Q: I think I’ve been compromised, and it may be a vulnerability. What do I do?
A: Collect the relevant details about the affected device (software version, platform, and so on) and check the Cisco Security Advisory page to determine whether the behavior you are seeing matches a published, known vulnerability. Whether or not you find a match, preserve the device outputs described in the forensic guides on this page before making changes, since evidence of a compromise is easily lost once a device is reloaded or upgraded.
Q: I think I’ve been compromised, and I’m not sure if it was a vulnerability or not. What do I do?
A: Use the forensic guides listed on this page, collect pertinent device outputs, and open a Service Request with Cisco TAC. Consider engaging Talos Incident Response whenever there is an active cyber incident. Refer to the Cisco Security Advisory page for the latest vulnerability information.
Q: When is it appropriate to contact Cisco’s Product Security Incident Response Team (PSIRT)?
A: Contact Cisco PSIRT when you believe a product has been compromised through a vulnerability covered by a published Cisco security advisory, or when you suspect a new, previously unknown (zero-day) vulnerability in a Cisco product.
Q: Our organization is recovering from a cyber incident related to Cisco devices. What resources are available?
A: Refer to the Cisco hardening guides listed on this page for device hardware and software best practices to apply when rebuilding or re-hardening the affected devices.
Q: How can our organization better prepare for an incident response activity?
A: See Cisco’s What Is an Incident Response Plan for IT? Additionally, there are many freely available resources on the web, such as the SANS Institute’s Incident Handler's Handbook.
These documents are meant to be a resource for first-level incident responders who may suspect that a Cisco platform has been tampered with or compromised. They will assist a first responder in triaging the incident and ensuring that all information pertinent to a potential device compromise is collected.
Assessing the Integrity of Cisco Firepower Management Center Software
Cisco ASA Forensic Investigation Procedures for First Responders
Cisco Firepower 2100 Series Forensic Data Collection Procedures
Cisco Firepower 4100 Series and 9300 Series Appliances Forensic Data Collection Procedures
Cisco Firepower Threat Defense Forensic Data Collection Procedures
Cisco IOS Access Point Software Forensic Data Collection Procedures
Cisco IOS Software Forensic Data Collection Procedures
Cisco IOS XE Software Forensic Data Collection Procedures
Cisco IOS XR Software Forensic Data Collection Procedures
Cisco NX-OS Software Forensic Data Collection Procedures
These documents contain information that will help users secure Cisco operating systems and devices to increase the overall security of a network.
Cisco TelePresence Hardening Guide
Cisco Guide to Securing Cisco NX-OS Software Devices
Cisco Guide to Harden Cisco IOS Devices
Cisco TAC: https://www.cisco.com/c/en/us/support/index.html
Enterprise and Service Provider Products: 800-553-2447 US/Canada
Small Business Products: 866-606-1866 US/Canada
Cisco TAC Tools & Resources: https://www.cisco.com/c/en/us/support/web/tools-catalog.html
See the Responding to a Security Incident section of that page for additional incident response resources not listed elsewhere on this page.
Cisco Security Services: https://www.cisco.com/c/en/us/products/security/service-listing.html
Talos Incident Response: https://talosintelligence.com/IR