Cybersecurity vulnerability scans, audits, and penetration tests routinely provide organizations with a list of corrective actions to close security gaps in the network, with the implicit promise that remediating items on that list will secure the environment. These remediation tasks can create a false sense of security. Unfortunately, without an understanding of breach context, attempts to address these security flaws often miss the mark, sometimes with devastating consequences.
In the cybersecurity industry we refer to this work as “security theater” because when conducted without breach context it is largely performative. Security teams are demonstrating to leadership that they are actively protecting the network or showing that they have met security or regulatory requirements. Despite the best intentions, these actions often fail to appropriately address the underlying risks. For example, if an audit determines that access to an administrative console lacks MFA, then the obvious remediation action is to require MFA upon authentication to that console.
Breach context tells us that there is more that must be considered before this risk is properly remediated. If the selected MFA tool allows for weak authentication methods like SMS or phone call verification then it can be defeated by a SIM swap, which has become a simple and common attack vector in recent years. If the MFA tool allows its configuration to be backed up to a user’s personal cloud account then those configurations can be exposed and the organization can become a target if a personal account is compromised, through no fault of the organization. Understanding breach context means understanding how threat actors behave and proactively restricting their attack vectors.
Approaching security through the lens of breach context and proper tool orchestration produces a security program focused on countering actual threat actor (TA) behavior. True security requires an understanding of breach context before addressing configuration and tooling changes.
Understanding breach context in the real world
Cybersecurity tools focus on detecting anomalies, blocking threats, and logging events. But without breach context a reliance on tooling can leave an organization blind to strategic weaknesses in the environment. Security orchestration requires a more holistic approach where each tool traces back to the root cause of a security flaw and supports other tools in closing these gaps with overlapping layers of protection. Security controls should not operate independently. Knowing which assets are at risk, understanding the root cause of breaches, and tracking attacker objectives and behavior provides the insight required for security controls to be tuned effectively.
Let’s apply security theater to a real-world example: An organization is using a cloud-based HRMS tool that requires all users and admins to respond to two separate, strong MFA prompts from well-managed corporate MFA tools to access the HRMS site. On the surface, this is a very secure configuration. However, due to the nature of the HRMS tool, terminated employees need access to retrieve pay stubs, tax info, and other documentation. To facilitate this access, the HR team set up an alternate, public logon page that does not require MFA. By policy, users and administrators use the internal-facing MFA-secured page. In practice, both users and admins can use the public page to access the tool from any device or location while bypassing both MFA prompts. A typical audit might ask whether MFA is required to access this tool. Breach context instead asks whether any methods bypass the MFA requirement and under what circumstances those bypasses apply, and then advises on secure options for remediation.
Applying breach context to this situation reveals a variety of issues. Aside from the lack of MFA on the external site, it also means that SSO-joined corporate users or admins who access this page externally may have cached corporate credentials on unmanaged and poorly secured devices where threat actors could harvest them. These credentials could be used to access other organization sites or public-facing tools or used to access the organization’s corporate network. Additionally, HR has full control of this tool with no IT or security team oversight, meaning that the meticulous security controls put in place by the IT department to prevent credential theft have been bypassed and undermined without the IT security team’s awareness.
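As an added illustration that is not part of the original article, the following script applies the breach-context question from the HRMS scenario to constructed logon records and an HR roster: rather than asking "is MFA required?", it flags every session where an active employee or an admin reached the tool through the no-MFA public page. The log format, field names, roster and sample values are all assumptions made for this example.

```python
# Constructed sample HRMS access log (not real data). "public" is the
# no-MFA page intended only for terminated staff; "internal" is the SSO page
# that enforces both MFA prompts. mfa= counts the prompts the session passed.
LOG_LINES = [
    "2024-05-01T08:02:11Z user=jdoe endpoint=internal mfa=2 src=10.20.1.15",
    "2024-05-01T08:15:40Z user=hr_admin endpoint=public mfa=0 src=203.0.113.8",
    "2024-05-01T09:30:05Z user=asmith endpoint=public mfa=0 src=198.51.100.23",
    "2024-05-01T11:47:59Z user=bjones endpoint=public mfa=0 src=203.0.113.77",
]

# Constructed HR roster: employment status and whether the account administers
# the HRMS tool. In practice this would be pulled from the HR system or IdP.
ROSTER = {
    "jdoe": {"status": "active", "admin": False},
    "hr_admin": {"status": "active", "admin": True},
    "asmith": {"status": "active", "admin": False},
    "bjones": {"status": "terminated", "admin": False},
}


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' log line into a dict."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = ts
    rec["mfa"] = int(rec["mfa"])
    return rec


def find_mfa_bypass(lines, roster) -> list[dict]:
    """Return logons that bypass the MFA policy described in the scenario:
    an active employee (who should use the internal page) or any admin
    authenticating on the public page, or an admin session that satisfied
    fewer than the two required MFA prompts. Terminated staff on the
    public page is the intended use and is not flagged."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        who = roster.get(rec["user"], {"status": "unknown", "admin": False})
        reasons = []
        if rec["endpoint"] == "public" and who["status"] == "active":
            reasons.append("active employee used the no-MFA public page")
        if who["admin"] and rec["mfa"] < 2:
            reasons.append("admin session without both MFA prompts")
        if reasons:
            findings.append({"user": rec["user"], "ts": rec["ts"],
                             "src": rec["src"], "reasons": reasons})
    return findings
```

Run against the sample, it flags hr_admin (both reasons) and asmith, while bjones, a terminated employee, is the one public-page logon the design actually intended.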
Security doesn’t happen in a vacuum
A single cybersecurity tool — no matter how strong or well configured — cannot protect an entire network. Defense requires multiple tools working together, and breach context drives how these tools should be configured and deployed. If cybersecurity practices do not map tooling to attacker goals, intentions, or the sequence of compromise, then tools are working in isolation, not in concert. Strong security uses layered defenses and constantly searches for gaps and single points of failure.
Breach context requires understanding how a TA thinks. Breach context acknowledges that a savvy TA can do anything the IT team can do. Breach context considers future states, both of your own environment and of TA capabilities. What kept you safe yesterday may not keep you safe tomorrow.
Breach context is key to survivable backups
An organization’s capacity to recover from a cyberattack is far greater than its capacity to resist one. Implementing multiple immutable backup copies coupled with strong administrative identity controls and network segmentation to manage access to these tools is an easier task than securing the entirety of the network perimeter. Security programs that do not begin with guaranteed recovery are focused on the wrong threat.
To create a strong security program, start thinking like a TA. What does a TA want? Most TAs are in the ransomware business and want ransom money from their target before providing a decryption key to grant access to the hostage data. Backups become a target because clients with surviving backups will generally restore the data rather than pay a ransom, so TAs must destroy backup copies while encrypting production data. Understanding the motivations and targets of TAs dictates where to harden defenses. That is breach context in its simplest form.
Without breach context, backups can also become part of the security theater. The comfort that backups provide when recovering from human errors or environmental damage often vanishes in a ransomware attack, alongside the backup itself. Survivable backups mean immutable backups. In a breach scenario, backups that are not immutable will not survive.
Fenix24 statistics show that 84% of backups believed to be immutable do not survive a ransomware event, because even the definition of “immutable” varies from vendor to vendor. To be truly immutable, a backup cannot be deleted, encrypted, or altered in any way until the immutability retention timer expires. Again, breach context provides a guide to true immutability: if an admin (or multiple admins in tandem) can revoke immutability then the backup is not immutable. If the underlying storage target for the backups is not immutable then the backup is not immutable. If the vendor support team can delete backups then the backup is not immutable. TAs have leveraged all of these tactics to destroy backup data. Breach context raises awareness of these risks and potential mitigation actions.
The fear that keeps us safe
Without breach context, no amount of tooling is going to be sufficient to maintain operational resiliency in the face of an attack. Breach context removes the blinders and forces security teams to engage with threats as they are, not as they appear. Various industries are beginning to recognize their security deficiencies. For example, Fenix24’s new research involving the law firm industry (a favored target of threat actors) shows that security confidence is declining. Only 38% of law firms consider themselves “very secure,” down from 50% in 2023, while the percentage of firms that acknowledge known security gaps increased from 14% to 23% between 2023 and 2024.
Ironically, many of these organizations are likely to be more secure than they were a year ago. Breach context has shown them the gaps in their security and lowered their confidence in their ability to withstand a TA. But it has also increased their awareness and allowed them to focus their efforts where the work will be most impactful. Acknowledging risk and addressing it appropriately is a far better approach than adding new tools to the security stack without a careful understanding of what they are protecting and how they fit into the larger strategy.
A cybersecurity professional steeped in breach context can guide an organization through how attackers are adapting, what defenders are missing, and where user and admin behavior is introducing risk. Once an organization understands breach context it can begin to address the root causes of compromise.