
Orion Incident Response Live CD

take some time to get used to it. As shown in the diagram, new information about a potential incident is entered first as an Incident Report. Once the report has been verified, an Incident is created. This Incident can then lead to one or more Investigations as well as Blocks. A Block is an activity that attempts to stop or slow the attacker's activity; Blocks are essentially containment steps. Investigations can be analysis work, interviews, forensic acquisitions, or any other activity that leads to understanding and resolving the incident. A visual depiction of the relationship between these entities is given in Figure 8: RTIR Workflow.

Figure 8: RTIR Workflow

6.3.1. Using RTIR

The incident responder can use the RTIR web-based interface (http://127.0.0.1/) to log in and perform a variety of actions, such as accepting, annotating, rejecting, and closing incidents.

John Jarocki, john.jarocki@gmail.com
