
After Action Activities

Continually Improving Enterprise Resilience

The Big Idea

By performing After Action Activities, an organization can review the details of an incident, identify shortfalls in its security architecture, and determine where and how to enhance resilience capabilities.

Cyber Resiliency Goals & Objectives

After Action Activities support the cyber resilience Evolve goal and the Transform and Re-Architect objectives.

Design Principles

Once an organization has discovered the extent of an incident, the design principles for After Action Activities help improve the enterprise's capability to detect, respond to, and recover from the impact of that incident. They do so by providing information on the adversary's actions and the vulnerabilities exploited, together with recommendations and prevention strategies that improve the organization's response.

What Can Be Done Now

The following resiliency techniques can help transform business processes and redesign systems to use existing technologies more effectively:

The Right People & Policies

Creating a foundation of resiliency requires specific skills and policies, including:

Cyber Attack Lifecycle

Using the cyber resiliency technique Analytic Monitoring, as described above, defenders can detect and analyze the adversary's efforts to maintain a presence in the enterprise. The adversary's efforts to control initial victims, execute the attack plan, and maintain a presence in the enterprise may be degraded or even negated by the defender's ability to implement Adaptive Response, Coordinated Defense, and Realignment.

Synergies & Barriers

Synergies exist between the techniques discussed in this document. Analytic Monitoring relies on good Coordinated Defense. Analytic Monitoring can also be improved by having diverse sensors (both in the type of sensor and in what is being sensed). Likewise, Adaptive Response relies on good Analytic Monitoring, while Coordinated Defense relies on both Adaptive Response and Realignment.

Barriers to adoption include:

Just Ahead

Attackers are constantly advancing their tactics to stay ahead of defenders. Organizations need to collaborate and tap into public and private channels to stay up to date on these new technologies and threat tactics. After action analysis is critical to this effort and can give defenders the edge they need to achieve and sustain cyber resiliency. As adversaries continue to evolve their tactics, the notion of "after the incident" becomes more problematic, and the need to incorporate continuous evolution and resiliency enhancement becomes more critical. Thus, the traditional, static "after action report" may become more of a snapshot in time and give way to continual analysis and reporting.

See Key Concepts and Terms for definitions
