Cisco releases guides for incident responders handling hacked Cisco gear

Forensic investigation guides available for Cisco ASA, IOS, IOS XE, and FTD gear.


Last week, Cisco published four guides designed to help incident responders investigate Cisco gear they suspect has been hacked or otherwise compromised.

The guides include step-by-step tutorials on how to extract forensic information from the hacked gear while keeping the integrity of the collected data intact.

Four guides have been made available, one for each of four of Cisco's major software platforms: Cisco ASA, Cisco IOS, Cisco IOS XE, and Cisco FTD (Firepower Threat Defense).

All four guides cover roughly the same ground: procedures for collecting platform configuration and runtime state, examining system image hashes for inconsistencies, verifying the signing characteristics of FTD system and running images, retrieving and verifying the memory text segment, generating and retrieving both crash info and core files, and examining the ROM monitor settings for remote system image loading.
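As an added illustration of the image-hash check and of keeping collected evidence verifiable (example code written for this article, not taken from Cisco's guides), the script below parses the output format of the IOS `verify /md5` command, compares each image against a known-good hash table, and records a SHA-256 of every collected artifact. The device output and the known-good hashes are constructed sample data, not real Cisco image hashes.

```python
import hashlib
import re

# Constructed sample of what "verify /md5 flash:<image>" prints on IOS;
# the image names and hashes are made up for this example.
VERIFY_OUTPUT = """\
verify /md5 (flash:c2900-universalk9-mz.SPA.155-3.M.bin) = 3f786850e387550fdab836ed7e6dc881
verify /md5 (flash0:/c2900-universalk9-mz.SPA.154-3.M3.bin) = 0f1f0d2c3b4a59687766554433221100
verify /md5 (flash:unexpected-image.bin) = 00112233445566778899aabbccddeeff
"""

# Constructed stand-in for the vendor-published hashes an investigator
# would look up for each exact image file name.
KNOWN_GOOD_MD5 = {
    "c2900-universalk9-mz.SPA.155-3.M.bin": "3F786850E387550FDAB836ED7E6DC881",
    "c2900-universalk9-mz.SPA.154-3.M3.bin": "ffffffffffffffffffffffffffffffff",
}

# Matches "verify /md5 (<fs>:<path>) = <32 hex digits>"; the filesystem
# prefix and a leading slash are optional.
VERIFY_RE = re.compile(r"verify /md5 \((?:\w+:/?)?([^)]+)\) = ([0-9a-fA-F]{32})")


def parse_verify_output(text):
    """Return {image_file_name: md5_from_device} parsed from verify output."""
    return {m.group(1): m.group(2) for m in VERIFY_RE.finditer(text)}


def check_images(observed, known_good):
    """Classify each observed image as 'match', 'mismatch' or 'unknown'.

    'unknown' (no reference hash at all) is flagged separately because an
    image the vendor never published deserves a closer look, not a pass.
    """
    verdicts = {}
    for name, digest in observed.items():
        expected = known_good.get(name)
        if expected is None:
            verdicts[name] = "unknown"
        elif expected.lower() == digest.lower():
            verdicts[name] = "match"
        else:
            verdicts[name] = "mismatch"
    return verdicts


def evidence_record(label, data):
    """Hash a collected artifact (config, core file, text segment) at
    collection time so later alteration of the copy is detectable."""
    return {"label": label, "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}
```

Anything reported as `mismatch` or `unknown` is a lead to pursue with the rest of the guide's checks (signing, text segment, ROM monitor variables), not a conclusion on its own.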

Cisco released the guides on the company's Tactical Resources portal. Previously, the portal only included guides for checking the firmware/OS integrity of various Cisco gear.

The only major software line for which Cisco did not release an incident response guide is Cisco IOS XR, the software that runs on carrier-grade routers.

The security guides might come in handy for a lot of folks, especially since Cisco has recently patched a series of critical security flaws impacting IOS XE routers and its popular line of Small Business 220 Series smart switches, both considered easy to exploit and bound to come under attack.

In similar news, a week before, on August 22, Cisco's Talos security team open-sourced 4CAN, a tool for finding security flaws in on-board car computers.