X hits on this document





4 / 47

Orion Incident Response Live CD


2. Inspiration

The idea for Orion started with the realization that incident response teams face a number of challenges that are not typically addressed, except in an ad-hoc fashion:

Some incident responders are more experienced than others. Experienced members of the team often need to delegate tasks to junior members, but do not always have time in the middle of an incident to explain in detail how to perform those tasks. Incident response involves an interesting dichotomy of extremely focused analysis work and a need to maintain a constant communication between responders. This is one reason IR teams often use a “war room” with LCD projectors, whiteboards and flip charts. However, when an incident or team spans distant locations, this high-touch level of communication becomes more difficult. Due partly to a variety of factors (communication issues, working styles, and lack of shared storage), incident response teams often duplicate work or information. Ensuring team members cross-check each others’ work can also be difficult, despite the value, because the teams are often under pressure to produce results as quickly as possible. Incident workflow process, even when it already exists, is easy to forget when the team is working furiously to follow up on leads. Afterwards, this can lead to difficulty retracing steps or putting together the details of the response work. Communication and collaboration between team members is necessary, but can be a distraction when work has to be interrupted while figuring out how to share information.

These and a number of other observations made during a large scale incident led the author to the creation of Orion.

3. Orion Design Goals

Orion has a few simple design goals. These are to provide:

1. Standard incident response workflow

John Jarocki, john.jarocki@gmail.com

Document info
Document views173
Page views174
Page last viewedWed Jan 18 16:13:17 UTC 2017