RTIR: RT for Incident Response

RTIR vs RT

What special features do you get from RTIR?

Where RT is a top-of-the-line toolset, RTIR is a product built out of those tools to fulfill the specific needs of CERT teams. RTIR was developed in cooperation with JANET-CERT (JANET is the Education and Research network in the UK). JANET-CERT was interested in RT, but needed additional features to make it optimal for Incident Response. RTIR is the result, now available for all!

Incident Response Workflow

RTIR automatically creates four RT queues for tracking incidents: Incident Reports, Incidents, Investigations and Blocks.

  • Incident Reports is where new reports appear. When a user sends email to the address you set up, RTIR automatically creates an Incident Report, and sets its due date according to your organization's SLA rules. New Incident Reports appear on the RTIR main page, ordered by due date.
  • Once you've verified that a new incident report is valid, you can create a new Incident from it, or link the report to an existing incident. RTIR fills in relevant information from the Incident Report, so there's no need to cut-and-paste. If you receive multiple reports about the same issue, you can link all of these reports to the same parent Incident, to keep them together.
  • Blocks are used to track the blocks placed on the borders of the network. You can create them from an existing incident.
  • From an existing incident, you can launch an Investigation to an outside party, asking them to look into and/or fix the problem. Once again, relevant information from the Incident is filled in when you create the new investigation, so there's no need to cut-and-paste.

The RTIR user interface has a workflow designed specifically for the needs of IRTs, with a custom view for each kind of ticket.

Easy, clickable metadata lookups

RTIR makes relevant pieces of text (such as IP addresses, domain names, and URLs) clickable. Clicking on an IP gives you a whois result, a traceroute, and a list of the other tickets containing that IP. When an Incident is in context, RTIR also turns email addresses into links that let you launch an Investigation to the named party, linked to that Incident.
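The two pieces of machinery behind those clickable lookups are indicator extraction (finding IPs, domains and URLs in free text without false positives) and a cross-ticket index keyed on the IP. The following is an added example modelled on that behaviour; it is not RTIR's own code, the ticket texts are constructed, and the regexes and class names are assumptions for illustration.

```python
"""Indicator extraction plus a cross-ticket IP index (added example, not RTIR code)."""
import ipaddress
import re
from collections import defaultdict

# URLs first, so hostnames inside them are not double-counted as bare domains.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+")
# IPv4 candidate: four dotted groups, not glued to other digits/dots (rejects 1.2.3.4.5).
# A trailing sentence period is allowed, a trailing ".digit" is not.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\d)")
# Bare domain: labels followed by an alphabetic TLD (so dotted quads never match).
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_indicators(text):
    """Return {'ips': [...], 'domains': [...], 'urls': [...]} found in text."""
    urls = [u.rstrip(".,;:)") for u in URL_RE.findall(text)]
    ips = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ips.add(str(ipaddress.ip_address(candidate)))  # rejects 999.1.1.1
        except ValueError:
            pass
    stripped = URL_RE.sub(" ", text)
    domains = {d.lower() for d in DOMAIN_RE.findall(stripped)}
    return {"ips": sorted(ips), "domains": sorted(domains), "urls": urls}


class IndicatorIndex:
    """Maps each IP to the set of ticket ids whose text mentions it."""

    def __init__(self):
        self._by_ip = defaultdict(set)

    def add_ticket(self, ticket_id, text):
        for ip in extract_indicators(text)["ips"]:
            self._by_ip[ip].add(ticket_id)

    def tickets_with_ip(self, ip, exclude=None):
        """Other tickets containing ip; 'exclude' is the ticket you're viewing."""
        key = str(ipaddress.ip_address(ip))  # normalise before lookup
        return sorted(self._by_ip.get(key, set()) - {exclude})


# Constructed sample tickets (ids and text invented for this example).
TICKETS = {
    101: "Scanning from 192.0.2.10 against http://www.example.com/login, see also evil.example.net.",
    102: "Brute force from 192.0.2.10. and 198.51.100.7 over ssh.",
    103: "Phishing kit at https://phish.example.org/x with C2 203.0.113.9",
}


def build_index(tickets):
    index = IndicatorIndex()
    for ticket_id, text in tickets.items():
        index.add_ticket(ticket_id, text)
    return index


if __name__ == "__main__":
    index = build_index(TICKETS)
    for ticket_id, text in TICKETS.items():
        found = extract_indicators(text)
        for ip in found["ips"]:
            print(f"#{ticket_id}: {ip} also in {index.tickets_with_ip(ip, exclude=ticket_id)}")
```

The index is keyed on the normalised form returned by `ipaddress`, so a lookup for a value typed with leading zeros or copied from a different ticket still hits the same entry; extending it to IPv6 only requires widening the candidate regex, since validation already goes through `ipaddress`.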

Scripted action

RTIR offers a Web interface to automate the tasks you do for multiple IPs or email addresses. Why repeat each action by hand when RTIR can do the legwork for you?

You can create templates to serve your needs, and you can pass arguments into templates to customize the messages they produce.

  • Give RTIR a list of email addresses, and the Scripted Action feature will create one Incident per address, create a linked Investigation for each ticket with the address as the correspondent, and send a message to each correspondent based on a template.
  • Give RTIR a list of IP addresses and a WHOIS server that can return appropriate email addresses, and it can look up the addresses and then do all of the above actions. (If the address cannot be determined from the IPs, RTIR creates an unlinked Incident Report with the information, so that a team member can process it by hand.)
  • If you have multiple infected machines, RTIR can look up the contact for each, launch a new Investigation, and link the Investigation to a newly created Incident.
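To make the Incident/Investigation workflow above and the three scripted-action cases concrete, here is an added example that models them offline; it is not RTIR's code and does not talk to an RT server. The in-memory ticket store, the `ABUSE_CONTACTS` table standing in for a WHOIS server, the `$placeholder` template syntax and all function names are assumptions for illustration; only the four queue names come from the page.

```python
"""Offline model of RTIR's Scripted Action (added example, not RTIR code)."""
import ipaddress
from dataclasses import dataclass
from string import Template
from typing import Optional

# Constructed stand-in for a WHOIS server that returns abuse contacts per netblock.
ABUSE_CONTACTS = {
    "192.0.2.0/24": "abuse@example.net",
    "198.51.100.0/24": "abuse@example.org",
}


@dataclass
class Ticket:
    id: int
    queue: str
    subject: str
    correspondent: Optional[str] = None
    body: str = ""
    parent: Optional[int] = None  # Incident this ticket is linked to, if any


class TicketStore:
    """Minimal in-memory replacement for the four RTIR queues."""

    def __init__(self):
        self.tickets = {}
        self._next_id = 1

    def create(self, queue, subject, correspondent=None, body="", parent=None):
        ticket = Ticket(self._next_id, queue, subject, correspondent, body, parent)
        self.tickets[ticket.id] = ticket
        self._next_id += 1
        return ticket

    def in_queue(self, queue):
        return [t for t in self.tickets.values() if t.queue == queue]


def whois_abuse_contact(ip):
    """Return the abuse contact for ip, or None if unknown or not an IP."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, contact in ABUSE_CONTACTS.items():
        if addr in ipaddress.ip_network(net):
            return contact
    return None


def scripted_action(store, targets, template, args=None):
    """For each target (IP or email): one Incident plus one linked Investigation
    to the contact, with the message rendered from template and args.
    Targets whose contact cannot be determined become an unlinked Incident
    Report so a team member can handle them by hand."""
    args = dict(args or {})
    summary = {"incidents": [], "investigations": [], "unresolved": []}
    for target in targets:
        contact = target if "@" in target else whois_abuse_contact(target)
        if contact is None:
            report = store.create(
                "Incident Reports",
                f"No contact found for {target}",
                body=f"Scripted action could not resolve a contact for {target}.",
            )
            summary["unresolved"].append(report.id)
            continue
        incident = store.create("Incidents", f"Abuse involving {target}")
        message = Template(template).safe_substitute(args, target=target, contact=contact)
        investigation = store.create(
            "Investigations",
            f"Please investigate {target}",
            correspondent=contact,
            body=message,
            parent=incident.id,
        )
        summary["incidents"].append(incident.id)
        summary["investigations"].append(investigation.id)
    return summary


if __name__ == "__main__":
    store = TicketStore()
    result = scripted_action(
        store,
        ["192.0.2.10", "203.0.113.5", "user@example.com"],  # constructed input
        "Dear $contact, $target was seen attacking $victim. Please look into it.",
        {"victim": "10.0.0.1"},
    )
    print(result)
    for t in store.tickets.values():
        print(t)
```

Per-target failure handling is the part worth copying: an unresolvable contact must not abort the batch, and it must leave a visible artifact (the unlinked Incident Report) rather than silently dropping the host.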