Cisco releases guides for incident responders handling hacked Cisco gear [zdnet]

Cisco published last week four guides designed to help incident responders in investigating Cisco gear they suspect has been hacked or otherwise compromised.

The guides include step-by-step tutorials on how to extract forensic information from the hacked gear while keeping the data integrity’s intact.

Four guides have been made available, for four of Cisco’s major software platforms:

All guides contain about the same information, namely procedures for collecting platform configuration and runtime state, examining system image hashes for inconsistencies, verifying proper signing characteristics of FTD system and running images, retrieving and verifying the memory text segment, generating and retrieving both crash info and core files, and examining the ROM monitor settings for remote system image loading.

Cisco released the guides on the company’s Tactical Resources portal. Previously, the portal only included guides for checking the firmware/OS integrity of various Cisco gear.

The only major software line for which Cisco did not release an incident response guide is Cisco IOS XR, the software that runs on carrier-grade routers.

For more, click here.