THE PROBLEM
- Small team of analysts
- Manual phishing analysis
- Looking for ways to automate
THE IMPACT
- Time-consuming process
- Delays in notifying users
- No time for strategic tasks
THE SOLUTION
- Automated detonation
- Less time spent on analysis
- Focus on improving defenses
“With a small team, our processes were time-consuming and ineffective.
With VMRay’s auto-forwarding feature, the time our analysts needed is nearly halved, which saves us precious time to focus on our strategic tasks on improving our defenses.”
CISO
With 75% of organizations in the US experiencing a successful phishing attack in 2020 – and 96% of those threats arriving by email – the client’s CISO has made it a priority to strengthen anti-phishing protections.
Our customer is a U.S.-based company dedicated to creating innovative fitness solutions that benefit facilities and health-conscious consumers.
The CISO of our client is responsible for keeping the company’s security systems in fighting form with a small staff. As with many organizations, phishing is the top attack vector for the customer. Only 7% to 15% of incoming email is considered clean.
The company’s core phishing defense platforms detect and stop a high percentage of tainted emails and related malware and malicious links. But where detection results are inconclusive, a small percentage of suspect messages get through.
“When that happens — whether we see it ourselves or it’s reported by an end-user — we need to determine, with a high level of confidence, whether the email is malicious or not,” he says. “VMRay is our source of truth for that.”
What Auto-Detonation Looks Like
In June 2019, to supplement the company’s existing defenses, his team deployed VMRay’s cloud-based email threat detection solution. Previously, they had used an on-premises sandbox lab to manually detonate and analyze each message that was submitted. “The process was time-consuming and ineffective, and it caused delays in notifying users about whether a message was safe or not,” he says. “What VMRay provides us is detonation-as-a-service.”
While 70% of the company’s security workload is handled by a managed services provider, he has kept responsibility for phishing analysis in-house, with the workload split between him and his analyst. They set up auto-forwarding from the existing phishing mailbox to the VMRay environment, which automatically detonates each email to detect indicators of compromise (IOCs).
- VMRay looks at sender information and the originating IP and mail server.
- For attachments and links that reach out to external sites, VMRay determines whether the sites are malicious.
- The system generates an analysis report, which includes screenshots of potentially harmful activity.
- An analyst can quickly scan through a batch of reports to determine if any follow-up action is required.
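The first-pass checks listed above (sender, originating IP and mail server, links, attachments) are the kind of triage an analyst would otherwise do by hand. The following is an added illustration, not VMRay's code or the customer's workflow: it parses a constructed sample message with Python's standard `email` library and pulls out those fields into a summary that a batch review could scan. Every hostname, address and IP in the sample is invented.

```python
import json
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message for illustration only; every host, address and IP is invented.
SAMPLE_EMAIL = b"""Received: from mx.example-corp.test (mx.example-corp.test [10.0.0.5])
\tby mail.example-corp.test with ESMTP id abc123; Mon, 1 Jun 2020 09:00:00 +0000
Received: from relay.example.invalid (unknown [203.0.113.77])
\tby mx.example-corp.test with SMTP; Mon, 1 Jun 2020 08:59:58 +0000
From: "IT Helpdesk" <helpdesk@example.invalid>
To: alice@example-corp.test
Subject: Action required: reset your password
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it here: http://reset.example.invalid/login
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_message(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage (policy.default gives structured headers)."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def first_hop(msg):
    """Return (host, ip) of the server that first handed the message in.

    Received headers are prepended by each relay, so the last one in the
    message is the earliest hop; only hops added by our own servers are trustworthy,
    which is why the bottom-most header, written by our own MX, is the one used here.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None, None
    hop = str(received[-1])
    host = re.search(r"from\s+(\S+)", hop)
    ip = IP_RE.search(hop)
    return (host.group(1) if host else None, ip.group(1) if ip else None)


def extract_urls(msg):
    """Collect every http(s) URL from the text parts of the message."""
    urls = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        urls.update(URL_RE.findall(part.get_content()))
    return sorted(urls)


def attachments(msg):
    """File names of all attachment parts (the candidate 'body' parts are skipped)."""
    return [part.get_filename() for part in msg.iter_attachments()]


def sender(msg):
    """The envelope-style address in From:, ignoring the display name."""
    return msg["From"].addresses[0].addr_spec


def triage(raw: bytes) -> dict:
    """One-line-per-field summary an analyst can scan in a batch of reports."""
    msg = parse_message(raw)
    host, ip = first_hop(msg)
    addr = sender(msg)
    return {
        "sender": addr,
        "sender_domain": addr.rsplit("@", 1)[-1],
        "first_hop_host": host,
        "first_hop_ip": ip,
        "subject": str(msg["Subject"]),
        "urls": extract_urls(msg),
        "attachments": attachments(msg),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EMAIL), indent=2))
```

The summary is deliberately limited to what can be read off the message itself; whether the extracted URLs and attachments are malicious is the question the detonation step answers, which this static pass cannot.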
He cites the example of a credentials-harvesting scheme that tells email recipients they need to reset their password — and then sends them to a page with illicit credential prompts. “Not only does VMRay detect where that link goes, but the screenshots help analysts determine at a glance if the credentials page is safe.”
Not stopped by the Hop-Hop-Hop
Adversaries eventually catch on to the evolving techniques used in phishing analysis, and they develop countermeasures to evade detection. A common technique is to create an attachment with an embedded link that redirects the user to a final, malicious destination that is 3 or 4 hops away. “Often, the first 2 or 3 links are harmless,” he says. “Some tools don’t dive in enough. They’ll only go to the first or second hop and then say, ‘It’s clean.’ VMRay follows those redirections all the way to the end so malicious activity can be identified and mitigated.”
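The difference between a tool that stops at the second hop and one that follows the chain to the end can be made concrete. The following is an added example and not VMRay's implementation: a small tracer that follows HTTP redirects and HTML meta-refresh redirects until a page that goes nowhere further, recording every hop. The fetch function is injected so the example runs offline against a constructed redirect table (all hostnames invented); a real run would substitute a function that performs the HTTP request.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}
META_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']refresh["\'][^>]+content=["\'][^"\']*?url=([^"\'>\s]+)',
    re.I,
)

# Constructed stand-in for the live web: url -> (status, Location header, body).
# All hostnames are invented; the chain is three redirects deep before the landing page.
FAKE_WEB = {
    "https://docs.example.invalid/view?id=1": (302, "https://cdn.example.invalid/r/abc", ""),
    "https://cdn.example.invalid/r/abc": (301, "/go/xyz", ""),  # relative Location
    "https://cdn.example.invalid/go/xyz": (
        200,
        None,
        '<html><meta http-equiv="refresh" content="0; url=https://login-reset.example.invalid/auth"></html>',
    ),
    "https://login-reset.example.invalid/auth": (200, None, "<html><form>Enter your password</form></html>"),
}

Fetch = Callable[[str], Tuple[int, Optional[str], str]]


def fake_fetch(url: str) -> Tuple[int, Optional[str], str]:
    """Offline fetcher used in place of a real HTTP client."""
    return FAKE_WEB.get(url, (404, None, ""))


@dataclass
class Trace:
    final: str                      # last URL reached
    chain: List[str] = field(default_factory=list)
    status: Optional[int] = None    # status of the final URL, None if budget ran out
    truncated: bool = False         # True when max_hops stopped us short of the landing page


def next_hop(url: str, status: int, location: Optional[str], body: str) -> Optional[str]:
    """Resolve the next URL from an HTTP redirect or an HTML meta refresh, else None."""
    if status in REDIRECT_CODES and location:
        return urljoin(url, location)
    if status == 200 and body:
        m = META_RE.search(body)
        if m:
            return urljoin(url, m.group(1))
    return None


def follow_redirects(url: str, fetch: Fetch, max_hops: int = 10) -> Trace:
    """Follow the redirect chain from url until it ends, loops, or max_hops is spent."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location, body = fetch(url)
        nxt = next_hop(url, status, location, body)
        if nxt is None:
            return Trace(final=url, chain=chain, status=status)
        if nxt in seen:  # redirect loop: stop rather than spin
            return Trace(final=url, chain=chain, status=status)
        seen.add(nxt)
        chain.append(nxt)
        url = nxt
    # Hop budget exhausted: whatever we have is NOT the true landing page.
    return Trace(final=url, chain=chain, status=None, truncated=True)


if __name__ == "__main__":
    start = "https://docs.example.invalid/view?id=1"
    for budget in (2, 10):
        t = follow_redirects(start, fake_fetch, max_hops=budget)
        print(f"max_hops={budget}: truncated={t.truncated} final={t.final}")
        for i, hop in enumerate(t.chain):
            print(f"  hop {i}: {hop}")
```

With a two-hop budget the tracer ends on a harmless-looking CDN path and flags the trace as truncated; with a larger budget it reaches the credential prompt page. A verdict built on a truncated trace is the "it's clean" result the quote warns about, which is why the `truncated` flag is carried in the result rather than silently returning the last URL seen.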
When VMRay determines an email is malicious, that information can be used to identify other users who have received the same message. A company-wide block can then be put in place so they’re not affected. “If 50 people are at risk, catching that one message spares the other 49 from a potential credential harvesting threat.”
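Turning one confirmed-malicious message into a list of every other recipient is a correlation job over the mail gateway's logs. The following is an added example and not the customer's or VMRay's tooling: it fingerprints a message by sender domain and normalized subject (prefixes such as RE:/FW: and extra whitespace removed) and searches a constructed, invented log for other deliveries with the same fingerprint. The log format, field names and addresses are assumptions made for the example.

```python
import hashlib
import re
from typing import Iterable, List

# Constructed mail gateway log lines (format, addresses and subjects are invented).
SAMPLE_LOG = [
    '2020-06-01T08:59:58Z from=helpdesk@example.invalid to=alice@example-corp.test subject="Action required: reset your password"',
    '2020-06-01T09:00:03Z from=helpdesk@example.invalid to=Bob@example-corp.test subject="Action required: reset your password"',
    '2020-06-01T09:00:05Z from=noreply@example.invalid to=carol@example-corp.test subject="RE: Action  required: reset your password"',
    '2020-06-01T09:01:10Z from=it-support@example-corp.test to=dave@example-corp.test subject="Action required: reset your password"',
    '2020-06-01T09:02:00Z from=helpdesk@example.invalid to=erin@example-corp.test subject="Your invoice is attached"',
]

LOG_RE = re.compile(r'from=(?P<from>\S+)\s+to=(?P<to>\S+)\s+subject="(?P<subject>[^"]*)"')
PREFIX_RE = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.I)


def normalize_subject(subject: str) -> str:
    """Strip reply/forward prefixes, lower-case, collapse whitespace."""
    return " ".join(PREFIX_RE.sub("", subject).lower().split())


def fingerprint(sender: str, subject: str) -> str:
    """Stable key for 'the same campaign message': sender domain + normalized subject.

    The local part is ignored on purpose, since phishing senders rotate it
    while keeping the domain; the internal helpdesk's genuine notice with the
    same subject has a different domain and therefore a different key.
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    key = f"{domain}|{normalize_subject(subject)}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def find_recipients(log_lines: Iterable[str], sender: str, subject: str) -> List[str]:
    """All recipients of messages matching the confirmed-malicious fingerprint."""
    target = fingerprint(sender, subject)
    hits = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and fingerprint(m["from"], m["subject"]) == target:
            hits.add(m["to"].lower())
    return sorted(hits)


def other_recipients(log_lines: Iterable[str], sender: str, subject: str, reporter: str) -> List[str]:
    """Recipients still to be warned or blocked, excluding the user who reported it."""
    return [r for r in find_recipients(log_lines, sender, subject) if r != reporter.lower()]


if __name__ == "__main__":
    confirmed_sender = "helpdesk@example.invalid"
    confirmed_subject = "Action required: reset your password"
    print("all recipients:", find_recipients(SAMPLE_LOG, confirmed_sender, confirmed_subject))
    print("still at risk:", other_recipients(SAMPLE_LOG, confirmed_sender, confirmed_subject, "alice@example-corp.test"))
```

The matching is intentionally looser than an exact Message-ID match, so that variants of the same lure (different sender local part, reply prefix, stray whitespace) are caught, while the internal helpdesk's genuine notice with the same subject line is left alone because it comes from a different domain.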
EDR False Positives: Trust but Verify
Beyond phishing protections, he and his team use VMRay to vet likely false positives (FPs) generated by Endpoint Detection and Response (EDR) systems, which are notorious for being over-sensitive.
“We’ll see files that EDR says are malicious and should be blocked. But when we look at the surface information, they sometimes appear to be benign,” he says. Macro-enabled files and PowerShell scripts are especially challenging because they’re used by adversaries and legitimate programs alike.
He explains, “If you get an ambiguous result for a PowerShell script — and you assume it’s malicious and block it — you’re going to stop the business. On the other hand, if you treat those scripts as if they’re benign and allow them through, that also puts you at risk.” In those cases, VMRay acts as a safety net by taking the extra step of detonating the sample.
The analysis results help staff members decide whether to manually waive an EDR block that was triggered by the FP or to harden their defenses by keeping the block in place. “It’s a trust-but-verify exercise,” he says.
Savings and Efficiencies
Previously, his analyst had been spending four hours a day on phishing analysis using the on-premises sandbox. “With VMRay, he has carved out a daily time saving of 1 to 2 hours. That freed him to focus on bigger things like making sure our businesses are being supported, managing risk, and tuning our phishing defenses to catch new threats,” he said. The changeover to VMRay also eliminated the cost and effort of maintaining the on-premises sandbox.
“We’re always looking for ways to automate and orchestrate our threat response by removing human touch from the equation,” he says. “When VMRay brings out enhancements that make sense for our security program, we’ll integrate them into our workflow.”