
SANS ISC InfoSec Handlers Diary Blog



Automating Metrics using RTIR REST API

Published: 2015-08-29
Last Updated: 2015-08-29 02:21:40 UTC
by Tom Webb (Version: 1)

Metrics are an important part of incident response. You should know your average time to detect compromised systems and how successful phishing campaigns are against your users. To build useful metrics, you first need to choose a taxonomy. In this example, we will be using the VERIS(1) taxonomy. It is well documented and allows you to compare yourself to the DBIR.

One of the problems with metrics is the amount of time it takes to enter data and correlate it. While it may take less than 5 minutes to determine how many people responded to a phish, it may take up to 20 minutes to create the tickets in your tracking system. To greatly increase your efficiency and accuracy, scripting should be used.

RTIR(2) is an open source ticketing system for incident response based on Request Tracker. It can be set up around the VERIS taxonomy by creating custom fields that match the categories, and it supports a REST API(3) for automating the creation of tickets.

We need to create the following custom fields for our use case. Some of these will have static values and others will need to be entered as command-line arguments.

hacking.discovery_method, hacking.targeted, impact.security_incident, social.variety, social.vector, social.target, confidentiality.data.variety, misuse.variety

Additionally, we want to track other stats that aren't used in VERIS, but are very useful for tracking campaigns.

victim-username, ioc.attacker.ip, ioc.attacker.domain

Now that we have the basic breakdown of the fields we want to populate, we need to script it (4). Make sure you put your credentials into the script, along with the IP address or DNS name of your server. The two main parts that you can adjust to fit any incident type are the arguments and the post_data. The ticket will be created and closed when the script is complete.

To run this script as posted, do the following:

>rt-phishing.py --username bob --ip 127.0.0.1 --domain malware.bad --creator twebb --time 5
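
As an added illustration (this is not the linked script (4)), the sketch below turns the same command-line arguments into the line-oriented form that the RT REST 1.0 interface accepts at /REST/1.0/ticket/new. It rejects line breaks in values, since an IOC copied from a phishing mail could otherwise add its own "Field:" line to the ticket. The queue name, the static VERIS values, the mapping of --creator and --time, and the RT_URL, RT_USER and RT_PASS environment variables are assumptions, and closing the ticket is not shown.

```python
import argparse, os, urllib.parse, urllib.request

# Static VERIS values for a phishing ticket (assumed for this example).
STATIC_FIELDS = {
    "social.variety": "Phishing",
    "social.vector": "Email",
    "impact.security_incident": "Confirmed",
}

def parse_args(argv=None):
    p = argparse.ArgumentParser(description="Create an RTIR phishing ticket")
    for flag in ("username", "ip", "domain", "creator", "time"):
        p.add_argument("--" + flag, required=True)
    return p.parse_args(argv)

def build_content(args, queue="Incidents"):
    """Return the REST 1.0 'content' form: one 'Field: value' per line."""
    fields = {
        "id": "ticket/new",
        "Queue": queue,                     # assumed queue name
        "Subject": "Phishing response: " + args.username,
        "Requestor": args.creator,          # assumed mapping for --creator
        "TimeWorked": str(int(args.time)),  # assumed mapping for --time (minutes)
    }
    fields.update({"CF-" + k: v for k, v in STATIC_FIELDS.items()})
    fields["CF-victim-username"] = args.username
    fields["CF-ioc.attacker.ip"] = args.ip
    fields["CF-ioc.attacker.domain"] = args.domain
    for name, value in fields.items():
        # A line break in a value would start a new 'Field:' line in the form.
        if "\n" in value or "\r" in value:
            raise ValueError("line break in value for " + name)
    return "\n".join(f"{k}: {v}" for k, v in fields.items()) + "\n"

def submit(base_url, content):
    """POST the form; credentials come from the environment (assumed names)."""
    body = urllib.parse.urlencode({
        "user": os.environ["RT_USER"], "pass": os.environ["RT_PASS"],
        "content": content}).encode()
    with urllib.request.urlopen(base_url + "/REST/1.0/ticket/new", body) as r:
        return r.read().decode()

if __name__ == "__main__":
    print(submit(os.environ["RT_URL"], build_content(parse_args())))
```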

 

While metrics are important, they shouldn’t be demanding to create. Anything that your SOC does that doesn’t require lots of documentation should be easily scripted.


 

1. http://veriscommunity.net/enums.html#section-incident_desc

2. https://www.bestpractical.com/rtir/

3. http://requesttracker.wikia.com/wiki/REST

4. https://github.com/tcw3bb/ISC_Posts/blob/master/RTIR-phish-template.py

--

Tom Webb

Keywords: Metrics REST RTIR