’Twas the Night Before the Pen Test
December 24, 2020

Chris Archinal

We’re taking a break from our regularly scheduled programming for some light-hearted holiday fun dedicated to all the Blue Teams out there. Enjoy.

’Twas the Night Before the Pen Test

’Twas the night before the pen test and all through the SOC
The analysts all wondering if the Red Team will knock
The playbooks were ready, prepared with such care
Knowing our enemy soon would be there.

Analysts pushed out new detections to prod,
Risk trends and smart timelines helped outsmart the odds.
The Red Team was certain their tools would find gaps,
But SecOps ensured the defense overlaps.

The last test was messy, our defense it did shatter
Our team looked confused with no clue, “What’s the matter?!”
We lacked engineers, we did not check the hash,
We think they got in from a poisoned web cache.

This time our memory shall not overgrow,
Our code is now hardened from buffer overflow.
At last our Board will see us persevere
We’ll make our alerts and all threats disappear.

All the right tools made us nimble and quick
Our posture is better we’re ready for clicks.
No pointing of fingers, no one will see blame,
We’ve locked it all down to the last old mainframe.

Now firewalls, now NAC, now SIEM and CASB
On WAF, on IPS, on UEBA and AV.
A blip on our perimeter: the attack started small.
Now protect and defend, the hack it must fall.

An ARP spoof attack on the corporate Wi-Fi.
The analyst caught it, they did not retry.
Her next step was to look through the logs for a clue
Did someone gain access, elevate, or sudo?

Another reviewed emails, looking for spoofs,
The smart timeline would show the true burden of proof.
AV was updated and in the background,
Nonessential servers had been all but shut down.

Still watching and monitoring both out and throughput,
As good guys we knew something strange was afoot.
Our servers all logging the SYN, SYN-ACK, ACK,
We dared them to try: Go ahead and attack.

This pen test was different and not quite as scary,
Though still we watched for the last-ditch Hail Mary.
With each failed attempt our advantage did grow.
We smiled with conviction. We detected each blow.

The attack was persistent, we gritted our teeth.
Will our defenses stand strong? We could not dare breathe.
The risk score revealed random logs from New Delhi.
“It’s getting real now,” the CISO said on the telly.

The SOC works as a team, there’s no “team” in “myself”.
Preparation was over, SANS books back on the shelf.
One final payload brought the night to a head
I started to doubt and was filled with such dread.

Twelve failed logins from a revenue clerk!
“It’s always accounting that makes things berserk.”
This Red Team is good and they code like the pros,
One click on the link, our poor user was hosed.

But wait! Multi-factor decline caused dismissal,
Intercepting their tactics made analysts feel blissful.
They didn’t get anything, not one single byte.
Happy pen test to all, and from the Blue Team, “Goodnight.”
