IncidentResponsev2

Continuous AARs Task

Conditions

• IR Team deployed in support of Guardnet or State IT systems

Standards

Develop After Action Reviews (AARs) covering:

• List of Participants
• Review of key actions and events
• Lessons Learned analysis
• Remediation plans
• Indicators of Compromise (IOC) sharing
• Staff performance review
• Corrective actions
• Tool utilization review

Procedural Steps (Checklist)

List of Participants

• Document all IR team members and key stakeholders.
• Include mission partner contacts.

Review Key Actions/Events

• Capture timeline of major actions.
• Note decisions and outcomes.
• Use mission log as reference.

Analyze Lessons Learned

• Identify what went well.
• Highlight what didn’t work and why.
• Document suggested improvements.

Develop Remediation Plans

• Assign action items to responsible parties.
• Set target dates for completion.
• Track and verify completion post-incident.

Share Indicators of Compromise (IOCs)

• Extract IOCs from forensic data.
• Format for sharing (STIX, plain text).
• Provide to mission partner and ISAC.

Example IOC Sharing Format:

IOC Type: IP Address
Value: 203.0.113.45
Observed: 2025-05-01
Description: C2 Server

Review Staff Performance

• Collect team feedback.
• Note outstanding contributions or gaps.
• Recommend training or recognition.

Review Corrective Actions and Tool Utilization

• Document tool performance and issues.
• Recommend upgrades or replacements.
• Adjust playbooks based on tool success/failures.

References

• NIST Cyber Security Framework
• NIST SP 800-61r2

Revision History

Date	Version	Description	Author
2025-05-02	1.0	Fully expanded checklist and IOC sharing process	Leo