I manage an office intranet with around 600 computers, and we've encountered a serious issue. An attacker managed to spoof an IP address and steal superuser credentials. They then accessed the system from potentially a different computer and altered a scheduled workday, making it appear as a holiday. For example, they made Monday show as a holiday when it was actually a workday. I'm really worried about how to trace this attacker since they used a different IP and user credentials. I'm the owner of the PC that was spoofed, and it seems like the DHCP server isn't showing any info according to our Network Admin. Any insights on how we can proceed to identify the attacker would be greatly appreciated. 🙁
4 Answers
You could try a more old-school approach. Imagine a room with two detectives and a bright light shining down on a line of 600 users! Question each one until someone cracks under pressure. Seriously though, the investigation will take time, so be patient and thorough.
First things first, you should reach out to your InfoSec team. They can help you investigate further. It might also be a good idea to engage your business continuity plan if you have one. Getting professionals involved can save you a lot of headaches later on.
While it’s tempting to crowdsource solutions, your IT team is the best resource for tackling this kind of issue. Don't just ask random people for advice; collaborate with those who have the access and expertise.
Consider implementing mass password changes from a secure system. Also, take everything offline temporarily and bring users back one at a time to keep a close watch. This way, you can ensure manual oversight and hopefully catch anything suspicious.
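One concrete way to start the trace the question asks about, added here as an illustration and not taken from the question or any of the answers: since the DHCP server reportedly has nothing, correlate the privileged logins in the authentication log with periodic ARP or switch MAC-address-table snapshots instead. A login from the owner's IP address at a moment when that address was answered by a different hardware address (on a different switch port) is the spoofing window, and the port is where the physical investigation starts. All log lines, field names, addresses, MACs and port names below are constructed for the example; it assumes such snapshots were actually being collected before the incident, which is not a given.

```python
"""Flag privileged logins whose source IP was, at that moment, bound to a MAC
address other than the one registered to the IP's owner.

Constructed sample data: two key=value logs (auth events and ARP / MAC-table
snapshots) and a one-entry asset inventory. Field names are assumptions."""
from bisect import bisect_right
from datetime import datetime

# Constructed authentication log: timestamp, then key=value fields.
AUTH_LOG = """\
2024-05-13T08:01:12 user=root src=10.20.30.44 result=success
2024-05-13T08:15:40 user=jsmith src=10.20.30.44 result=success
2024-05-13T12:42:03 user=root src=10.20.30.44 result=success
2024-05-13T12:43:50 user=root src=10.20.30.44 action=calendar.update day=2024-05-13 type=holiday
"""

# Constructed ARP / MAC-table snapshots taken every few minutes on the switches.
ARP_LOG = """\
2024-05-13T08:00:00 ip=10.20.30.44 mac=aa:bb:cc:00:11:22 port=sw1/Gi1/0/7
2024-05-13T12:00:00 ip=10.20.30.44 mac=aa:bb:cc:00:11:22 port=sw1/Gi1/0/7
2024-05-13T12:40:00 ip=10.20.30.44 mac=de:ad:be:ef:99:01 port=sw2/Gi1/0/23
2024-05-13T13:00:00 ip=10.20.30.44 mac=aa:bb:cc:00:11:22 port=sw1/Gi1/0/7
"""

# Constructed asset inventory: the MAC that legitimately owns each address.
OWNER_MAC = {"10.20.30.44": "aa:bb:cc:00:11:22"}
PRIVILEGED = {"root"}


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into (datetime, dict)."""
    ts_str, *fields = line.split()
    return datetime.fromisoformat(ts_str), dict(f.split("=", 1) for f in fields)


def build_arp_index(arp_text):
    """ip -> list of (time, mac, port), sorted by time for bisecting."""
    index = {}
    for line in arp_text.splitlines():
        if not line.strip():
            continue
        ts, kv = parse_line(line)
        index.setdefault(kv["ip"], []).append((ts, kv["mac"], kv["port"]))
    for entries in index.values():
        entries.sort(key=lambda e: e[0])
    return index


def mac_at(index, ip, ts):
    """Most recent snapshot of `ip` at or before `ts`; (None, None) if none."""
    entries = index.get(ip, [])
    i = bisect_right([e[0] for e in entries], ts)
    if i == 0:
        return None, None
    _, mac, port = entries[i - 1]
    return mac, port


def find_suspicious_logins(auth_text, arp_text, owner_mac, privileged):
    """Return privileged auth events whose source IP did not resolve to the
    owner's MAC at login time (or had no snapshot covering the login)."""
    index = build_arp_index(arp_text)
    hits = []
    for line in auth_text.splitlines():
        if not line.strip():
            continue
        ts, kv = parse_line(line)
        user, ip = kv.get("user"), kv.get("src")
        if user not in privileged:
            continue
        mac, port = mac_at(index, ip, ts)
        expected = owner_mac.get(ip)
        if mac is None or mac != expected:
            hits.append({
                "time": ts.isoformat(), "user": user, "ip": ip,
                "seen_mac": mac, "expected_mac": expected, "port": port,
                "reason": "no snapshot covering login" if mac is None else "mac mismatch",
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(AUTH_LOG, ARP_LOG, OWNER_MAC, PRIVILEGED):
        print(hit)
```

The snapshot interval bounds how precisely the spoofing window can be placed: a login between two snapshots is attributed to the earlier one, so a short-lived spoof between snapshots is missed entirely, which is why a login with no covering snapshot is reported rather than silently treated as clean. The same correlation works against DHCP lease logs when they do exist; the ARP/MAC-table source is used here only because the question says the DHCP server shows nothing.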
