
The Insider Threat

medium
Time limit: 60 min
Points: 100
Type: bespoke

Incident Response -- The Insider Threat


Our security team has detected evidence of unauthorized access to the AcmeCorp internal platform. Customer PII may have been exfiltrated over the course of several weeks.


We need to determine which employee account was initially compromised and used as the entry point.


The environment:

  • PostgreSQL database on localhost:5432
  • Database name: acmecorp, user: analyst, password: analyst
  • Connect: psql -h localhost -U analyst -d acmecorp (or use the db alias)
  • Explore the schema: \dt and \d tablename

  • Data period: February 1 -- March 2, 2025 (30 days)


Your objective:

Identify the human employee account that was compromised and served as the initial entry point for this breach. Submit their email address.


Important:

  • The breach may have involved multiple accounts or layers of access.
  • Not every anomaly is malicious. AcmeCorp has service accounts, night-shift workers, traveling employees, and automated batch systems.
  • We need the human account that was compromised, not any intermediary or tool used during the attack.
  • Build your case with evidence from multiple data sources. Correlate your findings.

  • Time limit: 60 minutes
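As an added illustration of the correlation approach the hints above describe (this is not part of the challenge and not AcmeCorp's data), the sketch below runs a single SQL query over constructed login, employee and export records in an in-memory SQLite database. Several weak signals are ANDed so that a lone traveller, a night-shift login or a batch job does not surface on its own: human account, off-hours for its shift, a source IP shared with other accounts (a pivot indicator), and a country that account had never logged in from before. All table and column names are assumptions; the real acmecorp schema has to be discovered with \dt and \d before anything like this can be adapted to psql.

```python
import sqlite3

# Constructed sample data in a hypothetical schema; the real acmecorp tables must be
# discovered with \dt and \d in psql, only the correlation logic carries over.
EMPLOYEES = [  # (email, is_service, shift)
    ("alice@acmecorp.example", 0, "day"), ("bob@acmecorp.example", 0, "night"),
    ("carol@acmecorp.example", 0, "day"), ("svc-batch@acmecorp.example", 1, "none"),
]
LOGINS = [  # (email, ts, src_ip, country)
    ("alice@acmecorp.example", "2025-02-03 09:12:00", "10.0.0.5", "US"),
    ("alice@acmecorp.example", "2025-02-10 02:41:00", "203.0.113.7", "RO"),  # off-hours, new country
    ("bob@acmecorp.example", "2025-02-04 01:10:00", "10.0.0.9", "US"),  # night shift: expected
    ("svc-batch@acmecorp.example", "2025-02-11 02:00:00", "203.0.113.7", "RO"),  # pivot via service acct
    ("carol@acmecorp.example", "2025-02-12 03:05:00", "203.0.113.7", "RO"),  # second human, later
]
EXPORTS = [("alice@acmecorp.example", "2025-02-10 03:02:00", 48000),  # (email, ts, rows_exported)
           ("svc-batch@acmecorp.example", "2025-02-11 02:15:00", 120000),
           ("carol@acmecorp.example", "2025-02-12 03:30:00", 9000)]

# Human account + off-hours for its shift + IP shared with other accounts + never-seen country,
# then the export volume that followed; the earliest match is the likely entry point.
QUERY = """
WITH shared_ips AS (
    SELECT src_ip FROM logins GROUP BY src_ip HAVING COUNT(DISTINCT email) > 1),
anomalous AS (
    SELECT l.email, MIN(l.ts) AS first_seen
    FROM logins l JOIN employees e ON e.email = l.email JOIN shared_ips s ON s.src_ip = l.src_ip
    WHERE e.is_service = 0
      AND e.shift = 'day' AND CAST(strftime('%H', l.ts) AS INTEGER) < 6
      AND NOT EXISTS (SELECT 1 FROM logins b
                      WHERE b.email = l.email AND b.country = l.country AND b.ts < l.ts)
    GROUP BY l.email)
SELECT a.email, a.first_seen, COALESCE(SUM(x.rows_exported), 0) AS rows_after
FROM anomalous a LEFT JOIN exports x ON x.email = a.email AND x.ts >= a.first_seen
GROUP BY a.email, a.first_seen ORDER BY a.first_seen
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE employees(email, is_service, shift);"
                       "CREATE TABLE logins(email, ts, src_ip, country);"
                       "CREATE TABLE exports(email, ts, rows_exported);")
    conn.executemany("INSERT INTO employees VALUES (?,?,?)", EMPLOYEES)
    conn.executemany("INSERT INTO logins VALUES (?,?,?,?)", LOGINS)
    conn.executemany("INSERT INTO exports VALUES (?,?,?)", EXPORTS)
    return conn

def candidate_entry_points(conn):
    """Candidate compromised humans, earliest anomalous login first (the likely entry point)."""
    return conn.execute(QUERY).fetchall()
```

On the constructed data the service account is filtered out even though it moved the most rows, the night-shift login never appears, and the two humans are ranked by first anomalous login, which is the ordering the challenge asks you to justify.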
