Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Why the 'Why' of a Data Breach Matters

The motivations of an attacker help establish what protections to put into place to protect assets.

Joshua Goldfarb, Field CISO

May 8, 2023

4 Min Read
Photo of a scene of a construction worker repairing a wall while random guy walks through, all built of Lego bricks
Source: Lego story via Alamy Stock Photo

Enterprises must move quickly to address the needs of their customers and the demands of the market. That typically includes moving functionality to the digital channel at a fairly rapid pace. While this move gives customers what they want and allows a business to remain competitive, it also introduces cybersecurity risks — among them, an increased attack surface with potential for fraud, abuse, and breaches.

But rather than focus on how online applications can be compromised or abused (information abounds on that subject), I'd like to focus on the why. In other words, what are attackers after, and what are the ramifications of breaches when they occur?

Common Motives

In general, attackers have many different motives for their actions. While this is not an exhaustive list, motives include:

  • Damaging the brand or reputation of a business, including through inventory manipulation and causing downtime.

  • Profiting from misuse of the application and/or fraud.

  • Obtaining personally identifiable information (PII) information, often for the purpose of either selling it or using it for fraudulent purposes.

  • Moving laterally to other applications and/or resources.

  • Leveraging illicit access to legitimate business applications for onward social engineering purposes.

But regardless of the exact reason, businesses and their online applications face serious risk. It is just as important to protect online applications from attack as it is to deploy them to address customer and market needs. Sadly, however, protecting those applications sometimes take a back seat to deploying them, despite the possibility of serious financial and regulatory consequences.

How to Meet the Challenge

So what can businesses do to protect themselves and their applications from these and other threats? First and foremost, they need to build in security from the get-go, but that does not always happen, and sometimes oversights even introduce vulnerabilities. That's why adding protections in a layered approach around an application becomes just as important as building in security. Protections include:

Web application firewall. Web application firewalls have become an industry standard for protecting online applications. Like any part of a defense-in-depth strategy, they are not perfect protection for applications, but they are a highly effective part of an overall protection and risk mitigation strategy. They can defend against various types of attacks that might be launched against an online application.

DDoS protection. Bot networks abound, unfortunately. This makes it relatively easy for attackers to point a cacophony of requests at an online application in an attempt to bring it down. When a business ensures that it has adequate distributed denial-of-service (DDoS) protection (at Layers 3, 4, and 7), it can preemptively mitigate the risks of brand reputation damage, downtime, lost revenue, and other damages that result from these attacks.

Bot protection. In addition to the threat of a DDoS, bots are often weaponized for various purposes, including inventory manipulation, fraud (such as account takeover), and data theft. That raises infrastructure costs, takes resources away from legitimate customers, and skews application metrics. Sophisticated attackers know their way around many defenses, so having sophisticated bot protection in place becomes necessary to protect online applications from these risks.

Fraud mitigation. Fraudsters know how to make money at the expense of legitimate users. Being able to reliably detect and mitigate fraud in near real time without a huge number of false positives and without introducing unnecessary friction for legitimate customers has become a must-have for businesses looking to protect their online applications.

API discovery. In complex, hybrid environments, maintaining a proper inventory of all infrastructure is a constant challenge. There will always be certain assets that will be forgotten or otherwise fly under the radar. Having an API discovery solution in place to ensure that the business is aware of all assets and adequately protecting them is an important part of an online application protection strategy.

Telemetry. Collecting telemetry data at Layer 7 and also the user layer (sometimes referred to as Layer 8) is important as well. This gives businesses important insight into what is happening within the application and the way a user is behaving within the application. This telemetry data adds crucial context and insight that is necessary as part of continuous monitoring.

Continuous monitoring. No matter how good a business' defenses are, continuous monitoring to detect and respond to breaches is a must. Protective controls and defenses can and will be circumvented at some point — and when they are, the business will need to fall back on detective controls and defenses to adequately protect the online application.

When it comes to data breaches, attackers have different motives that highly influence what they are after, how they attack, and what they target. Simply put, the "why" of a data breach matters, particularly when it comes to the ramifications of a breach. By understanding these different motives and how to protect against breaches, businesses can make educated decisions around the types of protections that can be installed around online applications to reduce and mitigate the risk of a breach.

About the Author

Joshua Goldfarb

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights