RTIR FOR INCIDENT MANAGEMENT
What is RTIR? RTIR is the premiere open source incident handling system targeted forcomputer security teams Used by over a dozen CERT and CSIRT teams around the world for e.g.JANET CSIRT (UK's National Research and Education Network) A Web-based software programmed in Perl.
RTIR Components Major components: Web server (Apache mod perl-enabled) Database (MySQL, PostgreSQL) An email address to handle incoming tickets An SMTP server to send email out Required Perl modules
RTIR Features A workflow designed specifically for incident response Incident reports Incidents Investigations A web interface to administer the system Reports Generate text, HTML, or spreadsheet reports
Purpose To ensure that Computer Incident Response Team (CIRT) members carry out incident handlingduties consistently and effectively Follow an agreed work-flow pattern for the application Request Tracker for Incident Response(RTIR)
Incident HandlingDetection (Incident reported/detected)Triage (Incident assessed,categorised, prioritised & queued)Analysis (Research on what happened/who's affected)Incident response (Actions taken to resolve incident)
RTIR Ticketing System (1)Incident Reports New reports end up here, with a due date set according to your SLAs, and are displayed on theRTIR dashboard.Incidents Valid Incident Reports are turned into new Incidents Ticket or linked to existing ones with one click.Investigations Launching further analysis or investigation on the reported case.
RTIR Ticketing System (2)ConstituencyResponderIncident Report TicketThis ticket reaches tothe RTIR system viaemail/portalIncident Reported messages or iscreated manually bythe responder if itslodged via phone orfax.Incident ReportTicketManagerHandlerIncident TicketThis ticket is createdby the manager afterverifying the facts andgetting all detailsfrom the incidentreport ticket.Investigation TicketThis ticket iscreated by thehandler whiledoing theinvestigations andlinked to theincident ticketIncident TicketInvestigation Ticket
User Role & ResponsibilityThere are 3 main people in CIRT: Duty Officer (Responder) Triage Officer (Manager) Incident Handler (Analyst)
User Role & ResponsibilityDuty Officer Take care of all in-coming requests Carry out periodic or ad hoc activities dedicated to this role
User Role & ResponsibilityTriage Officer Deal with all incident reports that are reported by the duty officer Decide whether it is an incident that is to be handled by the team, when to handle it and who isgoing to be the incident handler according to the triage process. Control and monitor the whole incident.
User Role & ResponsibilityIncident Handler Deals with the incidents and its related investigations Analyzing data, creating workarounds, resolving the incident and communicating clearly about theprogress he has made to his triage officer and constituent(s)
RTIR Basic jectingticketsPriorityResolvingIncidents
RTIR Basic Functionalities (2)CommentThis link puts you in a form where you can enter a comment, just as ifyou had replied to mail from RTIR about a particular ticket. You can Cc:or Bcc: the comment if you wish.ReplyThis link puts you in a similar form to the comment one with two majordifferences:Take You can change the state of the request from the form. The reply is automatically sent to the requestor.Taking a Ticket assigns it to the person who takes it initially when it’s inan open state. Their ID goes into the Owner field. You may only Take aTicket if it is unowned -- if someone else already Owns the Ticket, thenyou have to Steal it from them to gain Ownership.
RTIR Basic Functionalities (3)StealStealing a Ticket re-assigns an already Owned ticket to you, instead of to itscurrent Owner. Useful in cases where the original Owner (as compared toyou) has become overburdened, under informed, fired, reassigned,amnesiac, promoted, or something else.SubjectChange the subject of a ticket. Note that RTIR does not keep track of theformer subject. If you would like it preserved, you are advised to enter acomment saying that you have changed the subject.QueueThis is how you move a ticket from one queue to another. Simply select thedestination queue from the menu and click. You may move a ticket fromany queue you can manipulate into any queue you can create tickets in.
RTIR Basic Functionalities (4)PriorityYou may change the current and/or Final Priority to reflect changes in theTicket's importance in the grand scheme of things.RejectingticketsA number of legitimate incoming messages, are for information only andonce Taken and examined need no further attention. If an Incident ticket isrejected you will have to key in the details about the rejection and submit itto the system. The [Quick Reject] button at the top of the Incident Reportwill change the report’s state to Rejected immediately. Rejected tickets arestill searched for IP address matches, and can be linked to Incidentsalthough they will only be displayed if their state is Open or Resolved.ResolvingIncidentsWhen an Incident requires no further action it can be closed. Children ofIncidents (Incident Reports, Investigations and Blocks) can be individuallyclosed during the lifecycle of an Incident once each has run its course.
RTIR Incident Handling Process Receiving an IncidentValidating the Incident ReportRejecting the TicketChecking Whether the Incident was reported earlierAssigning Incident Report Ticket to the Triage OfficerCreating an Incident TicketIncident priority and classificationLinking to an Existing IncidentReplying to the Incident ReportTriage ProcessCreating an Investigation TicketClosing an Incident TicketReporting
Thank youFor any enquiry forward your email to [email protected]
Incident Report Ticket Incident Ticket Investigation Ticket This ticket reaches to the RTIR system via email/portal messages or is created manually by the responder if its lodged via phone or fax. This ticket is created by the manager after verifying the facts and getting all details from the incident report ticket. This ticket is created by the