There was recently an outage on your wireless network for many different endpoints. After doing some initial inspections, you realize that this was more than an unintentional outage. You find out from some records that one of your former colleagues set up a wireless network monitoring device which captures wireless communications and keeps them for a month. Additionally, you interview a current employee to ask what they experienced during the outage, and this is what they said "My Wi-Fi went down, but I could reconnect to the Wi-Fi again, but it said it was an open network. I was prompted on my browser to enter the password, and that the reason was there was a firmware update, and then I lost connection again. After this I was able to reconnect to the network again, but this time my browser did nothing, and it was back to normal."

What the employee said interested you, so you take notes on what they spoke into the incident report. Additionally, you pull the employees browser history and see that they did indeed connect to a page for authentication. As well you get together the information for their machines wireless network interface, and the access points wireless network interface. Which is as follows:

Access Point Information

Network Interface Description	Some generic Cisco one (Probably Realtek)
Physical Address (MAC) (aka BSSID)	60-38-e0-71-e9-db
SSID (aka ESSID)	Wifiisgoodforbuziness
Operating Frequency	5 GHz (2.4 GHz disabled)

 

Employee's Wireless Card Information

Network Interface Description	Realtek RTL8822BE 802.11ac PCIe Adapter
Physical Address (MAC)	74-40-BB-75-F2-E9
Operating Frequency	2.4 GHz and 5 GHz

After you gather this information, you go into the wireless network monitoring device's storage and rebuild the following communications.

Frame Number	Source Address	Destination Address	802.11 Frame Type
1	74-40-BB-75-F2-E9	60-38-e0-71-e9-db	Data
2	60-38-e0-71-e9-db	74-40-BB-75-F2-E9	Data
3	60-38-e0-71-e9-db	74-40-BB-75-F2-E9	Deauthentication
4	60-38-e0-71-e9-db	74-40-BB-75-F2-E9	Deauthentication
5	60-38-e0-71-e9-db	74-40-BB-75-F2-E9	Deauthentication
6	60-38-e0-71-e9-db	74-40-BB-75-F2-E9	Deauthentication
7	60-38-e0-71-e9-db	74-40-BB-75-F2-E9	Deauthentication
8	60-38-e0-71-e9-db	74-40-BB-75-F2-E9	Deauthentication
9	74-40-BB-75-F2-E9	60-38-e0-71-e9-db	Probe Request
10	60-38-e0-71-e9-db	74-40-BB-75-F2-E9	Probe Response
11	74-40-BB-75-F2-E9	60-38-e0-71-e9-db	Association Request
12	60-38-e0-71-e9-db	74-40-BB-75-F2-E9	Association Response
13	60-38-e0-71-e9-db	74-40-BB-75-F2-E9	Authentication
14	60-38-e0-71-e9-db	74-40-BB-75-F2-E9	Dissociation

 

Additionally, from your radio frequency analysis, you find that these transmissions were coming from two different frequencies in two separate locations, that is 2.4GHz and 5.0GHz which is odd. You begin to put together some assumptions as to what incident has transpired so that you can decide as to what you should do next. 

 

What threat has occurred? (i.e., what type specifically)