How VMRay Helps a Manufacturing Giant in
the Fight Against Phishing Attacks
With 75% of organizations in the US experiencing a successful phishing attack in 2020 – and 96% of those threats arriving by email – the client’s CISO has made it a priority to strengthen anti-phishing protections.
Our customer, a U.S.-based company dedicated to creating innovative fitness solutions that benefit facilities and health conscious consumers.
The CISO of our client is responsible for keeping the company’s security systems in fighting form with a small staff. As with many organizations, phishing is the top attack vector for the customer. Only 7% to 15% of incoming email is considered clean.
The company’s core phishing defense platforms detect and stop a high percentage of tainted emails and related malware and malicious links. But where detection results are inconclusive, a small percentage of suspect messages get through.
“When that happens — whether we see it ourselves or it’s reported by an end-user — we need to determine, with a high level of confidence, whether the email is malicious or not,” he says. “VMRay is our source of truth for that.”
Not stopped by the Hop-Hop-Hop
Adversaries eventually catch on to the evolving techniques used in phishing analysis, and they develop countermeasures to evade detection. A common technique is to create an attachment with an embedded link that redirects the user to a final, malicious destination that is 3 or 4 hops away. “Often, the first 2 or 3 links are harmless,” he says. “Some tools don’t dive in enough. They’ll only go to the first or second hop and then say, ‘It’s clean.’ VMRay follows those redirections all the way to the end so malicious activity can be identified and mitigated.
When VMRay determines an email is malicious, that information can be used to identify other users who have received the same message. A company-wide block can then be put in place so they’re not affected. “If 50 people are at risk, catching that one message spares the other 49 from a potential credential harvesting threat.
EDR False Positives: Trust but Verify
Beyond phishing protections, he and his team use VMRay to vet likely false positives (FPs) generated by Endpoint Detection and Response (EDR) systems, which are notorious for being over-sensitive.
We’ll see files that EDR says are malicious and should be blocked. But when we look at the surface information, they sometimes appear to be benign,” he says. Macro-enabled files and Powershell scripts are especially challenging because they’re used by adversaries and legitimate programs alike.
We’ll see files that EDR says are malicious and should be blocked. But when we look at the surface information, they sometimes appear to be benign,” he says. Macro-enabled files and Powershell scripts are especially challenging because they’re used by adversaries and legitimate programs alike.
He explains, “If you get an ambiguous result for a Powershell script — and you assume it’s malicious and block it — you’re going to stop the business. On the other hand, if you treat those scripts as if they’re benign and allow them through, that also puts you at risk.” In those cases, VMRay acts as a safety net by taking the extra step of detonating the sample.
The analysis results help staff members decide whether to manually waive an EDR block that was triggered by the FP or to harden their defenses by keeping the block in place. “It’s a trust-but-verify exercise,” he says.
Savings and Efficiencies
Previously, his analyst had been spending four hours a day on phishing analysis using the on-premises sandbox. “With VMRay, he has carved out a daily time saving of 1 to 2 hours. That freed him to focus on bigger things like making sure our businesses are being supported, managing risk, and tuning our phishing defenses to catch new threats” he said. The changeover to VMRay also eliminated the cost and effort of maintaining the on-premises sandbox.
We’re always looking for ways to automate and orchestrate our threat response by removing human touch from the equation,” he says. “When VMRay brings out enhancements that make sense for our security program, we’ll integrate them into our workflow.
