Incident Response Escalation Guidance

Frequently Asked Questions

Q: I think Iíve been compromised, and it may be a vulnerability. What do I do?

A: Research existing vulnerabilities on the Cisco Security Advisory page, along with collecting relevant informationócode version, platform, etc.óto see if itís a known vulnerability.

Q: I think Iíve been compromised, and Iím not sure if it was a vulnerability or not. What do I do?

A: Use the forensic guides listed on this page, collect pertinent device outputs, and open a Service Request with Cisco TAC. Consider engaging Talos Incident Response whenever there is an active cyber incident. Refer to the Cisco Security Advisory page for the latest vulnerability information.

Q: When is it appropriate to contact Ciscoís Product Security Incident Response Team (PSIRT)?

A: Contact Cisco PSIRT when there is a belief that a product compromise related to a known PSIRT security advisory has happened or there is a suspicion of a new zero-day vulnerability in a Cisco product.

Q: Our organization is recovering from a cyber incident related to Cisco devices. What resources are available?

A: Refer to the appropriate Cisco hardening guides listed on this page for device hardware and software best practices.

Q: How can our organization better prepare for an incident response activity?

A: See Ciscoís What Is an Incident Response Plan for IT? Additionally, there are many freely available resources on the web, such as the SANS Instituteís Incident Handler's Handbook.


Forensic Guides

These documents are meant to be a resource for first-level incident responders who may suspect that a Cisco platform has been tampered with or compromised. They will assist a first responder in triaging the incident and ensuring that all information pertinent to a potential device compromise is collected.

Cisco ASA Forensic Investigation Procedures for First Responders

Cisco Firepower 2100 Series Forensic Investigation Procedures for First Responders

Cisco Firepower Threat Defense Forensic Investigation Procedures for First Responders

Cisco IOS Software Forensic Investigation Procedures for First Responders

Cisco IOS XE Software Forensic Investigation Procedures for First Responders

Cisco IOS XR Software Forensic Investigation Procedures for First Responders


Hardening Guides

These documents contain information that will help users secure Cisco operating systems and devices to increase the overall security of a network.

Cisco TelePresence Hardening Guide

Cisco UCS Hardening Guide

Cisco Guide to Securing Cisco NX-OS Software Devices

Cisco Guide to Harden Cisco IOS XR Devices

Cisco Guide to Harden Cisco IOS Devices


Technical Assistance Center (TAC)

Cisco TAC: https://www.cisco.com/c/en/us/support/index.html

Enterprise and Service Provider Products: 800-553-2447 US/Canada

Small Business Products : 866-606-1866 US/Canada

Cisco TAC Tools & Resources: https://www.cisco.com/c/en/us/support/web/tools-catalog.html


Cisco Services

See the Responding to a Security Incident section of this link for additional incident response resources not listed elsewhere on this page.

Cisco Security Services: https://www.cisco.com/c/en/us/products/security/service-listing.html

Talos Incident Response: https://talosintelligence.com/IR


Blog Links

Cisco Security Blog