Mike Fratto

Network Computing Editor


'Twas The Day Before Audit

'Twas the day before audit, and all through the net,
all the sniffers were sniffing,
the ACLs were all set.
IDSs were tuned to cut out the noise,
to catch hackers and crackers and steal all their toys.
The servers were hardened and code all inspected,
while programmers fretted over SQL injected.
Management hung around micromanaging us,
while PCs were patched using WSUS.

When out on the edge, there arose such a clatter,
I sprang to my console to see what was the matter.

I fired up Acid and examined my Snort,
the alerts flowed in, much too fast for a sort.
The charts and the graphs showed a disheartening tale,
an attacker came knocking, our firewall failed.
When, what to my wondering eyes should I see,
the malcontent downloaded a rootkit called FLEA.

An attacker this speedy, so lively and quick,
it seemed automated, the actions robotic.
More rapid than DDoS, the exploits they came.

Snort chugged and churned, and it called them by name:
Now UNICODE! Now ADM! Now LSAS and Mountd!
On .printer! On Frontpage! On ISAPI! And NameD!
To the vulnerable servers!
To the new firewall!
Now dash away, dash away, dash away all!

As gallon to a quart,
new hosts spill over the cup,
findings as easy as nslookup.

So into my network the attackers they flew,
with tarballs of tools and a professional crew.
And then in a twinkling, I saw in the syslogs,
the compiling and cleaning that'll hide all their jobs.

As I sat back and planned my next move,
the attacker owned my server.
He was in the groove.
He trojaned my binaries and modded my kernel,
he put in back doors devious, infernal.

Then he moved on, stealthy and quick,
finding new hosts, click-clack, click-click.
Oh how he moved past my ACLs and rules,
finding paths through the network I never abused.
He poked and he prodded and showed so much moxey,
I think he just violated Sarbanes-Oxley!

The race is now on, with downtime consequent,
my CIO's on the phone hiring a consultant.
I shut down my firewall and disabled known ports,
I patched up my systems and ran vulnerability reports.
I clean and I scrub and I repair and replace,
it's 3 in the morning, a feverish pace.

The board is away,
their fate hangs on a nerd.
They whisper and mumble, but to me, not a word.
I work through the night,
the staff here is full.
I have to thank whoever brought the RedBull.

By 9 the next day, we are patched and protected,
nefarious packets are dropped and rejected.
I walk to the board and explain events recent.
They say they'll increase IT's budget just 3 percent.
I walk away disappointed at an increase so slight,
but I'm going home now, happy holidays and good night.

*Originally ran in the November/December 2004 issue of Secure Enterprise
