*Report the attack TTPs used in the last 6mo against the organization (Task ID: R2-9610)

*Develop working theories of the attack and look for correlated evidence to support or reject the working theories. (Task ID: R2-9181)

*Document the incident response activities to determine positive and negative results from actions and security controls. These should be the starting point for Lessons Learned discussions and follow-on preparation activities. (Task ID: R2-9202)

*Review known intrustion TTPs and observables to assist in profiling log events and capture event information that may relate to known signatures. (Task ID: R2-9129)

*Understand how phishing attacks can adversely impact web-based management applications. (Task ID: R2-9304)

*Verify log analysis findings through alternate means such as local log storage or affected system state/configuration (Task ID: R2-9119)

*Document process and analysis improvements. (Task ID: R2-9130)

*Define how systems were initially compromised and how the attack progressed and what observables were available for detection and response (Task ID: R2-9634)

*Develop mitigations based on incidents analyzed and recommend improvements in security capabilities or tools as appropriate (Task ID: R2-9633)

*Identify security incidents that require training or awareness for users and security staff (Task ID: R2-9632)

*Implement lessons learned from the analysis of material incidents (Task ID: R2-9635)

*Test the security staff and deployed solutions against scenarios developed from incidents with significant lessons learned (Task ID: R2-9636)

*maintain chain of custody and integrity of log files if to be used by law enforcement at a later date (Task ID: R2-9114)

*Develop a chain of custody and consider forensic images if needed as the investigation progresses (Task ID: R2-9197)