RT and RT for Incident Response

16,307 views

Published on

Published in: Technology

RT and RT for Incident Response

  1. 1. RT and RT for Incident Response
  2. 2. I represent a software vendor
  3. 3. We sell support, training, consulting and customization for RT, RTIR and RTFM
  4. 4. This talk could be dangerously close to a sales pitch.
  5. 5. I’m not a sales guy
  6. 6. All the software we make is open source.
  7. 7. We helped create RTIR to let CERT teams be more effective.
  8. 8. I want you to use RTIR for free - forever.
  9. 9. I will be happy if you use it for free.
  10. 10. (Now do you believe that I’m not a sales guy?)
  11. 11. About RT
  12. 12. RT is a Ticketing System
  13. 13. RT helps keep you organized.
  14. 14. Every conversation gets a number, a status and an owner.
  15. 15. RT helps keep your customers happy.
  16. 16. RT sends an autoreply and ticket number when they report a problem.
  17. 17. RT helps keep your team from going crazy.
  18. 18. You know what’s been done, and when.
  19. 19. RT helps you show your bosses how hard you work.
  20. 20. It’s easy to run reports on all kinds of metrics.
  21. 21. RT builds an ad-hoc knowledge base.
  22. 22. (With RTFM, you can build an explicit Knowledge Base)
  23. 23. Some RT history... Created in 1996 First public release in 1997 2.0 released in 1999 Best Practical formed in 2001 RTIR Created in 2003 RTIR WG Started in 2005 RTIR 2.4 Released 2008 (Last week!)
  24. 24. What is RT useful for? Issue Tracking Trouble Ticketing Workflow Helpdesk Customer Service Process Management Bug Tracking
  25. 25. RT Homepage
  26. 26. Ticket Details
  27. 27. Ticket History
  28. 28. Ticket Update
  29. 29. Ticket History
  30. 30. RT Core Concepts Tickets Queues Custom Fields Scrips Access Control Email Gateway Internationalization
  31. 31. Tickets Track issues Have unique id #s Keep a history of correspondence Have one owner (And a bunch of other metadata)
  32. 32. Queues High-level grouping of tickets Each can have its own Access Control Business Logic (Scrips) Custom Fields
  33. 33. Custom Fields Track your own ticket metadata Freeform (optional validation) Select (one or many) Text block Upload files or images Custom data sources Per-field access control
  34. 34. Scrips Custom business logic (Also how RT sends mail) Each is built from Condition Action Template
  35. 35. Access Control User, Group or Role based Global and Per-queue rights
  36. 36. Email Gateway RT was first made to replace a mailing list RT is designed for email interaction (and web. and command line) RT mediates and tracks all discussions
  37. 37. Internationalization Fully native UTF8 internally Speaks 22 languages Handles inbound and outbound email encoding Contribute at https://translations.launchpad.net/rt/
  38. 38. More RT Features Charts and Reports Ticket Locking Dashboards Web API Self-service interface Perl API Feeds CLI tools RTFM Customizability PGP Support Themability The Community Ticket Aging
  39. 39. Where to get RT http://bestpractical.com/rt
  40. 40. Questions about RT? (Next up: RTIR)
  41. 41. RTIR RT for Incident Response
  42. 42. What is RTIR? Ticketing System RT for Incident Response Designed for CERT/CSIRT Teams Designed for a CERT team - JANET-CERT Generalized for a ‘standard’ process
  43. 43. Differences from RT RTIR is RT ...with more features, a custom interface and special configuration
  44. 44. Designed for CERT/CSIRT Teams Metadata Workflows Views Plugins
  45. 45. We designed RTIR to help you get your job done.
  46. 46. RTIR keeps track of incidents.
  47. 47. RTIR keeps track of correspondence.
  48. 48. RTIR keeps an uneditable history.
  49. 49. RTIR makes incident research easier.
  50. 50. RTIR tracks your SLA commitments.
  51. 51. RTIR integrates with your other systems.
  52. 52. RTIR takes care of the ‘boring’ parts of Incident Response.
  53. 53. The RTIR Workflow
  54. 54. RTIR Homepage
  55. 55. RTIR is built around Incidents Incidents tie everything together One Incident for many Incident Reports many Investigations many Blocks
  56. 56. RTIR Relationships
  57. 57. It usually starts with an Incident Report Conversations with Customers “Something bad happened!” “Please help me!”
  58. 58. Incident Report
  59. 59. Incident Report
  60. 60. Create an IR
  61. 61. Create an IR #2
  62. 62. IR Details
  63. 63. IR History
  64. 64. Incident Report Reply
  65. 65. Incident Report History
  66. 66. Once reported, the team tracks an Incident Track what actually happened Private / Internal Tie everything together
  67. 67. Incident Lifecycle
  68. 68. Create an Incident
  69. 69. Incident Details
  70. 70. Incident Details #2
  71. 71. Incident History
  72. 72. Incident ! Investigation
  73. 73. The team starts an Investigation Internal Research and Discovery Conversations with external partners Law Enforcement Network Providers Experts
  74. 74. Investigation Lifecycle
  75. 75. Investigation Workflows
  76. 76. Launch Investigation
  77. 77. Launch Investigation
  78. 78. Investigation Details
  79. 79. Investigation History
  80. 80. Sometimes the easiest answer is just a Block (Optional Feature) Tied to an Incident Records of network blockades Could autoupdate firewalls
  81. 81. Create a Block
  82. 82. Data Detectors
  83. 83. Automatic IP Detection
  84. 84. Data Detectors
  85. 85. Research Tools
  86. 86. RTIR History
  87. 87. RTIR 1.0 Sponsored by JANET-CERT Replaced a homebuilt Remedy system Built on RT 3.0 2003
  88. 88. RTIR 1.0 Features Clickable ‘Data Detectors’ IP/Domain/Address Lookup Tool RTIR Automated Rules SLA Monitoring Business-Hours Logic
  89. 89. RTIR 2 Sponsored by TERENA RTIR WG Initial vision by JANET-CERT Design collaboration between RTIR WG and Best Practical Built on RT 3.8 RTIR 2.4 released September 2008
  90. 90. RTIR WG Members JANET CSIRT/UKERNA ACOnet-CERT (Chair of project) LITNET CERT IRIS-CERT/RedIRIS (Technical contact) SUNet CERT CERT POLSKA SWITCH-CERT CERT.PT GOVCERT.NL
  91. 91. RTIR 2.4 New Features PGP Integration Message Forwarding Ticket Locking Bulk Actions Ticket Aging Quick Actions Database Pruning Per-User Timezones RTFM Integration IP Address Range Fields
  92. 92. RTIR 2.4 New Features Improved Automation Improved UI Improved Searching More flexible workflow Improved Customization More user preferences Improved Reporting Easier Integration Improved Testing Improved Performance
  93. 93. Using RTIR
  94. 94. Cost of RTIR: $0
  95. 95. Cost of required software: $0
  96. 96. Cost of required hardware: $0?
  97. 97. Operating System Unix/Linux/FreeBSD/MacOS X/Solaris/etc (We don’t do Windows)
  98. 98. Database MySQL 4.1 or 5.0 PostgreSQL 8.x Oracle 9x or 10.x SQLite (for testing)
  99. 99. Web Server Apache mod_perl or FastCGI lightttpd FastCGI Standalone pure-perl server
  100. 100. Getting RTIR http://bestpractical.com/rtir
  101. 101. RT & RTIR Community http://wiki.bestpractical.com - http://rtir.org rtir-subscribe@lists.bestpractical.com rt-es-subscribe@lists.bestpractical.com rt-users-subscribe@lists.bestpractical.com rt-devel-subscribe@lists.bestpractical.com
  102. 102. Institution - IP correlation Aim Correlate automatically the IPs of the IRs, Invs and Blocks with its institutions Allow us an easiest way to address an investigation Statistic by institution What institution got more complaints at the end of the year ! When I say institution, it could be department
  103. 103. Requirements and Installation Requirements ¡¡¡Main one!!! database which associates every institution or department with its IP allocation space LDAP, MySQL, … , even a whois server Modify the “Customer” CustomField of IR and Invs queues to support external values You have to create your own library Has to have three functions: SourceDescription ExternalValues GetInstitutionByIP
  104. 104. Requirements and Install Download It will be in http://www.rtir.org, Extensions area Condition OnIPCreate Condition OnIPDelete

×