How to Use an After-Action Report – Including Template

An After-Action Report (AAR) is a detailed analysis performed following a cyber security incident that provides insights into how the event was handled. After-action reports can also follow a cybersecurity exercise, either to test an Incident Response Plans (IRP) or to provide a baseline on which to create one.

Click here to see a template of an After-Action Report.

Main Components of an After Action Report

An after-action report has five main components: an introduction, scope, objectives, scenario, and findings & recommendations.

Introduction

The introduction should convey a general overview of the exercise that was conducted, including the duration of the exercise and the date it was completed. This section should also detail the specific plan or policy that was being tested with the exercise and a list of the participating departments and individuals.

Scope

The purpose of this section is to define the scale in which the cybersecurity exercise operated at and the level in which the organization’s incident response is being tested. The scope can vary depending on the aim of the exercise. Many organizations will conduct multiple exercises a year aimed at a testing different levels of participants. For example, the scope might include IT participants only, leadership only, whole organization, or even interagency responses.

Objectives

The objective section of the AAR should list the specific pieces of the IRP the exercise is aiming to test. In most cases, table-top cybersecurity exercises or war room exercises are testing a specific catastrophic scenario, to which technical staff and leadership across the organization might have to respond. For example, one objective might be “to test the IT Operations team’s ability to recover systems within an acceptable threshold of downtime and data loss”.

The acceptable threshold of downtime and data loss will vary from industry to industry. In some industries, such as healthcare applications, the acceptable downtime may be within an hour with zero data loss, whereas for others it may be half a day. The threshold should be defined by the organization’s leadership prior to the exercise and tested during it.

Scenario

In this section of the report, the scenario given for the exercise should be explained fully, including the timeline of the exercise. This section should include the date, location, and breakdown of activities that occurred for the duration of the exercise. A detailed scenario should target the aspect of the business that aligns with the objectives of the exercise.

Findings & Recommendations

Findings and recommendations should be put together from several sources, as outlined at the beginning of this section. Those sources could include technical participants in the exercise, administrative participants in the exercise, observers of the exercise, or moderators of the exercise. Having different perspectives on the events as they unfolded in the exercise will provide the most comprehensive look into the organization’s performance.

The format of the final two sections in an after-action report should follow an ABAB configuration. Initially, the General Findings should be shared. These ‘General Findings’ should include things such as ‘team X did a great job identifying Y’, ‘system X was instrumental in providing real-time data’, or ‘the use of tool X proved to be valuable’. The General Findings area should be used to describe who was surveyed following the exercise and how their perspectives were gathered.

Following the General Findings should be Specific Findings, with Recommendations after each finding to improve the organization’s response to those specific issues if faced again. For example:

Specific Finding: Production SQL server ABC at site 1 is keeping all backups on a fileserver XYZ  also at site 1 which was found to be a vulnerability if site 1 is attacked.

Recommendation: Keep incremental backups on fileserver XYZ but move a daily backup to another server at site 2.

Conducting a Cyber Security Tabletop Exercise

As mentioned, after-action reports follow exercises that test or help design an organization’s incident response plan. To conduct a tabletop exercise at your organization there are many resources available that provide customizable scenarios, worksheets, and discussion questions. One free solution is the CISA Tabletop Exercise Packages (CTEPs) available at CISA’s official website. These resources, and others like it, help to design an exercise that will fit the industry and size of most organizations.

After finding a tabletop exercise that fits the goals of your organization, it is important to shape the objectives of the exercise to fit the needs of the IRP that is being tested. Most industries have a unique set of needs and priorities, employing industry-specific tools to get the job done. Make sure that your IRP, exercise, and AAR all reflect the unique challenges that are presented to both your industry and your organization.

Developing an Incident Response Plan (IRP)

If your organization does not already have an incident response plan, its time to make one. These plans help prepare technical, non-technical, and leadership within the organization to follow a procedure during an IT crisis rather than go with gut instinct. Incident response plans should include immediate procedures for business continuity allowing for core systems to be brought back online as soon as possible, as well as less immediate procedures that will help return to normal business operation. Both aspects are important for contingency planning, and along with key contacts and systems in use, constitute an incident response plan.

Making Use of an After Action Report

Incident Response Plans, tabletop exercises, and After Action Reports all work together to ensure business continuity and preparedness in the face of an IT catastrophe. If there is already an IRP in place at your organization but it hasn’t been tested recently or at all, it’s a good time to perform an exercise and generate an AAR – click here for a free template. You may find that your IRP is inadequate for the staff or technology in use currently and needs updating.

For more on the differences between business continuity and disaster recovery see Business Continuity vs Disaster Recovery: Know the Difference.

References

Cybersecurity & Infrastructure Security Agency. (n.d.). CISA Tabletop Exercise Packages. Retrieved from Cybersecurity & Infrastructure Security Agency: https://www.cisa.gov/cisa-tabletop-exercise-packages

Grance, T., Nolan, T., Burke, K., Dudley, R., White, G., & Good, T. (2006, September). Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities: Recommendations of the National Institute of Standards and Technology. Retrieved from National Institute of Standards and Technology: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf

National Institute of Standards and Technology. (2022). Computer Science Resource Center: After Action Report. Retrieved from National Institute of Standards and Technology: https://csrc.nist.gov/glossary/term/After_Action_Report

About the Author

Find Michael on LinkedIn

Michael A. Flowers Sr.

Michael A. Flowers Sr. is a Systems Engineer with 10+ years of experience administering and securing enterprise networks. He has extensive experience with Infosec systems across multiple professional industries including hospitality, entertainment, international affairs, transportation, and healthcare.

Leave a Comment