Cisco releases guides for incident responders handling hacked Cisco gear [zdnet]

Cisco published last week four guides designed to help incident responders in investigating Cisco gear they suspect has been hacked or otherwise compromised.

The guides include step-by-step tutorials on how to extract forensic information from the hacked gear while keeping the data integrity’s intact.

Four guides have been made available, for four of Cisco’s major software platforms:

• Cisco ASA (Adaptive Security Appliance) — software running on security devices that combine firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities.
• Cisco IOS (Internetwork Operating System) — a proprietary OS running on most Cisco switches and routers.
• Cisco IOS XE — a Linux-based OS running on Cisco switches and routers.
• Cisco FTD (Firepower Threat Defense) — software combining Cisco’s ASA and Firepower technology. Deployed on Cisco’s firewall hardware.

All guides contain about the same information, namely procedures for collecting platform configuration and runtime state, examining system image hashes for inconsistencies, verifying proper signing characteristics of FTD system and running images, retrieving and verifying the memory text segment, generating and retrieving both crash info and core files, and examining the ROM monitor settings for remote system image loading.

Cisco released the guides on the company’s Tactical Resources portal. Previously, the portal only included guides for checking the firmware/OS integrity of various Cisco gear.

The only major software line for which Cisco did not release an incident response guide is Cisco IOS XR, the software that runs on carrier-grade routers.

For more, click here.