‘Twas the Night Before the Pen Test  

December 24, 2020

We’re taking a break from our regularly-scheduled programming for some light-hearted holiday fun dedicated to all the Blue Teams out there…enjoy. 

’Twas the Night Before the Pen Test   

’Twas the night before the pen test and all through the SOC
The analysts all wondering if the Red Team will knock
The playbooks were ready, prepared with such care
Knowing our enemy soon would be there. 

Analysts pushed out new detections to prod,
Risk trends and smart timelines helped outsmart the odds.
The Red Team was certain their tools would find gaps,
But SecOps ensured the defense overlaps.  

The last test was messy, our defense it did shatter
Our team looked confused with no clue, “What’s the matter?!”
We lacked engineers, we did not check the hash,
We think they got in from a poisoned web cache.   

This time our memory shall not overgrow,
Our code is now hardened from buffer overflow.
At last our Board will see us persevere
We’ll make our alerts and all threats disappear.    

All the right tools made us nimble and quick
Our posture is better we’re ready for clicks.
No pointing of fingers, no one will see blame,
We’ve locked it all down to the last old mainframe.   

Now firewalls, now NAC, now SIEM and CASB
On WAF, on IPS, on UEBA and AV.
A blip on our perimeter: the attack started small.
Now protect and defend, the hack it must fall.   

An ARP spoof attack on the corporate Wi-Fi.
The analyst caught it, they did not retry.
Her next step was to look through the logs for a clue
Did someone gain access, elevate, or sudo?   

Another reviewed emails, looking for spoofs,
The smart timeline would show the true burden of proof.
AV was updated and in the background,
Nonessential servers had been all but shut down  

Still watching and monitoring both out and throughput,
As good guys we knew something strange was afoot.
Our servers all logging the syn, syn-ack, ack
We dared them to try: Go ahead and attack.    

This pen test was different and not quite as scary,
Though still we watched for the last-ditch Hail Mary.
With each failed attempt our advantage did grow.
We smiled with conviction. We detected each blow.   

The attack was persistent, we gritted our teeth.
Will our defenses stand strong? We could not dare breathe.
The risk score revealed random logs from New Delhi.
“It’s getting real now,” the CISO said on the telly. 

The SOC works as a team, there’s no “team” in “myself”.
Preparation was over, SANS books back on the shelf.
One final payload brought the night to a head
I started to doubt and was filled with such dread.   

Twelve failed logins from a revenue clerk!
“It’s always accounting that make things berserk.”
This Red Team is good and they code like the pros,
One click on the link our poor user was hosed.   

But wait! Multi-factor decline caused dismissal,
Intercepting their tactics made analysts feel blissful.
They didn’t get anything not one single byte.
Happy pen test to all and from the Blue Team, “Goodnight.” 
