DHCP Logs Analysis: DNS Multiple IPs

Example – DNS “Multiple IPs”
Nisco Food and Beverage reported that four of their servers had been compromised by an internal individual. However, each of the servers appears to have been attacked from a different IP address. The company's network assigns client addresses from a DHCP server.

How would you be able to determine how many users initiated this attack?

Jun 20 07:05:15 dhcp1 dhcpd: DHCPACK on 66.121.9.155 to 00:0d:56:1a:6a:05 (GMMHF41) via xl1
Jun 20 08:14:12 dhcp1 dhcpd: DHCPACK on 66.122.2.103 to 00:0d:56:1a:6a:05 (GMMHF41) via xl1
Jun 20 09:12:16 dhcp1 dhcpd: DHCPACK on 66.101.3.104 to 00:0d:56:1a:6a:05 (GMMHF41) via xl1

***********************************
By searching the DHCP server logs for a specific MAC address, you can determine when each IP address was issued to that client, and for how long it held it.

If the attacker in question was walking around the company and launching attacks from different locations, this search would show that the same NIC was behind all three source IPs: one client, three leases.
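The search described above, as an added Python example that is not part of the original write-up: it parses ISC dhcpd `DHCPACK` lines, groups leases by client MAC, and then maps a list of attacking IPs back to the MACs that held them. The sample log embeds the three lines from the write-up plus one constructed line for a second client (the `00:11:22:33:44:55` / `WS-EXAMPLE` entry is hypothetical) so that the grouping has something to separate.

```python
import re
from collections import defaultdict

# Constructed sample log: the three DHCPACK lines quoted in the write-up plus
# one hypothetical line for an unrelated second client.
SAMPLE_LOG = """\
Jun 20 07:05:15 dhcp1 dhcpd: DHCPACK on 66.121.9.155 to 00:0d:56:1a:6a:05 (GMMHF41) via xl1
Jun 20 07:40:02 dhcp1 dhcpd: DHCPACK on 66.121.9.200 to 00:11:22:33:44:55 (WS-EXAMPLE) via xl1
Jun 20 08:14:12 dhcp1 dhcpd: DHCPACK on 66.122.2.103 to 00:0d:56:1a:6a:05 (GMMHF41) via xl1
Jun 20 09:12:16 dhcp1 dhcpd: DHCPACK on 66.101.3.104 to 00:0d:56:1a:6a:05 (GMMHF41) via xl1
"""

# Matches the ISC dhcpd DHCPACK syslog format shown above; the hostname in
# parentheses is optional because dhcpd omits it when the client sends none.
DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dhcpd:\s+DHCPACK on "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s+\((?P<host>[^)]*)\))?\s+via\s+(?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_dhcpack(log_text):
    """Return one dict per DHCPACK line (ts, ip, mac, host, iface); other lines are skipped."""
    leases = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()  # normalise case so grouping is reliable
            leases.append(d)
    return leases


def leases_by_mac(leases):
    """Group (timestamp, ip) pairs by client MAC, preserving log order."""
    by_mac = defaultdict(list)
    for lease in leases:
        by_mac[lease["mac"]].append((lease["ts"], lease["ip"]))
    return dict(by_mac)


def macs_for_ips(leases, target_ips):
    """Map each target IP to the set of MACs that were ever ACKed that address."""
    target = set(target_ips)
    owners = {ip: set() for ip in target}
    for lease in leases:
        if lease["ip"] in target:
            owners[lease["ip"]].add(lease["mac"])
    return owners


def distinct_attackers(leases, target_ips):
    """Return (count, sorted MACs, IPs with no lease in the log) for a set of attacking IPs."""
    owners = macs_for_ips(leases, target_ips)
    macs = set().union(*owners.values()) if owners else set()
    unresolved = sorted(ip for ip, who in owners.items() if not who)
    return len(macs), sorted(macs), unresolved


if __name__ == "__main__":
    leases = parse_dhcpack(SAMPLE_LOG)
    for mac, history in leases_by_mac(leases).items():
        print(mac, history)
    attack_ips = ["66.121.9.155", "66.122.2.103", "66.101.3.104"]
    print(distinct_attackers(leases, attack_ips))
```

Run against the three source IPs from the write-up, `distinct_attackers` reports a single MAC, `00:0d:56:1a:6a:05`, behind all of them. Two practitioner notes: a MAC address is set in software and can be changed, so a single-MAC result is strong evidence rather than proof, and should be corroborated with switch port or 802.1X logs where available; and because leases are reissued over time, always compare the lease timestamp against the time of the attack rather than asking only "which MAC ever held this IP".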