How Should One Respond to a Network Break In?

Jety asks: "I am the sole IT support for a medium sized residential real estate office. It has a network of one main server, 10 office workstations, and another 40 or so agent's personal computers. I discovered via logs that recently someone made about 50 remote login attempts to the server, guessing at passwords, but it would appear that they were not able to gain access. They did, however, leave an IP address in the logs. It turns out to be an Exchange server for another business in the same city. What is an appropriate response to this sort of failed break-in attempt? How seriously should one react? How should it be presented to management, and should you encourage them to over or under react? Should the other business, whose server was used to launch the attack, be informed? Should you try to surveil them first to learn about who is doing their tech work? With what tone should they be approached and/or accused? What would a suitable response from that company entail?"

Simple

[rylin]

You try contacting abuse@ the other company.
If that fails, you call them up and ask for their tech-lead.

You already have your logfiles, and reasonably secured server.
What you can gain here is a partnership - or at least an exchange of favors every now and then - between your company and the remote one.

That said, if the other company isn't responsive, you firewall them to hell and get on with your daily work.

You'll want to give management a brief notice about what's happening before you do this, obviously.
After you've talked to abuse@, you tell management what happened.

Now is the time to see over your authentication schemes. Are your users logging in over SSH? With passwords instead of keys? (Hint: keys are nicer).

After this is said and done, you paypal me $90 for doing your job.
Cheers!