Peter Girnus 🦅 @gothburz
Day 1.
The attacker entered.
We did not notice.
Day 2.
The attacker moved laterally.
We were in a meeting about Q2 roadmap.
Day 30.
Monthly security review.
"No anomalies detected."
The anomaly was in 47 systems.
We reviewed 3.
Day 90.
Quarterly board update.
"Our security posture is strong."
The attacker agreed.
Strong enough to support their operations.
Day 180.
Half a year.
The attacker has settled in.
They've customized their workspace.
We've customized our dashboards.
Neither reflects reality.
Day 365.
Happy anniversary.
The attacker brought friends.
Sandworm.
GRU.
Names we'll learn later.
Much later.
Day 547.
The edge devices were misconfigured.
We didn't know.
The attackers did.
That's the thing about edge devices.
Someone's always on the edge.
Usually not us.
Day 730.
Two years.
The SIEM is working.
The SIEM has 847,000 alerts.
We've triaged 12.
None of them were this.
Day 847.
Someone mentioned "zero trust."
In a webinar.
We attended the webinar.
The attacker attended our network.
Different priorities.
Day 1,000.
Milestone.
We celebrated.
Ship-it drinks.
Product launch.
The attacker celebrated too.
Credential harvest.
Different metrics.
Same infrastructure.
Day 1,095.
Three years.
The vulnerability was not a vulnerability.
It was a configuration.
Our configuration.
Customer configuration.
The customer is always right.
The customer is also always misconfigured.
Day 1,277.
Security awareness training.
"Don't click suspicious links."
Everyone completed it.
The attacker didn't need links.
They had the front door.
And the side door.
And a ladder to the window.
We left the ladder.
Day 1,460.
Four years.
Someone in the SOC saw something.
"Probably nothing."
It was not nothing.
It was everything.
They went to lunch.
The attacker stayed.
Day 1,500.
Audit passed.
ISO 27001.
SOC 2 Type II.
The auditor was impressed.
The documentation was thorough.
The attackers were more thorough.
But they weren't in scope.
Day 1,643.
The threat intel feed updated.
"Sandworm targeting Western critical infrastructure."
We read the report.
We shared the report.
We were the report.
We didn't know yet.
Day 1,700.
New CISO joined.
Former FBI Cyber Division.
He seemed sharp.
The attackers seemed sharper.
For now.
Day 1,750.
Something wasn't clicking.
For the CISO.
Everything was clicking.
For the attackers.
Mouse clicks.
Keyboard clicks.
Credential clicks.
Day 1,800.
The new CISO asked questions.
Uncomfortable questions.
"Why is this device talking to Belarus?"
Good question.
We checked.
Oh.
Oh no.
Day 1,825.
Five years.
Detection: complete.
Finally.
Containment: pending.
Eradication: pending.
Recovery: pending.
Sanity: not pending.
Gone.
Day 1,826.
The war room was activated.
We have a war room now.
The attacker had a war room for 1,825 days.
We have one for 1.
Different timelines.
Day 1,827.
The press release was drafted.
"We take security seriously."
We took it seriously.
Eventually.
"Sophisticated nation-state actor."
They used misconfigured edge devices.
The sophistication was our denial.
Day 1,828.
Legal joined the call.
Legal read the timeline.
Legal left the call.
Legal is "working on messaging."
The messaging is: we were home.
For five years.
With guests.
Uninvited guests.
Russian guests.
Day 1,829.
The recommendations were written.
- Network edge device audit
- Credential replay detection
- Access monitoring
- IOC review
We wrote these down.
For 2026.
The attackers started in 2021.
We're aspirational.
Day 1,830.
The CISO gave an interview.
"Patch all you like, but if you leave devices misconfigured, it's like putting expensive locks on the front door and leaving an upstairs window open with a ladder on hand."
Poetic.
Accurate.
We were the ladder.
We were always the ladder.
Day 1,831.
New alert.
North Korean operatives.
Applying for jobs.
1,800 blocked since April.
Different attackers.
Same platform.
Same year.
Different vibes.
They're using laptop farms.
In America.
To look American.
While living in Pyongyang.
Remote work.
Very remote.
Day 1,832.
The incident is closed.
The incidents are not closed.
Plural now.
Russians in the network.
North Koreans in the job portal.
We are popular.
The wrong kind of popular.
Day 1,833.
Lessons learned meeting scheduled.
For next quarter.
Attendance: mandatory.
Implementation: optional.
Learning: theoretical.
Day 1,834.
The postmortem was written.
200 pages.
Root cause: "misconfiguration."
Root root cause: "human error."
Root root root cause: "we didn't look."
For five years.
We didn't look.
Day 1,835.
I updated my resume.
Not on LinkedIn.
The North Koreans are on LinkedIn.
Hijacking dormant accounts.
For credibility.
I respect the grind.
I do not respect the implications.
Day 1,836.
Coffee: critical.
Outlook: bleak.
The 2026 recommendations are published.
"Don't let 2026 be an open window for attackers."
2021 was the open window.
2022 was the open window.
2023 was the open window.
2024 was the open window.
2025 was the open window.
2026 is the recommendation.
Day 1,837.
The incident is over.
The trauma is not.
We've completed the postmortem.
The patient died in 2021.
We pronounced it in 2025.
The paperwork is complete.
Mean time to detect: 1,825 days.
Mean time to care: 1,826 days.
Mean time to forget: TBD.
The edge devices are being audited.
The attackers are being attributed.
The executives are being promoted.
The analysts are being caffeinated.
Containment: achieved.
Eradication: achieved.
Recovery: in progress.
Faith in detection capabilities: unrecoverable.
The ladder has been removed.
The window has been closed.
The door remains open.
It's always open.
For collaboration.
And apparently, nation-states.
Status: Resolved.
The resolution is: we know now.
What we didn't know then.
For 1,825 days.
The breach is over.
The next breach is loading.
Goodnight.