01 CASE IDENTIFICATION
Case Name: Marriott/Starwood
Year: 2014-2018
Threat Actor: UNKNOWN (Suggested state‑sponsored hackers linked to the Chinese government– NOT CONFIRMED)
Attribution: UNKNOWN
Industry Target: Hospitality
Impact Scale: 500 million guest records estimated, revised to approximately 383 million guest records globally, with 131.5 million U.S. customers impacted.
================================================
02 EXECUTIVE SUMMARY
[Write 2-3 sentences only.
What happened. Who was hit. What was the impact.]
The initial intrusion into the Starwood network occurred in July 2014. However, Marriott did not discover the breach until September 8, 2018. The company publicly disclosed the incident on November 30, 2018, after confirming the scope of the data exfiltration. So, the bad guys were in the system for four years before anyone noticed. Marriott initially estimated that up to 500 million guests were affected. The company later revised this number down to approximately 383 million guests records globally.
03 INITIAL ACCESS
Access Method: Phishing (NOT CONFIRMED)
CVE (if any): N/A
MITRE Technique: [T1566 | Phishing]
Description:
[How exactly did the attacker gain their first foothold?
Be specific — tool, method, and target.]
there has been several suggested possibilities such as Compromised employee credentials, Spear-phishing or Exploitation of poorly secured remote administration services like RDP and outdated server however none of these has been publicly proven.
04 ATTACK TIMELINE
| Date / Time | Event |
|---|---|
| Jul 2014 (approx.) | Attackers gain unauthorized access to Starwood network. |
| 2014 | Remote Access Trojan (RAT) and persistence mechanisms |
| established inside Starwood environment. | |
| 2014–2015 | Credential theft and privilege escalation activities. |
| 2015–2016 | Lateral movement through internal Starwood systems. |
| 2016 | Marriott acquires Starwood; attackers remain undetected |
| in legacy Starwood environment. | |
| 2016–2018 | Ongoing access to Starwood guest reservation database; |
| periodic collection and exfiltration of guest records. | |
| 10 Sep 2018 | Internal security tool generates alert regarding an |
| attempt to access the Starwood guest reservation DB. | |
| 10–18 Sep 2018 | Incident response and forensic investigation begin. |
| 19 Nov 2018 | Marriott determines guest information was copied from |
| the reservation database. | |
| 30 Nov 2018 | Marriott publicly discloses the breach. |
| 10 Sep 2018 | Marriott security monitoring tools generated an alert concerning an attempt to access the Starwood guest reservation database. Marriott engaged forensic investigators, who subsequently uncovered evidence of long-term unauthorized access dating back to 2014. |
================================================
05 TOOLS USED
| Category | Tool / Malware Name | Purpose |
|---|---|---|
| Custom Malware | three different Remote Access Trojan | Persistence, remote |
| (name not publicly known) command execution | ||
| LOTL Tool | Citrix remote-access applications | Legitimate remote-access channel leveraged with stolen admin credentials for lateral movement |
| LOTL Tool | Open-source VPN | remotely access the Starwood network with their own computer |
| Remote Tool | Remote Access Trojan (RAT) | establish and maintain long‑term access to the |
| compromised network |
Credential Tool | Mimikatz | credential‑stealing tool deployed to extract passwords and other credentials from memory, allowing privilege escalation and lateral movement within the network .
Exfil Tool |Custom or unknown (Not Publicly Disclosed)| Copying and encrypting millions of records, then removing them to evade detection
================================================
06 IOCs IDENTIFIED
[DEFANG ALL IOCs: replace . with [.] and http with hxxp]
| Type | Value (Defanged) | Source |
|---|---|---|
| Domain | Not Publicly Disclosed | |
| Domain | Not Publicly Disclosed | |
| IP Address | Not Publicly Disclosed | |
| IP Address | Not Publicly Disclosed | |
| URL | Not Publicly Disclosed | |
| File Hash SHA256 | Not Publicly Disclosed | |
| File Hash SHA256 | Not Publicly Disclosed | |
| File Hash MD5 | Not Publicly Disclosed | |
| Not Publicly Disclosed | ||
| Other | three different Remote Access Trojan, Mimikatz, VPN | https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-005/ |
================================================
07 MITRE ATT&CK MAPPING
[Every entry MUST have evidence from your research]
| Tactic | ID | Technique Name | Evidence |
|---|---|---|---|
| Initial Access | UNKNOWN | Unknown Entry Vector | Public investigations do not confirm how attackers initially gained access to Starwood systems. |
Execution | T1059 | Command and Scripting Interpreter | Attackers executed tools and malware (including RAT activity) on compromised systems.
Persistence | T1219 | Remote Access Software | Multiple Remote Access
Trojans were used to maintain long-term access.
Privilege Esc | T1078 | Valid Accounts | Stolen administrator credentials were used for system access and escalation.
Defense Evasion | T1070 | Indicator Removal | Attackers remained undetected for ~4 years, indicating effective evasion of monitoring/logging controls.
Credential Access | T1003.001 | OS Credential Dumping: LSASS | Mimikatz was used to extract credentials from memory.
Discovery | T1087 | Account Discovery | Privileged accounts were identified and used during internal movement.
Lateral Movement | T1021 | Remote Services | Citrix and VPN access were used with stolen credentials to move across systems.
Collection | T1213 | Data from Information Repositories | Guest reservation databases were accessed and copied over time.
C2 | T1219 | Remote Access Software | RATs provided remote command-and-control capability.
Exfiltration | T1041 | Exfiltration Over C2 Channel | Data was removed from the environment via attacker-controlled channels (exact method not publicly disclosed).
Impact | T1531 | Data Exposure | ~383 million guest records were exposed.
================================================
08 WHAT WENT WRONG
Primary Failure: [ No MFA / No Detection]
Explanation:
[What specifically failed and why?
Could it have been prevented?
How?]
The breach started in Starwood’s environment, and Marriott failed to fully detect and fix existing security weaknesses after acquisition, allowing the attacker to remain inside the system for years.
It could have been prevented if Marriot/Starwood had Implemented Multi-Factor Authentication (MFA): Make it harder for attackers to use stolen credentials. Seriously, turn it on everywhere. Conduct Rigorous M&A Security Audits: Before you sign on the dotted line, perform a deep-dive cybersecurity assessment of the company you’re acquiring. Maintain Network Visibility: Use tools like a Security Information and Event Management (SIEM) system to monitor for suspicious activity across your entire network. Patch, Patch, Patch: Keep all systems and software up to date to close known vulnerabilities before attackers can exploit them. Embrace Managed Detection and Response (MDR): Having a 24/7 team of security experts watching your back is one of the best ways to catch threats before they become catastrophes.
================================================
09 DETECTION GAPS
Detection Missing: [The security tool that was absent or dismissed in the Marriott 2018 breach was adequate monitoring of privileged accounts and databases — specifically, the lack of robust, continuous monitoring that could have detected the attackers’ long‑term presence. Insufficient monitoring of privileged accounts – No effective controls to detect or block unauthorized access to high‑privilege systems.
Insufficient monitoring of databases – No real‑time or near‑real‑time monitoring to catch unusual or malicious database queries.
Poor controls for critical systems – Critical infrastructure was not protected with sufficient access restrictions or anomaly detection.
Insufficient encryption – Sensitive data was not adequately encrypted, making exfiltration easier.]
Dwell Time: [4 years, 2014-1018]
Discovered By: [The Marriott data breach was discovered on September 8, 2018, when an internal security tool flagged a suspicious attempt to access the Starwood Hotels & Resorts guest reservation database]
Missed Control: [Incomplete deployment of Security Information and Event Management (SIEM) across Starwood systems, Multi-Factor Authentication (MFA) not fully enforced, insufficient logging coverage and monitoring of privileged accounts]
================================================
10 LESSONS FOR MANYTEK
Lesson 1:
[Specific action ManyTek should implement — tied to a failure in this case]
Mitigates: A thorough cybersecurity assessment must be part of any merger or acquisition.
Lesson 2:
[Specific action ManyTek should implement — tied to a failure in this case]
Mitigates: Enforce MFA everywhere (no exceptions)and Continuously audit MFA enforcement (not just setup)
Lesson 3:
[Specific action ManyTek should implement — tied to a failure in this case]
Mitigates: Fully integrate all systems into SIEM Ensure SOC receives logs from: servers, databases, endpoints, Monitor logs in real time with alerting enabled.
================================================
11 DEFENDER / SENTINEL HUNT QUERY
Platform: [Microsoft Defender/ Microsoft Sentinel]
Primary TTP Hunted: [T####.### | Technique Name]
KQL Query:
[Must be specific to your case TTP]
[Must be runnable in Defender or Sentinel]
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where
(
FileName in~ (“procdump.exe”,”procdump64.exe”,”mimikatz.exe”,”sqldumper.exe”)
or ProcessCommandLine has_any (“sekurlsa”,”lsadump”,”logonpasswords”,”-ma lsass”,”comsvcs.dll”)
)
Query Results:
[What did the query return?
- No results found in the specified time frame]
Analyst Note:
[What does this result mean for ManyTek detection coverage?
Are we currently detecting this TTP?]
It means that KQL query ran successfully, but nothing in manytek data matched the filters for the selected time range. we are not detecting this TTP.
12 VERDICT — COULD THIS HAPPEN TO MANYTEK?
Verdict: [PARTIALLY — Some controls exist]
Confidence: [Medium ]
Reasoning:
[Why did you reach this verdict?
What controls currently exist at ManyTek?
What is missing?
What is the current risk level specifically to ManyTek?]
I reached this verdict because Manytek do have security controls such as monitoring, endpoint protection, and security alert are in place which lowers the risk of long-term compromise like Marriot/Starwood happening to Manytek. however, gaps may still exist in MFA enforcement, SIEM coverage, privileged account monitoring which is why its important to consistently implement and monitor these controls.
Exposure Assessment:
| Risk Area | Current Control | Level |
|---|---|---|
| SIEM & Logging | Monitoring in place | Med |
| MFA Enforcement | enabled | Low |
| Endpoint Protection | Microsoft Defender deployed | Low |
================================================
ANALYST SIGN-OFF
Analyst Name: Dolma Tamang
Team: Ironclad
Case: Marriott/Starwood (2014-2018)
Date Completed:06/23/2026