Intrusion Detection FAQ: If I suspect a system is compromised what should I do?

More than 90 experienced incident handlers agreed on the following steps:
  • Remain calm; don't hurry.
  • Notify your organization's management.
  • Provide a game plan (with options if possible).
  • Apply need-to-know.
  • Use out-of-band communications; avoid email and other network-based communications channels.
  • Take good notes, good enough to serve as evidence in a court of law.
  • Contain the problem; pull the network cable.
  • Back up the system(s), and collect evidence.
  • Eradicate the problem and get back in business.
  • Lessons learned, apply what you have learned.


I think this course changed my life.
-James Welcher, LBNL

SANSFIRE 2013 - Washington

Latest Whitepapers

Event Monitoring and Incident Response
By Ryan Boyle

Dead Linux Machines Do Tell Tales
By James Fung

Setting Up a Database Security Logging and Monitoring Program
By Jim Horwath

Latest Tweets

DFIR Webcast starts in 75 minutes - 50 Shades of Hidden - Di [...]
May 17, 2013 - 3:46 PM

New blog post by @yorikv on pen test tips for file analysis. [...]
May 16, 2013 - 5:07 PM

New Blog Post: SANS EU #DFIR Summit in Prague - Call for Spe [...]
May 16, 2013 - 12:33 AM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"As a security professional, this info is foundational to do a competent job, let alone be successful."
- Michael Foster, Providence Health & Security

"The amount of knowledge conveyed and technical diving by practical hands-on was well balanced."
- Aaron Moore, Maricopa County

"Just amazing content and instruction, it's really a 'must do' for any info sec professional."
- Mark Austin, PHH Mortgage