The most trusted source for computer security training, certification and research.

Intrusion Detection FAQ: If I suspect a system is compromised what should I do?

More than 90 experienced incident handlers agreed on the following steps:
  • Remain calm; don't hurry.
  • Notify your organization's management.
  • Provide a game plan (with options if possible).
  • Apply need-to-know.
  • Use out-of-band communications; avoid email and other network-based communications channels.
  • Take good notes, good enough to serve as evidence in a court of law.
  • Contain the problem; pull the network cable.
  • Back up the system(s), and collect evidence.
  • Eradicate the problem and get back in business.
  • Lessons learned, apply what you have learned.


Very intense. I have never been to a conference where we received so much information and so much more to learn post-conference.
-Paul Abels, UPS

MGT512 - Skyscraper

Contact us: (301) 654-SANS(7267)
Monday - Friday 9am-8pm EST/EDT