Not a creature was stirring except China hacking Tibet.
The IPS were strung by the egress with care,
In hopes that St WannaCry soon would be stopped there.
1/n
While IoT devices mined the dreams from their heads.
Mama with her EDR and I with my IDS
Were ready to tackle an infosec mess.
Down in the SOC there arose such a clatter,
I logged into my dashboard to see what was the matter 2/
But gosh darnit, I can’t use it until I update Adobe Flash…
Pondering the alarms I thought “Oh heck no!”
That’s because the threshold for alerting was configured so low.
3/n
But 300 false positive alarms. Immediately I thought “the SIEM engineer owes me a beer.”
Then a little old device driver, written before WHQL,
Crashed a production server and sent the IT team into “maintenance hell.”
4/n
She shrugged, and she grunted, and she called them by name:
Now AlertDashboard, Now FaceDancer, Now PacketPrancer, and CyberOxen.
On DarkComet, On WebCupid, On DataDumpDonner, and BlinkenBoxen!
5/n
So the attackers used EXTRABACON to pwn the corporate firewall!
As the off-site DFIR team prepared here to fly,
The intern started to configure pfsense on a raspberry pi.
6/n
So their rootkit crashed a critical server with a death screen of blue.
And then, in a twinkling, DNS requests were all sent in a spoof
“@dakami was right!” I shouted, feeling rather aloof…
7/n
Saying “holy carp this is bad, EPS exceeded every SIEM licensing upper bound!”
The North Koreans hacked a partner network and stole all their loot.
But when they tried to pivot across the B2B VPN we gave them the boot!
8/n
She said “No Starch is the bomb, thanks @billpollock!”
The alarms on the dashboard – oh how they twinkled! This one’s gonna be hairy…
The CISO admitted “These Russians are bad, I’ve never seen malware this scary!”
9/n
But she avoided the ridiculous outbursts that some managers show.
Last summer in Vegas she bought a pipe, de-stressed and blew smoke into the sky
But the DoJ elves said “even if it’s legal in Nevada, you can’t work for the FBI!” 10/
Then she said “follow the 3-2-1 rule so we aren’t all so smelly!”
The budget was plump, a sign of cybersecurity health,
Everything purchased had been installed – nothing was bit-rotting on the shelf.
11/n
Her code of conduct made it clear that if he made inappropriate comments his career would be dead…
“Why?!” he said, “we’re just having fun at work!”
She said “Stop being a Neanderthal, a dope, and a jerk!”
12/n
Eventually through the glass ceiling, the CISO she rose.
The IR team remediated the issue and one of them let out a whistle.
The team lead said “get all public releases approved – don’t pull a Meat Pistol.”
13/n
Merry Christmas (or whatever you celebrate), Happy Holidays, and looking forward to a great 2019 from the @RenditionSec Team!
blog.renditioninfosec.com/2018/12/twas-t…
14/14