Unauthorized Access: Examining Log Files to Identify the Attack
Question
A security engineer is reviewing log files after a third party discovered usernames and passwords for the organization's accounts.
The engineer sees there was a change in the IP address for a vendor website one week earlier.
This change lasted eight hours.
Which of the following attacks was MOST likely used?
A.
Man-in-the-middle B.
Spear phishing C.
Evil twin D.
DNS poisoning.
D.
Explanations
A security engineer is reviewing log files after a third party discovered usernames and passwords for the organization's accounts.
The engineer sees there was a change in the IP address for a vendor website one week earlier.
This change lasted eight hours.
Which of the following attacks was MOST likely used?
A.
Man-in-the-middle
B.
Spear phishing
C.
Evil twin
D.
DNS poisoning.
D.
Based on the scenario provided, the security engineer is reviewing log files after a third party discovered usernames and passwords for the organization's accounts. This implies that an unauthorized entity may have obtained access to the organization's network, possibly through a form of attack. The security engineer noticed a change in the IP address for a vendor website that occurred a week earlier and lasted eight hours.
The change in the IP address for the vendor website is a red flag. It is a clear indication that something is amiss since vendor websites usually have static IP addresses that do not change often. It suggests that the organization's DNS server may have been compromised or that an attacker may have carried out a DNS poisoning attack to redirect traffic to a different IP address.
DNS poisoning, also known as DNS spoofing, is an attack in which an attacker modifies the DNS records of a domain name to point to a different IP address. The attacker can then redirect traffic meant for the original website to a malicious website that they control. The attacker can then use the malicious website to steal sensitive information such as usernames and passwords or carry out other attacks.
Based on the information provided, the attack that was most likely used is DNS poisoning. This is because there was a change in the IP address for a vendor website that lasted for eight hours. DNS poisoning can also be used to carry out man-in-the-middle attacks, but the scenario does not provide enough information to conclude that this was the case. Spear phishing and evil twin attacks do not involve changing the IP address of a website, making them less likely in this scenario.
