Appendix C. Incident Response

Your router has been hacked. Now what? This chapter covers the basics of emergency response when dealing with a router compromise. Ideally, you should have an incident response plan that is tailored to your organization. If you are reading this chapter because you have just been hacked and don’t know what to do, first promise that as soon as this incident is over, you will develop a complete incident response plan. Then keep reading for help on responding to incidents involving router compromises.

The goals of incident response are to:

  • Determine if the incident is an attack or an accident

  • Discover what happened and the scope of the incident

  • Preserve all the evidence

  • Recover from the incident

  • Take the steps necessary to prevent this incident from happening again


If you do not have a detailed incident response plan in place and you have been hacked, it is best to do nothing yourself and to call law enforcement. They are trained to preserve the evidence and investigate the incident and can track down attackers through means you don’t have access to. Therefore, the first recommendation is to do nothing and call law enforcement.

However, many attacks may look like accidental outages (and vice versa). The following information is provided for those who are still trying to determine if an incident is due to a hacker or an accident or for those who must get the compromised router operational as soon as possible. So please read this entire chapter—especially ...

Get Hardening Cisco Routers now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.