Intrusion Detection FAQ: If I suspect a system is compromised what should I do?

More than 90 experienced incident handlers agreed on the following steps:
  • Remain calm; don't hurry.
  • Notify your organization's management.
  • Provide a game plan (with options if possible).
  • Apply need-to-know.
  • Use out-of-band communications; avoid email and other network-based communications channels.
  • Take good notes, good enough to serve as evidence in a court of law.
  • Contain the problem; pull the network cable.
  • Back up the system(s), and collect evidence.
  • Eradicate the problem and get back in business.
  • Hold a lessons-learned review and apply what you have learned.
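The note-taking and evidence steps above are where most handlers lose ground later: an artifact that cannot be shown to be unchanged since collection is weak evidence. The following is an added example (not part of the SANS FAQ) of a minimal custody log: one hashed, timestamped entry per collected artifact, plus a re-check that flags anything modified afterwards. It assumes a POSIX shell with `sha256sum` and that the artifacts have already been copied into a directory.

```shell
#!/bin/sh
# Added example, not from the FAQ. Assumes sha256sum is available and that
# evidence files were already collected into the directory passed as $1.

# Append one custody-log line per artifact:
#   UTC timestamp <TAB> handler name <TAB> sha256 <TAB> path
log_evidence() {
    evidence_dir="$1"; handler="$2"; custody_log="$3"
    for f in "$evidence_dir"/*; do
        [ -f "$f" ] || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s\t%s\t%s\t%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$handler" "$sum" "$f" >> "$custody_log"
    done
}

# Re-hash every logged artifact; report mismatches and return non-zero
# if any artifact no longer matches the hash recorded at collection time.
verify_evidence() {
    custody_log="$1"; bad=0
    while IFS="$(printf '\t')" read -r ts handler sum path; do
        cur=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "MODIFIED since $ts (logged by $handler): $path"
            bad=1
        fi
    done < "$custody_log"
    return $bad
}
```

Keep the custody log itself on write-once or offline media; a hash list stored next to the artifacts it protects proves nothing if both can be altered together.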