Automating Metrics using RTIR REST API
Metrics are an important part of incident response. You should know your average time to detect compromised systems and how successful phishing campaigns are against your users. To start producing useful metrics, you first need to choose a taxonomy. In this example, we will be using the VERIS(1) taxonomy. It is well documented and allows you to compare your numbers against the DBIR report.
One of the problems with metrics is the amount of time it takes to enter data and correlate it. While it may take less than 5 minutes to determine how many people responded to a phish, it may take up to 20 minutes to create the tickets in your tracking system. To greatly increase your efficiency and accuracy, scripting should be used.
RTIR(2) is an open source ticketing system for incident response based on Request Tracker. This system can be built based on the VERIS taxonomy by creating custom fields that match the categories. This system supports using a REST API(3) to automate the creation of tickets.
We need to create the following custom fields for our use case. Some of these will have static values and others will need to be entered as command-line arguments.
hacking.discovery_method, hacking.targeted, impact.security_incident, social.variety, social.vector, social.target, confidentiality.data.variety, misuse.variety
Additionally, we want to track other stats that aren't used in VERIS, but are very useful for tracking campaigns.
victim-username, ioc.attacker.ip, ioc.attacker.domain
Now that we have the basic breakdown of which fields we want to enter data into, we need to script it(4). Make sure you put your credentials into the script along with the IP address or DNS name of your RTIR server. The two main parts that you can adjust to fit any incident type are the command-line arguments and the post_data. The ticket is created and then closed when the script completes.
To run this script as posted, do the following:
>rt-phishing.py --username bob --ip 127.0.0.1 --domain malware.bad --creator twebb --time 5
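The following is an added example, not the rt-phishing.py script linked from the diary, showing the REST 1.0 bodies that such a script has to produce: a ticket/new body carrying the VERIS custom fields above, parsing of RT's "# Ticket N created." reply, and the ticket/N/edit body that resolves it. It assumes a queue named Incidents, the static VERIS values shown, and that the RT credentials are supplied in the RT_USER and RT_PASS environment variables rather than embedded in the script.

```python
import os
import re
import urllib.parse
import urllib.request

# Static VERIS values for a phishing ticket; names are the diary's custom fields, values are assumed.
STATIC_FIELDS = {
    "impact.security_incident": "Confirmed",
    "social.variety": "Phishing",
    "social.vector": "Email",
    "social.target": "End-user",
    "hacking.targeted": "Opportunistic",
    "hacking.discovery_method": "Int - reported by user",
}

def ticket_content(queue, subject, fields, time_worked=0):
    """Serialise a ticket/new body in RT REST 1.0 'Key: value' form, one field per line."""
    lines = ["id: ticket/new", f"Queue: {queue}", f"Subject: {subject}", f"TimeWorked: {time_worked}"]
    for name, value in fields.items():
        lines.append(f"CF.{{{name}}}: {' '.join(str(value).splitlines())}")
    return "\n".join(lines) + "\n"

def phishing_ticket(username, attacker_ip, attacker_domain, minutes):
    """Merge the static VERIS values with the per-incident command-line data."""
    fields = dict(STATIC_FIELDS, **{"victim-username": username, "ioc.attacker.ip": attacker_ip,
                                    "ioc.attacker.domain": attacker_domain})
    return ticket_content("Incidents", f"Phishing: {attacker_domain}", fields, minutes)

_CREATED = re.compile(r"^# Ticket (\d+) created", re.M)

def parse_ticket_id(reply):
    """Pull the ticket number out of RT's '# Ticket N created.' reply; fail loudly otherwise."""
    m = _CREATED.search(reply)
    if not m:
        raise RuntimeError(f"RT did not create a ticket: {reply.strip()}")
    return int(m.group(1))

def rt_post(base_url, path, content):
    """POST one REST 1.0 request; credentials are read from the environment, not stored in the script."""
    form = {"user": os.environ["RT_USER"], "pass": os.environ["RT_PASS"], "content": content}
    req = urllib.request.Request(f"{base_url}/REST/1.0/{path}", data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")

def create_and_close(base_url, username, attacker_ip, attacker_domain, minutes):
    """Create the ticket, then resolve it once the metrics are recorded, as the diary's script does."""
    body = phishing_ticket(username, attacker_ip, attacker_domain, minutes)
    ticket = parse_ticket_id(rt_post(base_url, "ticket/new", body))
    rt_post(base_url, f"ticket/{ticket}/edit", "Status: resolved\n")
    return ticket
```

Calling create_and_close("https://rtir.example.internal", "bob", "127.0.0.1", "malware.bad", 5) reproduces the command line above; the URL is a placeholder for your own server.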
While metrics are important, they shouldn’t be demanding to create. Anything that your SOC does that doesn’t require lots of documentation should be easily scripted.
1. http://veriscommunity.net/enums.html#section-incident_desc
2. https://www.bestpractical.com/rtir/
3. http://requesttracker.wikia.com/wiki/REST
4. https://github.com/tcw3bb/ISC_Posts/blob/master/RTIR-phish-template.py
--
Tom Webb