0
RT and RT for
Incident Response
    Jesse Vincent, Best Practical Solutions


http://fsck.com/~jesse/talks/2008/09/rtir.pdf
Carlos Fuentes Bermejo

 RTIR WG - Primary Technical Contact
 RedIRIS IRIS-CERT - Security Specialist
 Si habla español
 C...
Jesse Vincent

Designed RT and RTIR
 (It’s all my fault)
Founded Best Practical
 (It’s even more my fault)
No puedo presen...
¡AVISO!

WARNING!
I represent a
software vendor
We sell support,
training, consulting and
 customization for RT,
    RTIR and RTFM
This talk could be
dangerously close to a
      sales pitch
I’m not a sales guy
All the software we
make is open source
We created RT to
help sysadmins and
   helpdesk staff
We helped create RTIR
to let CERT teams be
    more effective
I want you to use RTIR
(or RT) for free - forever
I will be happy if you
  use them for free
(Now do you believe
that I’m not a sales guy?)
About RT
RT is a Ticketing System
RT helps keep you
    organized
Every conversation gets
 a number, a status and
       an owner
RT helps keep your
 customers happy
RT sends an autoreply and
ticket number when they
    report a problem
RT helps keep your team
    from going crazy
You know what’s been
  done – and when
RT helps you show your
bosses how hard you work
It’s easy to run reports
 on all kinds of metrics
RT builds an ad-hoc
  knowledge base
(RTFM helps you build an
explicit Knowledge Base)
Some RT history...
Created in 1996
First public release in 1997
2.0 released in 1999
Best Practical formed in 2001
RTIR Cr...
What is RT used for?
Issue Tracking      Process Management

Trouble Ticketing   Bug Tracking

Incident Handling   Sales L...
RT Homepage
Ticket Details
Ticket History
Ticket Update
RT Core Concepts
Tickets
Queues
Custom Fields
Scrips
Access Control
Email Gateway
Internationalization
Tickets

Track issues
Have unique id #s
Keep a history of correspondence
Have one owner
  (And a bunch of other metadata)
Queues

High-level grouping of tickets
Each can have its own
  Access Control
  Business Logic (Scrips)
  Custom Fields
Custom Fields
Track your own ticket metadata
 Freeform (optional validation)
 Select (one or many)
 Text block
 Upload file...
Scrips
Custom business logic
  (Also how RT sends mail)
Each is built from
  Condition
  Action
  Template
Access Control


User, Group or Role based
Global and Per-queue rights
Email Gateway

RT was first made to replace a mailing list
RT is designed for email interaction
  (and web. and command lin...
Internationalization
Fully native UTF8 internally
Speaks 22 languages
Handles inbound and outbound email
encoding
Contribu...
More RT Features
Charts and Reports       Ticket Locking
Dashboards               Web API
Self-service interface   Perl AP...
The RT Community
http://bestpractical.com/rt

http://wiki.bestpractical.com

rt-es-subscribe@lists.bestpractical.com

rt-u...
Quick Start (For testing)
wget http://download.bestpractical.com/
 pub/rt/release/rt.tar.gz

tar xzvf rt.tar.gz

cd rt-3.8...
RTIR: RT For Incident
      Response
What is RTIR?

Ticketing System
RT for Incident Response
Designed for CERT/CSIRT Teams
Designed for a CERT team - JANET-CE...
Differences from RT


RTIR is RT
...with more features, a custom interface
and special configuration
Designed for
CERT/CSIRT Teams

Metadata - IPs, SLAs, Constituency, etc
Workflows - Streamline your job
Views - Show what yo...
We designed RTIR to help you
     get your job done
RTIR keeps track of
     incidents
RTIR keeps track of
 correspondence
RTIR keeps an
uneditable history
RTIR makes incident
  research easier
RTIR tracks your
SLA commitments
RTIR integrates with
your other systems
RTIR takes care of the
   ‘boring’ parts of
 Incident Response
RTIR Basics

Incident Reports
Incidents
Investigations
Blocks
RTIR History
RTIR 1.0

Sponsored by JANET-CERT
Replaced a homebuilt Remedy system
Built on RT 3.0
2003
RTIR 1.0 Features

Clickable ‘Data Detectors’
IP/Domain/Address Lookup Tool
RTIR Automated Rules
SLA Monitoring
Business-H...
RTIR WG Members
JANET CSIRT/UKERNA    ACOnet-CERT
(Chair of project)
                      LITNET CERT
IRIS-CERT/RedIRIS
(...
RTIR 2
Sponsored by TERENA RTIR WG
Initial vision by JANET-CERT
Design collaboration between RTIR WG
and Best Practical
Bu...
RTIR 2.4 New Features
 PGP Integration           Message Forwarding

 Ticket Locking            Bulk Actions

 Ticket Agin...
RTIR 2.4 New Features
 Improved Automation      Improved UI

 Improved Searching       More flexible workflow

 Improved Cus...
The RTIR Workflow
RTIR Homepage
RTIR is built around
      Incidents
Incidents tie everything together
One Incident for
  many Incident Reports
  many Inv...
It usually starts with an
     Incident Report
 Conversations with Customers


 “Something bad happened!”
 “Please help me...
Create an IR
Create an IR #2
IR Details
IR History
Incident Report Reply
Incident Report History
Once reported, the
team tracks an Incident

 Track what actually happened
 Private / Internal
 Tie everything together
Create an Incident
Incident Details
Incident Details #2
Incident History
The team starts an
    Investigation
Internal Research and Discovery
Conversations with external partners
 Law Enforcement...
Launch Investigation
Launch Investigation
Investigation Details
Investigation History
Sometimes the easiest
 answer is just a Block
 Records of network blockades
 Tied to an Incident
 Could auto-update firewal...
Create a Block
Automatic IP Detection
Automatic IP Detection
Data Detectors
Research Tools
You should be using
   RTIR (or RT)
Cost of RTIR: $0
Cost of required
 software: $0
Cost of required
 hardware: $0?
Operating System


Unix/Linux/FreeBSD/MacOS X/Solaris/etc
(We don’t do Windows)
Database

MySQL 4.1 or 5.0
PostgreSQL 8.x
Oracle 9x or 10.x
SQLite (for testing)
Web Server

Apache
  mod_perl or FastCGI
lightttpd
  FastCGI
Standalone pure-perl server
RT & RTIR Community
 http://bestpractical.com/rtir/

 http://wiki.bestpractical.com - http://rtir.org

 rtir-subscribe@lis...
¡Muchas gracias!


                            ¿Preguntas?
                http://fsck.com/~jesse/talks/2008/09/rtir.pdf

...
Upcoming SlideShare
Loading in...5
×

A brief introduction to RTIR

4,161

Published on

A brief introduction to RTIR as presented to the UNAM.mx Congreso de Seguridad en Cómputo

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,161
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
72
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Transcript of "A brief introduction to RTIR"

  1. 1. RT and RT for Incident Response Jesse Vincent, Best Practical Solutions http://fsck.com/~jesse/talks/2008/09/rtir.pdf
  2. 2. Carlos Fuentes Bermejo RTIR WG - Primary Technical Contact RedIRIS IRIS-CERT - Security Specialist Si habla español Couldn’t be here today :( http://fsck.com/~jesse/talks/2008/09/rtir.pdf
  3. 3. Jesse Vincent Designed RT and RTIR (It’s all my fault) Founded Best Practical (It’s even more my fault) No puedo presentar en español. Lo Siento. http://fsck.com/~jesse/talks/2008/09/rtir.pdf
  4. 4. ¡AVISO! WARNING!
  5. 5. I represent a software vendor
  6. 6. We sell support, training, consulting and customization for RT, RTIR and RTFM
  7. 7. This talk could be dangerously close to a sales pitch
  8. 8. I’m not a sales guy
  9. 9. All the software we make is open source
  10. 10. We created RT to help sysadmins and helpdesk staff
  11. 11. We helped create RTIR to let CERT teams be more effective
  12. 12. I want you to use RTIR (or RT) for free - forever
  13. 13. I will be happy if you use them for free
  14. 14. (Now do you believe that I’m not a sales guy?)
  15. 15. About RT
  16. 16. RT is a Ticketing System
  17. 17. RT helps keep you organized
  18. 18. Every conversation gets a number, a status and an owner
  19. 19. RT helps keep your customers happy
  20. 20. RT sends an autoreply and ticket number when they report a problem
  21. 21. RT helps keep your team from going crazy
  22. 22. You know what’s been done – and when
  23. 23. RT helps you show your bosses how hard you work
  24. 24. It’s easy to run reports on all kinds of metrics
  25. 25. RT builds an ad-hoc knowledge base
  26. 26. (RTFM helps you build an explicit Knowledge Base)
  27. 27. Some RT history... Created in 1996 First public release in 1997 2.0 released in 1999 Best Practical formed in 2001 RTIR Created in 2003 RTIR WG Started in 2005 RTIR 2.4 Released 2008 (Last week!)
  28. 28. What is RT used for? Issue Tracking Process Management Trouble Ticketing Bug Tracking Incident Handling Sales Leads Workflow Youth Counseling Helpdesk Home Rentals Customer Service
  29. 29. RT Homepage
  30. 30. Ticket Details
  31. 31. Ticket History
  32. 32. Ticket Update
  33. 33. RT Core Concepts Tickets Queues Custom Fields Scrips Access Control Email Gateway Internationalization
  34. 34. Tickets Track issues Have unique id #s Keep a history of correspondence Have one owner (And a bunch of other metadata)
  35. 35. Queues High-level grouping of tickets Each can have its own Access Control Business Logic (Scrips) Custom Fields
  36. 36. Custom Fields Track your own ticket metadata Freeform (optional validation) Select (one or many) Text block Upload files or images Custom data sources Per-field access control
  37. 37. Scrips Custom business logic (Also how RT sends mail) Each is built from Condition Action Template
  38. 38. Access Control User, Group or Role based Global and Per-queue rights
  39. 39. Email Gateway RT was first made to replace a mailing list RT is designed for email interaction (and web. and command line) RT mediates and tracks all discussions
  40. 40. Internationalization Fully native UTF8 internally Speaks 22 languages Handles inbound and outbound email encoding Contribute at https://translations.launchpad.net/rt/
  41. 41. More RT Features Charts and Reports Ticket Locking Dashboards Web API Self-service interface Perl API Feeds CLI tools RTFM Customizability PGP Support Themability The RT Community Ticket Aging
  42. 42. The RT Community http://bestpractical.com/rt http://wiki.bestpractical.com rt-es-subscribe@lists.bestpractical.com rt-users-subscribe@lists.bestpractical.com rt-devel-subscribe@lists.bestpractical.com
  43. 43. Quick Start (For testing) wget http://download.bestpractical.com/ pub/rt/release/rt.tar.gz tar xzvf rt.tar.gz cd rt-3.8.1 make fixdeps ./bin/standalone_httpd
  44. 44. RTIR: RT For Incident Response
  45. 45. What is RTIR? Ticketing System RT for Incident Response Designed for CERT/CSIRT Teams Designed for a CERT team - JANET-CERT Generalized for a ‘standard’ process
  46. 46. Differences from RT RTIR is RT ...with more features, a custom interface and special configuration
  47. 47. Designed for CERT/CSIRT Teams Metadata - IPs, SLAs, Constituency, etc Workflows - Streamline your job Views - Show what you need Plugins - Lookups, Locking, ‘Shredding’, etc
  48. 48. We designed RTIR to help you get your job done
  49. 49. RTIR keeps track of incidents
  50. 50. RTIR keeps track of correspondence
  51. 51. RTIR keeps an uneditable history
  52. 52. RTIR makes incident research easier
  53. 53. RTIR tracks your SLA commitments
  54. 54. RTIR integrates with your other systems
  55. 55. RTIR takes care of the ‘boring’ parts of Incident Response
  56. 56. RTIR Basics Incident Reports Incidents Investigations Blocks
  57. 57. RTIR History
  58. 58. RTIR 1.0 Sponsored by JANET-CERT Replaced a homebuilt Remedy system Built on RT 3.0 2003
  59. 59. RTIR 1.0 Features Clickable ‘Data Detectors’ IP/Domain/Address Lookup Tool RTIR Automated Rules SLA Monitoring Business-Hours Logic
  60. 60. RTIR WG Members JANET CSIRT/UKERNA ACOnet-CERT (Chair of project) LITNET CERT IRIS-CERT/RedIRIS (Technical contact) SUNet CERT CERT POLSKA SWITCH-CERT CERT.PT GOVCERT.NL
  61. 61. RTIR 2 Sponsored by TERENA RTIR WG Initial vision by JANET-CERT Design collaboration between RTIR WG and Best Practical Built on RT 3.8 RTIR 2.4 released September 2008
  62. 62. RTIR 2.4 New Features PGP Integration Message Forwarding Ticket Locking Bulk Actions Ticket Aging Quick Actions Database Pruning Per-User Timezones RTFM Integration IP Address Range Fields
  63. 63. RTIR 2.4 New Features Improved Automation Improved UI Improved Searching More flexible workflow Improved Customization More user preferences Improved Reporting Easier Integration Improved Testing Improved Performance
  64. 64. The RTIR Workflow
  65. 65. RTIR Homepage
  66. 66. RTIR is built around Incidents Incidents tie everything together One Incident for many Incident Reports many Investigations many Blocks
  67. 67. It usually starts with an Incident Report Conversations with Customers “Something bad happened!” “Please help me!”
  68. 68. Create an IR
  69. 69. Create an IR #2
  70. 70. IR Details
  71. 71. IR History
  72. 72. Incident Report Reply
  73. 73. Incident Report History
  74. 74. Once reported, the team tracks an Incident Track what actually happened Private / Internal Tie everything together
  75. 75. Create an Incident
  76. 76. Incident Details
  77. 77. Incident Details #2
  78. 78. Incident History
  79. 79. The team starts an Investigation Internal Research and Discovery Conversations with external partners Law Enforcement Network Providers Experts
  80. 80. Launch Investigation
  81. 81. Launch Investigation
  82. 82. Investigation Details
  83. 83. Investigation History
  84. 84. Sometimes the easiest answer is just a Block Records of network blockades Tied to an Incident Could auto-update firewalls (Optional Feature)
  85. 85. Create a Block
  86. 86. Automatic IP Detection
  87. 87. Automatic IP Detection
  88. 88. Data Detectors
  89. 89. Research Tools
  90. 90. You should be using RTIR (or RT)
  91. 91. Cost of RTIR: $0
  92. 92. Cost of required software: $0
  93. 93. Cost of required hardware: $0?
  94. 94. Operating System Unix/Linux/FreeBSD/MacOS X/Solaris/etc (We don’t do Windows)
  95. 95. Database MySQL 4.1 or 5.0 PostgreSQL 8.x Oracle 9x or 10.x SQLite (for testing)
  96. 96. Web Server Apache mod_perl or FastCGI lightttpd FastCGI Standalone pure-perl server
  97. 97. RT & RTIR Community http://bestpractical.com/rtir/ http://wiki.bestpractical.com - http://rtir.org rtir-subscribe@lists.bestpractical.com rt-es-subscribe@lists.bestpractical.com rt-users-subscribe@lists.bestpractical.com rt-devel-subscribe@lists.bestpractical.com
  98. 98. ¡Muchas gracias! ¿Preguntas? http://fsck.com/~jesse/talks/2008/09/rtir.pdf Jesse Vincent - jesse@bestpractical.com - +1 617 812 0745
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×