Skip to content

1.09-Continuous AAR

Continuous AARs Task

Conditions

  • Given a mission to deploy a IR Team in support of Guardnet, State IT systems, or other organization as directed by the Governor
  • Response effort if localized and a Type I / II Federal Disaster Response has not been declared

Standards

Throughout operations, the IR Team should develop AAR containing the following elements:

  • List of Participants
  • Review key actions/event that occurred during mission
  • Analysis of Lessons Learned
  • Remediation plans to prevent this from occurring in the future
  • Discussion of final indicators of compromise to share for detection of potential incidents across the community
  • Staff performance review
  • Corrective actions review
  • Tool utilization review
    This list is not exhaustive. If the IR Team produces it during mission, it should be considered an artifact and turned over to the supported MP.

End State

The IR Team completes continuous AARs. As appropriate, the IR Team engages the mission partner in lessons learned, ways to prevent future incidents, and how to detect an actionable incident.

Notes

This continuous AAR process will improve the Recovery Process and support lessons learned for current and future missions.

Manual Steps

Running Script

Dependencies

Other available tools

References

NIST Cyber Security Framework
NIST SP 800-61r2: Computer Security Incident Handling Guide

Revision History