Q: I think I've been compromised, and it may be a vulnerability. What do I do?
A: Research existing vulnerabilities on the Cisco Security Advisory page, along with collecting relevant information (code version, platform, etc.), to see if it's a known vulnerability.
Q: I think I've been compromised, and I'm not sure if it was a vulnerability or not. What do I do?
A: Use the forensic guides listed on this page, collect pertinent device outputs, and open a Service Request with Cisco TAC. Consider engaging Talos Incident Response whenever there is an active cyber incident. Refer to the Cisco Security Advisory page for the latest vulnerability information.
Q: When is it appropriate to contact Cisco's Product Security Incident Response Team (PSIRT)?
A: Contact Cisco PSIRT when there is a belief that a product compromise related to a known PSIRT security advisory has happened or there is a suspicion of a new zero-day vulnerability in a Cisco product.
Q: Our organization is recovering from a cyber incident related to Cisco devices. What resources are available?
A: Refer to the appropriate Cisco hardening guides listed on this page for device hardware and software best practices.
Q: How can our organization better prepare for an incident response activity?
These documents are meant to be a resource for first-level incident responders who may suspect that a Cisco platform has been tampered with or compromised. They will assist a first responder in triaging the incident and ensuring that all information pertinent to a potential device compromise is collected.