, RTIR and RTFM

7 This talk could be dangerously close to a sales pitch.

8 I m not a sales guy

9 All the software we make is open source.

10 We helped create RTIR to let CERT teams be more effective.

11 I want you to use RTIR for free - forever.

12 I will be happy if you use it for free.

13 (Now do you believe that I m not a sales guy?)

14 About RT

15 RT is a Ticketing System

16 RT helps keep you organized.

17 Every conversation gets a number, a status and an owner.

18 RT helps keep your customers happy.

19 RT sends an autoreply and ticket number when they report a problem.

20 RT helps keep your team from going crazy.

21 You know what s been done, and when.

22 RT helps you show your bosses how hard you work.

23 It s easy to run reports on all kinds of metrics.

24 RT builds an ad-hoc knowledge base.

25 (With RTFM, you can build an explicit Knowledge Base)

26 Some RT history... Created in 1996 First public release in released in 1999 Best Practical formed in 2001 RTIR Created in 2003 RTIR WG Started in 2005 RTIR 2.4 Released 2008 (Last week!)

27 What is RT useful for? Issue Tracking Trouble Ticketing Workflow Helpdesk Customer Service Process Management Bug Tracking

28 RT Homepage

29 Ticket Details

30 Ticket History

31 Ticket Update

32 Ticket History

33 RT Core Concepts Tickets Queues Custom Fields Scrips Access Control Gateway Internationalization

34 Tickets Track issues Have unique id #s Keep a history of correspondence Have one owner (And a bunch of other metadata)

35 Queues High-level grouping of tickets Each can have its own Access Control Business Logic (Scrips) Custom Fields

36 Custom Fields Track your own ticket metadata Freeform (optional validation) Select (one or many) Text block Upload files or images Custom data sources Per-field access control

37 Scrips Custom business logic (Also how RT sends mail) Each is built from Condition Action Template

38 Access Control User, Group or Role based Global and Per-queue rights

39 Gateway RT was first made to replace a mailing list RT is designed for interaction (and web. and command line) RT mediates and tracks all discussions

40 Internationalization Fully native UTF8 internally Speaks 22 languages Handles inbound and outbound encoding Contribute at

41 More RT Features Charts and Reports Dashboards Self-service interface Feeds RTFM PGP Support Themability Ticket Aging Ticket Locking Web API Perl API CLI tools Customizability The Community

42 Where to get RT

43 Questions about RT? (Next up: RTIR)

44 RTIR RT for Incident Response

45 What is RTIR? Ticketing System RT for Incident Response Designed for CERT/CSIRT Teams Designed for a CERT team - JANET-CERT Generalized for a standard process

46 Differences from RT RTIR is RT...with more features, a custom interface and special configuration

47 Designed for CERT/CSIRT Teams Metadata Workflows Views Plugins

48 We designed RTIR to help you get your job done.

49 RTIR keeps track of incidents.

50 RTIR keeps track of correspondence.

51 RTIR keeps an uneditable history.

52 RTIR makes incident research easier.

53 RTIR tracks your SLA commitments.

54 RTIR integrates with your other systems.

55 RTIR takes care of the boring parts of Incident Response.

56 The RTIR Workflow

57 RTIR Homepage

58 RTIR is built around Incidents Incidents tie everything together One Incident for many Incident Reports many Investigations many Blocks

59 RTIR Relationships

60 It usually starts with an Incident Report Conversations with Customers Something bad happened! Please help me!

61 Incident Report

62 Incident Report

63 Create an IR

64 Create an IR #2

65 IR Details

66 IR History

67 Incident Report Reply

68 Incident Report History

69 Once reported, the team tracks an Incident Track what actually happened Private / Internal Tie everything together

70 Incident Lifecycle

71 Create an Incident

72 Incident Details

73 Incident Details #2

74 Incident History

75 Incident Investigation

76 The team starts an Investigation Internal Research and Discovery Conversations with external partners Law Enforcement Network Providers Experts

77 Investigation Lifecycle

78 Investigation Workflows

79 Launch Investigation

80 Launch Investigation

81 Investigation Details

82 Investigation History

83 Sometimes the easiest answer is just a Block (Optional Feature) Tied to an Incident Records of network blockades Could autoupdate firewalls

84 Create a Block

85 Data Detectors

86 Automatic IP Detection

87 Data Detectors

88 Research Tools

89 RTIR History

90 RTIR 1.0 Sponsored by JANET-CERT Replaced a homebuilt Remedy system Built on RT

91 RTIR 1.0 Features Clickable Data Detectors IP/Domain/Address Lookup Tool RTIR Automated Rules SLA Monitoring Business-Hours Logic

92 RTIR 2 Sponsored by TERENA RTIR WG Initial vision by JANET-CERT Design collaboration between RTIR WG and Best Practical Built on RT 3.8 RTIR 2.4 released September 2008

93 RTIR WG Members JANET CSIRT/UKERNA (Chair of project) IRIS-CERT/RedIRIS (Technical contact) CERT POLSKA ACOnet-CERT LITNET CERT SUNet CERT SWITCH-CERT CERT.PT GOVCERT.NL

94 RTIR 2.4 New Features PGP Integration Ticket Locking Ticket Aging Database Pruning Message Forwarding Bulk Actions Quick Actions Per-User Timezones RTFM Integration IP Address Range Fields

95 RTIR 2.4 New Features Improved Automation Improved Searching Improved Customization Improved Reporting Improved UI More flexible workflow More user preferences Easier Integration Improved Testing Improved Performance

96 Using RTIR

97 Cost of RTIR: $0

98 Cost of required software: $0

99 Cost of required hardware: $0?

100 Operating System Unix/Linux/FreeBSD/MacOS X/Solaris/etc (We don t do Windows)

101 Database MySQL 4.1 or 5.0 PostgreSQL 8.x Oracle 9x or 10.x SQLite (for testing)

102 Web Server Apache mod_perl or FastCGI lightttpd FastCGI Standalone pure-perl server

103 Getting RTIR

104 RT & RTIR Community [email protected] [email protected] [email protected] [email protected]

105 Muchas gracias! Questions? Jesse Vincent

106 Bonus!

107 Aim Institution - IP correlation Correlate automatically the IPs of the IRs, Invs and Blocks with its institutions Allow us an easiest way to address an investigation Statistic by institution What institution got more complaints at the end of the year When I say institution, it could be department

108 Requirements and Requirements Installation Main one!!! database which associates every institution or department with its IP allocation space LDAP, MySQL,, even a whois server Modify the Customer CustomField of IR and Invs queues to support external values You have to create your own library Has to have three functions: SourceDescription ExternalValues GetInstitutionByIP

109 Requirements and Install Download It will be in Extensions area Condition OnIPCreate Condition OnIPDelete

110 Workflow To: Cert Subject: Complaint is attacking our network. Incoming Mail RT & RTIR Box Answer: UNAM Query: Database Box Institution of is?

111

112