Orion Incident Response Live CD

1. Introduction

There are many frameworks for incident handling, including the Computer Security Incident Handling Guide from the National Institute of Standards and Technology (NIST) (Scarfone, Grance, & Masone, 2008), the process described in Incident Response & Computer Forensics (Mandia, Prosise, & Pepe, 2003), and the SANS six-step handling process (Skoudis, 2009). Carnegie Mellon's Software Engineering Institute even provided a study of these and more, along with a framework for creating an incident management process tuned to a specific organization (Alberts, Dorofee, Killcrece, & Zajicek, 2004). Tools for incident handling and response also exist, but responder tool kits are often built by collecting important tools one at a time until the expert incident handler has a custom set. This makes it difficult to bring in less-experienced incident response team members, and it creates challenges for collaboration during the incident as well as for consistent collection and storage of evidence. Some incident response environments do exist, but they primarily focus on the analysis process and do not provide a communication and collaboration framework; nor do they usually provide a workflow-based environment.

In a small incident, experienced handlers will compensate for challenges in communication and collaboration. However, part-time team members or individuals who are new to the incident handling process will find it extremely difficult to operate in a restrictive, need-to-know environment where communication is limited to only trusted channels and where consistent collection and storage of information is critical to the success of the process. Even full-time, experienced responders will find Orion useful for helping to keep efforts focused and consistent as the incident drags on into the wee hours of the night.

The Orion Incident Response system was created to provide a trusted incident response platform: secure communication channels and collaboration tools in a consistent environment that every team member can use.

John Jarocki, john.jarocki@gmail.com
