
Cisco is pleased to announce two new document additions to the Firepower Forensic Investigation Procedures for First Responders. These document guides help customers and partners triage Cisco products that are suspected of being compromised. These document guides provide step-by-step instructions for first responders that can be used to assess platform integrity and collect information.

These new document guides are available on the Cisco.com Security Portal under Tactical Resources, Responding to a Security Incident. Below is a summary of the released document guides, along with a brief description of each one.

Assessing the Integrity of Cisco Firepower Management Center

This document guide explains how to assess the integrity of system files using several scripts that ship with FIPS mode. FIPS mode does not need to be enabled to run them. (FIPS mode cannot be turned off once enabled; to take an appliance out of FIPS mode, it must be reimaged.) Over 26,000 files can be assessed by their SHA-256 hash values in just a few minutes. The document guide also contains a procedure to collect several files and process shared memory maps that can be used for further forensic analysis if any system files fail the integrity check.
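As an added illustration of the kind of check described above (example code written here, not Cisco's own script, which the guide documents), the following verifies a tree of files against a known-good SHA-256 manifest in `sha256sum` style and separates altered files from missing ones; the file tree and manifest are constructed inline:

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'sha256sum' output lines ('<hex>  <path>' or '<hex> *<path>')
    into {relative path: lowercase hex digest}; blank lines are skipped."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition(" ")
        manifest[name.lstrip(" *")] = digest.lower()
    return manifest


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every manifest entry against disk; return files needing follow-up."""
    report = {"mismatch": [], "missing": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != expected:
            report["mismatch"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed sample: one intact file, one altered after hashing, one absent."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ok").write_bytes(b"original contents\n")
        (root / "bin" / "changed").write_bytes(b"original contents\n")
        text = (f"{sha256_of(root / 'bin' / 'ok')}  bin/ok\n"
                f"{sha256_of(root / 'bin' / 'changed')} *bin/changed\n"
                f"{'0' * 64}  bin/gone\n")  # placeholder digest, file never created
        (root / "bin" / "changed").write_bytes(b"original contents\n# tampered\n")
        return verify_manifest(root, parse_manifest(text))
```

Any file in the `mismatch` list is the point at which the guide's follow-up collection procedure would apply.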

Cisco Firepower 4100/9300 Series Forensic Investigation Procedures for First Responders

This document provides steps for collecting forensic information from the Cisco Firepower 4100 and 9300 series of appliances running Firepower Threat Defense (FTD) Software when compromise or tampering is suspected.

This document guide contains procedures for collecting platform configuration and run-time state, verifying the integrity of Cisco FTD Software, verifying the digital signing characteristics of Cisco FXOS Software, and enumerating the processes running on chassis mezzanine adapter cards.

Procedures are also included that will assist incident responders in collecting memory .text segments, crashinfo files, core files, and checking ROM monitor boot settings that can be used for further forensic analysis if warranted.




Authors

Dan Maunz

Incident Manager

Applied Security Intelligence