Skip to content

5.14-Conduct AAR

Conduct After Action Review to support redeployment efforts Task

Conditions

Given an IR Team deployed supporting a designated MP in Cyber Incident Recovery.

Standards

Upon moving into the redeployment Phase, the IR Team should develop an AAR containing the following elements:

  • List of Participants
  • Review key actions/event that occurred during mission
  • Analysis of Lessons Learned
  • Remediation plans to prevent this from occurring in the future
  • Discussion of final indicators of compromise to share for detection of potential incidents across the community
  • Staff performance review
  • Corrective actions review
  • Tool utilization review
  • Process gaps review
  • Documentation gaps review
  • Training review
    This list is not exhaustive. If the IR Team produces it during mission, it should be considered an artifact and turned over to the supported MP.

End State

The IR Team completes a full after action review with MP. The MP contains knowledge from knowing lessons learned, ways to prevent future incidents, and how to detect an actionable incident.

Manual Steps

Running Script

Dependencies

Other available tools

References

NIST Cyber Security Framework
NIST SP 800*61: Computer Security Incident Handling Guide

Revision History