‘Twas the Night Before the Pen Test

We’re taking a break from our regularly-scheduled programming for some light-hearted holiday fun dedicated to all the Blue Teams out there…enjoy. 

’Twas the Night Before the Pen Test   

’Twas the night before the pen test and all through the SOC
The analysts all wondering if the Red Team will knock
The playbooks were ready, prepared with such care
Knowing our enemy soon would be there. 

Analysts pushed out new detections to prod,
Risk trends and smart timelines helped outsmart the odds.
The Red Team was certain their tools would find gaps,
But SecOps ensured the defense overlaps.  

The last test was messy, our defense it did shatter
Our team looked confused with no clue, “What’s the matter?!”
We lacked engineers, we did not check the hash,
We think they got in from a poisoned web cache.   

This time our memory shall not overgrow,
Our code is now hardened from buffer overflow.
At last our Board will see us persevere
We’ll make our alerts and all threats disappear.    

All the right tools made us nimble and quick
Our posture is better we’re ready for clicks.
No pointing of fingers, no one will see blame,
We’ve locked it all down to the last old mainframe.   

Now firewalls, now NAC, now SIEM and CASB
On WAF, on IPS, on UEBA and AV.
A blip on our perimeter: the attack started small.
Now protect and defend, the hack it must fall.   

An ARP spoof attack on the corporate Wi-Fi.
The analyst caught it, they did not retry.
Her next step was to look through the logs for a clue
Did someone gain access, elevate, or sudo?   

Another reviewed emails, looking for spoofs,
The smart timeline would show the true burden of proof.
AV was updated and in the background,
Nonessential servers had been all but shut down.   

Still watching and monitoring both out and throughput,
As good guys we knew something strange was afoot.
Our servers all logging the syn, syn-ack, ack
We dared them to try: Go ahead and attack.    

This pen test was different and not quite as scary,
Though still we watched for the last-ditch Hail Mary.
With each failed attempt our advantage did grow.
We smiled with conviction. We detected each blow.   

The attack was persistent, we gritted our teeth.
Will our defenses stand strong? We could not dare breathe.
The risk score revealed random logs from New Delhi.
“It’s getting real now,” the CISO said on the telly. 

The SOC works as a team, there’s no “team” in “myself”.
Preparation was over, SANS books back on the shelf.
One final payload brought the night to a head
I started to doubt and was filled with such dread.   

Twelve failed logins from a revenue clerk!
“It’s always accounting that make things berserk.”
This Red Team is good and they code like the pros,
One click on the link our poor user was hosed.   

But wait! Multi-factor decline caused dismissal,
Intercepting their tactics made analysts feel blissful.
They didn’t get anything not one single byte.
Happy pen test to all and from the Blue Team, “Goodnight.”