RT for Incident Response (RTIR)
Andy Bone, JANET-CERT Manager

What is RTIR?
- A tool for incident handling
- Currently in beta
History: Why change?
- Increasing volume of incidents
- Requirement for multiple-person triage
- System struggling to cope
- Need to increase resilience (BCP)
- Increase automation

History: What JANET-CERT was using
- Remedy-ARS / IMAP-based tool
- Unmaintained
- Designed for a small team and a smaller, friendlier internet
- Required manual interaction for each incoming message
- New development would have been costly
- Limited platform support
- Little built-in workflow or integration with external tools
- Hard for multiple staff to work in parallel on the same incident

History: What we wanted to do
- Allow JANET-CERT staff to manage the increasing workload effectively
- Provide a base for other IR teams to build new tools
- Be easily extensible as new services need to be provided
- Save money
History: How did we start?
1. Began by mapping workflow (through triage)
2. Define requirements

Define Requirements: the buzzwords
- Usable
- Cross-platform
- Open-source
- Maintainable using current team skills
- Extensible using current team skills
- Securable
- Supported
Request Tracker Chosen: Why Request Tracker?
- Designed to track issues; it doesn't really care what sort
- What's it used for? Bug tracking, helpdesk, customer service, abuse, network operations, sales lead tracking, to-do lists
- RT was close, but didn't have everything we needed

[Screenshots: RT]
[Screenshots: whois integration]
New development: What we wanted extra
- IRT-specific workflows
- Clicky data extraction and tracking
- whois integration
- Separate threads for each conversation
- Convenient searching
- Simple scriptable actions
- New reporting functionality tied into our new SLA requirement

History: How did we start? (complete)
1. Began by mapping workflow (through triage)
2. Define requirements
3. Evaluate current IHS solutions
4. Request Tracker chosen
5. Extra development and support required
6. Agree Statement of Work with Best Practical; work commenced Nov 2002, expected completion June 2003

[Screenshot: RTIR home page]
RTIR Structure
- Incident Reports: someone has a problem of some kind

[Screenshots: Incident Reports]
[Screenshots: Investigations]

[Screenshots: Blocks]
RTIR Structure (complete)
- Incident Reports: someone has a problem of some kind
- Investigations: the IRT attempts to get to the root of the problem
- Blocks: track network-level intervention against the threat
- Incidents: ties it all together; an Incident may have many related Incident Reports, Investigations and Blocks

[Screenshots: Incidents]
The future
- Cross-IRT integration: IODEF? RT-native integration?
- Cross-tool integration
- PGP signing/validation
- Automatically create new incident reports for detected phenomena, but not if RT already knows about it
- Auto-categorization of incoming incident reports?
- Other team implementations
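The four-queue structure above (Incident Reports, Investigations and Blocks tied together by an Incident) and the "create a report only if RT does not already know about it" idea from the future slide, as an added example written for this page, not RT's or RTIR's own code or API: a toy in-memory tracker whose queue names follow the slides and whose `Ticket`, `Tracker` and indicator-matching rule are hypothetical.

```python
"""Toy model of the RTIR structure from the slides: four queues, with
Incidents linking child tickets, plus de-duplication of automated
detections. Illustrative only; not RT/RTIR's data model or API."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Ticket:
    id: int
    queue: str            # "Incident Reports", "Investigations", "Blocks", "Incidents"
    subject: str
    indicators: set[str]  # e.g. offending IP addresses mentioned in the ticket
    status: str = "open"
    children: list[int] = field(default_factory=list)  # only used by Incidents


class Tracker:
    def __init__(self):
        self._ids = count(1)
        self.tickets = {}

    def create(self, queue, subject, indicators=()):
        t = Ticket(next(self._ids), queue, subject, set(indicators))
        self.tickets[t.id] = t
        return t

    def link(self, incident_id, child_id):
        """Tie a report, investigation or block to its Incident."""
        self.tickets[incident_id].children.append(child_id)

    def known_incident_for(self, indicator):
        """Return the open Incident whose own or linked tickets already
        mention this indicator, or None if RT does not know about it yet."""
        for inc in self.tickets.values():
            if inc.queue != "Incidents" or inc.status != "open":
                continue
            linked = (self.tickets[c].indicators for c in inc.children)
            if indicator in inc.indicators or any(indicator in s for s in linked):
                return inc
        return None

    def ingest_detection(self, indicator, subject):
        """Automated feed handler: open a new Incident Report (and Incident)
        for a detected phenomenon unless an open Incident already covers it."""
        existing = self.known_incident_for(indicator)
        if existing is not None:
            return None, existing        # nothing created; return what RT knows
        report = self.create("Incident Reports", subject, [indicator])
        incident = self.create("Incidents", subject, [indicator])
        self.link(incident.id, report.id)
        return report, incident
```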
Finding out more
- rtir-request@lists.bestpractical.com (closed list for incident response team staff)
- http://www.bestpractical.com
- http://www.bestpractical.com/pub/rt/release/rtir.tgz
- sales@bestpractical.com

Questions?