Jake Williams @MalwareJake
14 tweets, 4 min read
Twas the night before Christmas and all over the ‘net,
Not a creature was stirring except China hacking Tibet.

The IPS were strung by the egress with care,
In hopes that St WannaCry soon would be stopped there.
1/n
The children were nestled all snug in their beds,
While IoT devices mined the dreams from their heads.

Mama with her EDR and I with my IDS
Were ready to tackle an infosec mess.

Down in the SOC there arose such a clatter,
I logged into my dashboard to see what was the matter 2/
This thing had better work, it cost so much cash.
But gosh darnit, I can’t use it until I update Adobe Flash…

Pondering the alarms I thought “Oh heck no!”
That’s because the threshold for alerting was configured so low.
3/n
When what to my wondering eyes did appear,
But 300 false positive alarms. Immediately I thought “the SIEM engineer owes me a beer.”

Then a little old device driver, written before WHQL,
Crashed a production server and sent the IT team into “maintenance hell.”
4/n
We need a new vendor said the CISO, and rapidly the salespeople came.
She shrugged, and she grunted, and she called them by name:

Now AlertDashboard, Now FaceDancer, Now PacketPrancer, and CyberOxen.
On DarkComet, On WebCupid, On DataDumpDonner, and BlinkenBoxen!
5/n
The network admin configured SNMP wide open for all,
So the attackers used EXTRABACON to pwn the corporate firewall!

As the off-site DFIR team prepared here to fly,
The intern started to configure pfsense on a raspberry pi.
6/n
But their OPSEC was bad and the attackers they knew,
So their rootkit crashed a critical server with a death screen of blue.

And then, in a twinkling, DNS requests were all sent in a spoof
“@dakami was right!” I shouted, feeling rather aloof…
7/n
The analyst checked the logs, and then spun around,
Saying “holy carp this is bad, EPS exceeded every SIEM licensing upper bound!”

The North Koreans hacked a partner network and stole all their loot.
But when they tried to pivot across the B2B VPN we gave them the boot!
8/n
The CISO had Humble Bundles of infosec PDFs in stock
She said “No Starch is the bomb, thanks @billpollock!”

The alarms on the dashboard – oh how they twinkled! This one’s gonna be hairy…
The CISO admitted “These Russians are bad, I’ve never seen malware this scary!”
9/n
Management stress can get some people so low,
But she avoided the ridiculous outbursts that some managers show.

Last summer in Vegas she bought a pipe, de-stressed and blew smoke into the sky
But the DoJ elves said “even if it’s legal in Nevada, you can’t work for the FBI!” 10/
She had the war room catered with food from a nearby deli,
Then she said “follow the 3-2-1 rule so we aren’t all so smelly!”

The budget was plump, a sign of cybersecurity health,
Everything purchased had been installed – nothing was bit-rotting on the shelf.
11/n
A wink of her eye and a twist of her head,
Her code of conduct made it clear that if he made inappropriate comments his career would be dead…

“Why?!” he said, “we’re just having fun at work!”
She said “Stop being a Neanderthal, a dope, and a jerk!”
12/n
She’s one of the best, the answer she almost always knows…
Eventually through the glass ceiling, the CISO she rose.

The IR team remediated the issue and one of them let out a whistle.
The team lead said “get all public releases approved – don’t pull a Meat Pistol.”
13/n
Then I heard them exclaim as they drove out of sight – “Stop clicking on stuff, we can’t do this again tonight!”

Merry Christmas (or whatever you celebrate), Happy Holidays, and looking forward to a great 2019 from the @RenditionSec Team!
blog.renditioninfosec.com/2018/12/twas-t…
14/14