If a rogue appears to be malicious, carefully review its traffic history to identify all system and data that may have been compromised. To facilitate this, put any suspicious device on a "watch list" to record traffic in greater detail during investigation. To learn an attacker's identity, some organizations even create "honeypots"