From Phish to Foothold: How a VPN Gap Became an Enterprise-Wide Incident and What IT Can Learn

Veeam
11/10/2025

Transcript

Introduction

This Wake Up podcast episode from Veeam features Michael Irwin recounting a real-world incident response to a nation-state-attributed intrusion. The discussion matters for IT leaders because it translates front-line detection, containment, and leadership challenges into actionable practices—especially around MFA gaps, third-party engagement, and burnout prevention.

Nation-State Intrusion: How It Started and Why It Escalated

Michael Irwin describes an enterprise incident that began with successful social engineering, compromising a user account reused across services. Without MFA on the VPN, the attackers leveraged the same credentials to gain remote access, establish persistence, and move laterally. The initial signal was subtle: anomalous geolocation activity on login attempts—U.S.-based employees showing clusters of successful logins from distant locations and consumer VPN IP ranges. Patterns across multiple users triggered the “aha” moment that this exceeded a routine event.
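The early signal described above is a pattern rather than a single event: successful logins far from a user's usual region, source addresses belonging to consumer VPN services, and the same anomaly showing up on several accounts at once. The detector below is an added example (not code from the podcast, Veeam, or Irwin's organization) that runs those three checks over constructed VPN log lines. The log format, the GeoIP table, the "consumer VPN" address ranges and the thresholds are all assumptions for illustration; a real deployment would replace the lookup table with a GeoIP database and the range list with a threat-intel feed.

```python
"""Added example: flag distant, consumer-VPN and impossible-travel VPN logins,
then escalate when several users share the same anomaly. All data is constructed."""
import ipaddress
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed consumer-VPN address ranges (documentation prefixes, not real allocations).
CONSUMER_VPN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed GeoIP table: prefix -> (lat, lon). A real deployment queries a GeoIP database.
GEOIP = {
    "192.0.2.0/24": (41.88, -87.63),    # "Chicago" office egress
    "198.51.100.0/24": (52.52, 13.40),  # "Berlin" consumer VPN exit
    "203.0.113.0/24": (55.75, 37.62),   # "Moscow" consumer VPN exit
}
HOME_BASE = (41.88, -87.63)  # every user in this constructed tenant is U.S.-based
FAR_KM = 3000.0              # beyond this distance from home a login counts as "distant"
MAX_SPEED_KMH = 900.0        # implied speed above this between two logins = impossible travel
CAMPAIGN_THRESHOLD = 2       # distinct users sharing one anomaly before escalating


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    ip: str
    ok: bool


def parse_line(line: str) -> Login:
    """Parse a constructed log line: '<iso-ts> user=<u> src=<ip> result=<ok|fail>'."""
    ts_s, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    ts = datetime.fromisoformat(ts_s).astimezone(timezone.utc)
    return Login(ts, fields["user"], fields["src"], fields["result"] == "ok")


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def locate(ip: str) -> Optional[Tuple[float, float]]:
    addr = ipaddress.ip_address(ip)
    for prefix, coords in GEOIP.items():
        if addr in ipaddress.ip_network(prefix):
            return coords
    return None


def is_consumer_vpn(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CONSUMER_VPN_RANGES)


def analyze(lines: List[str]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Return (per-user anomaly tags, anomalies shared by >= CAMPAIGN_THRESHOLD users)."""
    by_user: Dict[str, List[Login]] = defaultdict(list)
    for line in lines:
        lg = parse_line(line)
        if lg.ok:  # failed attempts are noise here; successful logins are the signal
            by_user[lg.user].append(lg)

    findings: Dict[str, set] = defaultdict(set)
    for user, logins in by_user.items():
        logins.sort(key=lambda l: l.ts)
        prev: Optional[Tuple[datetime, Optional[Tuple[float, float]]]] = None
        for lg in logins:
            loc = locate(lg.ip)
            if is_consumer_vpn(lg.ip):
                findings[user].add("consumer_vpn")
            if loc and haversine_km(HOME_BASE, loc) > FAR_KM:
                findings[user].add("distant")
            if prev and loc and prev[1]:
                hours = (lg.ts - prev[0]).total_seconds() / 3600
                if hours > 0 and haversine_km(prev[1], loc) / hours > MAX_SPEED_KMH:
                    findings[user].add("impossible_travel")
            prev = (lg.ts, loc)

    # Escalation: one odd login is a ticket; the same anomaly on several accounts is a campaign.
    users_by_tag: Dict[str, set] = defaultdict(set)
    for user, tags in findings.items():
        for tag in tags:
            users_by_tag[tag].add(user)
    campaign = {t: sorted(u) for t, u in users_by_tag.items() if len(u) >= CAMPAIGN_THRESHOLD}
    return {u: sorted(t) for u, t in findings.items()}, campaign


# Constructed sample log: two users jump from the office to a Moscow VPN exit within hours.
SAMPLE_LOG = [
    "2025-03-01T13:00:00+00:00 user=alice src=192.0.2.10 result=ok",
    "2025-03-01T14:05:00+00:00 user=alice src=203.0.113.7 result=ok",
    "2025-03-01T13:10:00+00:00 user=bob src=192.0.2.11 result=ok",
    "2025-03-01T15:30:00+00:00 user=bob src=203.0.113.9 result=ok",
    "2025-03-01T13:20:00+00:00 user=carol src=192.0.2.12 result=ok",
    "2025-03-01T13:25:00+00:00 user=carol src=192.0.2.12 result=fail",
    "2025-03-01T16:00:00+00:00 user=dave src=198.51.100.200 result=ok",  # distant, not in VPN list
]

if __name__ == "__main__":
    per_user, shared = analyze(SAMPLE_LOG)
    print(per_user)
    print("campaign signals:", shared)
```

Running it tags alice and bob with all three anomalies and dave with "distant" only; carol's single failed login produces nothing. The campaign view is the part that matters for triage: "impossible_travel" on two accounts within the same afternoon is the cross-user pattern the text describes, and it should open an incident rather than a password-reset ticket.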

Severity crystallized when evidence touched privileged or service accounts. Unlike user accounts, service credentials can be embedded in source code and infrastructure, making immediate rotation risky and complex. The organization contained the incident quickly and kept it internal—no customer or PII exposure—yet the operational impact and third-party costs still reached seven figures.

Detection to Containment: Methodical Moves and Missing Pieces

Indicators and triage

The team prioritized containment over immediate full remediation: lock out known-bad access, rotate credentials, and bound the blast radius. Smaller teams faced scarcity of niche expertise (forensic depth, log behavior analysis), prompting engagement with an external incident response provider. Legal and cyber insurance became part of the workflow, as did executive communication around uncertainty and cost.

Third-party validation and acceleration

Bringing in external specialists served two purposes: credibility and capability. They affirmed the containment strategy and supplemented gaps in forensic rigor and evidence handling. Notably, lacking an incident response retainer delayed engagement due to procurement and scheduling—reinforcing the value of pre-negotiated IR retainers for speed-to-action.

The Hard Trade-Off: UX Friction vs. Security Controls

The root cause exposed a classic prioritization challenge. The organization deferred MFA on VPN to align with a planned SSO rollout requiring network upgrades—optimizing for user experience and minimizing change fatigue. The incident struck during that window. With hindsight, Irwin would elevate MFA on external entry points to a top-tier priority regardless of UX sequencing. His evolved approach emphasizes practical risk reduction aligned to common incident causes over pursuit of “perfect” implementation sequencing.

The broader message: progress over perfection. IT leaders must communicate risks clearly, quantify potential business impact, and accept staged rollouts that deliver critical controls early—even if user experience isn’t yet ideal.

Operations Under Duress: People, Process, and Burnout

Running 24x7—then stabilizing

Containment was a days-long, round-the-clock effort; initial remediation spanned weeks; investigation stretched into months. Stress peaked early when the team was determining scope and impact. As facts solidified—what was compromised and what wasn’t—stress declined. Still, small teams with single points of expertise struggled with sustainable shifts, handoffs, and recovery time.

Managing the human system

Irwin underscores that managing responders is as critical as managing the incident: ensuring breaks, hydration, and role clarity. He witnessed a key team member exit during the early stages—an illustration of the field’s burnout risk. Pre-incident preparation, including tabletop exercises and expectations-setting about stress trajectories, can mitigate the shock factor for less-experienced responders.

He also argues for cultural reframing: stop treating incidents as program failures. Success must be judged by containment effectiveness, speed of escalation, and avoidance of reportable harm, not by the fantasy of zero incidents. The asymmetry is structural: defenders must get many controls right every day, while an attacker needs only one miss, so executives should expect incidents and judge the response rather than the fact that one occurred.

Governance, Alignment, and Decision Quality

Effective security leadership translates technical risk into business-aware decisions. Irwin highlights the need to brief executives with clear risk narratives tied to business impact and to document intentional trade-offs. That transparency, plus practical prioritization based on prevalent attack vectors, drives better alignment on risk tolerance and investment. He emphasizes that, in constrained environments, there will always be more work than resources—so priority setting and expectation management are continuous disciplines.

Timeline and Outcomes

Irwin’s team moved fast to contain and then engage a third party, even without a retainer. The external firm validated earlier decisions, provided forensic depth, and structured evidence retention. The organization avoided external disclosure obligations due to strong boundary controls and lack of sensitive data exposure. Still, the internal disruption, cost, and human toll were significant—reinforcing the need for preventative controls on external access, retainer-based IR readiness, and load-balanced staffing.

Key Takeaways

  • Prioritize MFA on all external entry points, especially VPN, ahead of UX-ideal sequencing; progress beats perfection.
  • Use geolocation and VPN IP intelligence on login telemetry to catch credential misuse early, before it turns into lateral movement; the same anomaly across multiple users is the critical signal.
  • Secure an incident response retainer to remove procurement delays and accelerate forensics and containment.
  • Manage responders like critical infrastructure: enforce breaks, plan shifts, and prepare teams with tabletop exercises.
  • Reframe success: measure containment speed and impact avoidance, not the absence of incidents.

Conclusion

For IT professionals, this case underscores that incident response is as much about disciplined prioritization and people leadership as it is about tools and telemetry. A single control gap—MFA on VPN—can create months of downstream work. The durable lessons are clear: deploy high-impact controls early, maintain IR readiness with external partners, structure teams to operate sustainably under stress, and align executive expectations to the realities of modern threat models. This is the path to resilient, repeatable outcomes when—not if—incidents occur.

