Request Tracker for Incident Response (RTIR) - TERENA


© JANET Association trading as UKERNA 20034 TF-CSIRT Madrid 15 January 2004

Request Tracker for Incident Response (RTIR)

Andy Bone

JANET-CERT Manager

Presentation Overview

• Brief history

• Time line to JANET-CERT implementation

• Training

• WG findings

Changes from original RT

• IRT specific workflows

• 'clicky' metadata extraction and tracking

• whois integration

• separate "threads" for each conversation

• high-level overviews

• convenient searching

• simple scriptable actions

• new reporting functionality

RTIR Information Structures

Incident Reports
• Someone has a problem of some kind

Investigations
• IRT attempts to get to the root of the problem

Blocks
• Track network level intervention against threat

Incidents
• Ties it all together. May have many related incident reports, investigations and blocks
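The following is an added example, not code from RTIR or BestPractical, showing how the four structures above hang together and what the "clicky" metadata extraction buys an analyst: an incoming report is filed, IPs and hostnames are pulled out of it at filing time (so they can be clicked into whois or a search instead of copied by hand), an Incident is opened to tie things together, one Investigation is launched per external address as its own thread, and a Block records the network-level intervention. All class and function names (IncidentTracker, file_report, extract_metadata and so on) are this example's own, and the sample report e-mail is constructed using RFC 5737 documentation addresses.

```python
"""Added example, not RTIR's or BestPractical's code: a minimal model of the
four RTIR ticket types (Incident Report, Investigation, Block, Incident)
and of the 'clicky' metadata extraction that links them.
All names here are this example's own; the sample report is constructed."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Addresses that turn up in mail headers but never need a whois lookup.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def extract_metadata(body: str) -> dict:
    """Pull IPs and hostnames out of free text so the analyst can click
    them into whois/search rather than copy them by hand."""
    ips = set()
    for m in IP_RE.findall(body):
        try:
            ip = ipaddress.ip_address(m)
        except ValueError:          # e.g. 999.1.1.1 looks like an IP but isn't
            continue
        if not any(ip in net for net in INTERNAL):
            ips.add(str(ip))
    hosts = {h.lower() for h in HOST_RE.findall(body)}
    return {"ips": sorted(ips), "hosts": sorted(hosts)}


@dataclass
class Ticket:
    id: int
    type: str                      # Incident Report | Investigation | Block | Incident
    subject: str
    status: str = "new"
    parent: Optional[int] = None   # the Incident this ticket hangs off
    meta: dict = field(default_factory=dict)
    thread: list = field(default_factory=list)   # one conversation per ticket


class IncidentTracker:
    def __init__(self) -> None:
        self.tickets: dict = {}

    def _new(self, type_: str, subject: str, parent=None, meta=None) -> Ticket:
        t = Ticket(len(self.tickets) + 1, type_, subject, parent=parent, meta=meta or {})
        self.tickets[t.id] = t
        return t

    def file_report(self, subject: str, body: str) -> Ticket:
        """Incoming mail: someone has a problem. Metadata is extracted at filing time."""
        t = self._new("Incident Report", subject, meta=extract_metadata(body))
        t.thread.append(body)
        return t

    def open_incident(self, report: Ticket) -> Ticket:
        """An Incident ties things together; the report becomes its first child."""
        inc = self._new("Incident", report.subject, meta=dict(report.meta))
        report.parent, report.status = inc.id, "open"
        inc.status = "open"
        return inc

    def launch_investigation(self, incident: Ticket, contact: str, ip: str) -> Ticket:
        """The IRT's outbound conversation with a site about one address, kept
        as a separate thread so replies from different sites do not get mixed."""
        inv = self._new("Investigation", f"[{incident.id}] {ip}", parent=incident.id,
                        meta={"ips": [ip], "contact": contact})
        inv.thread.append(f"To {contact}: we have reports of abuse from {ip}")
        return inv

    def add_block(self, incident: Ticket, ip: str) -> Ticket:
        """Track a network-level intervention (e.g. a null route) against a threat."""
        return self._new("Block", f"block {ip}", parent=incident.id, meta={"ips": [ip]})

    def children(self, incident: Ticket) -> dict:
        """High-level overview: what hangs off one Incident, by ticket type."""
        kids = [t for t in self.tickets.values() if t.parent == incident.id]
        return {k: [t.id for t in kids if t.type == k]
                for k in ("Incident Report", "Investigation", "Block")}

    def search_ip(self, ip: str) -> list:
        """Convenient searching: every ticket whose metadata mentions an address."""
        return sorted(t.id for t in self.tickets.values() if ip in t.meta.get("ips", []))


# Constructed sample report (RFC 5737 documentation addresses, not real hosts).
SAMPLE_REPORT = """Received: from mail.example.net (10.0.0.5) by mx.example.ac.uk
Subject: ssh brute force from your network

Our logs show 203.0.113.7 and scanner.example.net (198.51.100.23) trying
to log in to 192.168.1.20 all night. Please look into it. IP 999.1.1.1 bogus."""


def demo() -> dict:
    """Walk one report through the four structures and return the overview."""
    rt = IncidentTracker()
    report = rt.file_report("ssh brute force from your network", SAMPLE_REPORT)
    incident = rt.open_incident(report)
    for ip in report.meta["ips"]:
        rt.launch_investigation(incident, "abuse@example.net", ip)
    rt.add_block(incident, "203.0.113.7")
    return {"incident": incident.id, "meta": incident.meta,
            "overview": rt.children(incident), "hits": rt.search_ip("203.0.113.7")}


if __name__ == "__main__":
    print(demo())
```

Two points worth noting from the run: the internal 10.0.0.5 and 192.168.1.20 addresses and the malformed 999.1.1.1 are dropped at extraction time, so only the two external addresses become Investigations; and because every child carries the Incident's id in `parent`, the overview and the per-IP search are just filters over the ticket table rather than anything the analyst has to maintain by hand.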

Where we are now

• Version 1.0 released end of August

• In use by a number of teams throughout the world

• Tested and evaluated

• Only free package (as far as we know) specifically designed for IRT use

JANET-CERT Timeline to Implementation

• Late 2002: began requirements document with BestPractical.

• Early 2003: BestPractical began coding.

• Mid 2003: final code handover. Internal systems changeover was still progressing.

• November: new systems in place and operational.

• Dec 1st (Monday morning): mail began entering the RTIR system; legacy incidents continued to be handled by the old IMAP-based system.

• End of December: only 2 legacy incidents remaining. 9,480 incident reports, 9,096 of them misdirected spam. Launched 101 investigations.

• Immediate issues.

Immediate Issues

• Some speed problems; work progressing on optimisation.

• Need a spam remedy to prevent it entering RT. Careful evaluation of SpamAssassin ongoing.

• Minor bugs.

• Integration with our probe/scan system ongoing.

Finding out more

[email protected]
• Closed list for incident response team staff

http://[email protected]

http://www.bestpractical.com

http://www.bestpractical.com/rtir/

RTIR Working Group

Training

The training course for RT development was delivered yesterday by BestPractical. It was attended by 15 students and included the following subject areas:

• RT's system architecture

• A guided tour of the RT source code

• Extension mechanisms you can use to customize RT

• How to tie RT into your existing authentication infrastructure

• Building your own tools that talk to the RT backend

• Automating common procedures

• Customizing RT's workflow to match your own

• How to write custom reports based on RT's data

Possibility of another course if enough interest can be generated.

RTIR WG

Teams involved:

• UNIRAS (UK)

• LITNET-CERT (Lit)

• SUNET-CERT (SU)

• DFN-CERT (DE)

• ACONET-CERT (AC)

• IRIS-CERT (SP)

• JANET-CERT (UK)

• CERT-POLSKA (PL)

• GOVCERT.NL (NL)

• SWITCH-CERT (CH)

• CERTA (FR)

• CERNET (CRO)

RTIR WG

Agenda:

1. Welcome (each team provided the following information)
   • Their current RTIR status
   • Their expectations (where they want RTIR to go)

2. Support
   • Bug fixes
   • Major work fixes

3. New areas of development

4. Funding

5. Organisation of work group actions

6. AOB

7. Next meeting

RTIR WG

Teams RTIR status:

Teams are at various stages of RTIR implementation, from testing through to full implementation, such as ACOnet and CERT-Polska.

Many have made changes to incorporate local working practices.

RTIR WG

Support:

• Bug fixes

• Major work areas

• BestPractical support packages

New areas of development:

• Multiple instances on the same source

• IODEF integration

• PGP/GPG
   • Validation
   • Updates by email
   • Signing/encryption from the front end

• Integrated incidents (adding in advisories, published material etc)?

RTIR WG

Funding:

General agreement that teams will help fund this project. BestPractical have stated that if support is purchased by teams then even major costs could be kept to a minimum, or completed as part of the support contract.

Possibility of using TERENA as a channel for contract and payments, possibly through the TI.

RTIR WG

WG Organisation and Agreements:

Some points on organisation were decided:

• Possibility of using a modified version of the eCSIRT code of conduct to aid working relationships.

• Use the TF-CSIRT or RTIR mailing list for communication (whichever is deemed appropriate).

• A WG requirements document will need to be created for BestPractical.

• A Statement of Work will be required from BestPractical, which will require the signature of all parties.

• The agreement with BestPractical will have milestones, which will need to be signed off with a majority of the teams in agreement (percentage to be decided).

RTIR WG

AOB:

• Possibility of a code security audit (is there anyone out there?)

Next Meeting:

• To be arranged (hopefully beginning of Feb)

• Location (possibly London)

• Will be more of a requirements workshop

• If anyone would like to join the WG then contact me


Questions