Customer Story

Precision, Clarity, and Efficiency: How Expel Uses VMRay Against Malware and Phishing

Discover how Expel, a global leader in IDC’s Marketspace for Managed Detection and Response (MDR) improves economy of service with VMRay.

Customer Overview: a leader in Managed Detection & Response

Meet Expel, a global leader in IDC’s Marketspace for Managed Detection and Response (MDR). Their aim is to set the standard for transparent managed security, merging cutting-edge technology platforms with a fully equipped Security Operations Center (SOC).

Their harness security signals from their customers’ existing investments, providing comprehensive alert management and investigation capabilities around the clock.

“We took a look at a number of different sandboxes and chose VMRay for a number of reasons. -one of them in particular was that it gave us the best interface for analysts to use in terms of simplicity but the information they surfaced was exactly what we needed to keep our analysts moving quickly through the investigative process.”

 

Matt Peters, Chief Product Officer -former-

In the Trenches: Expel’s Choice for Clarity in Threat Analysis

At Expel, our focus is on allocating resources where we excel and seeking partnerships where we need additional support. In our quest for an effective sandbox solution, we evaluated various options and chose VMRay for several compelling reasons. One standout feature was its user-friendly interface, ensuring simplicity for our analysts while delivering precisely the information we needed to expedite our investigative processes. One of the things that we’ve learned over the years is that it’s actually not hard for the analyst to get started with an analysis, it’s hard to get them to stop. VMRay addressed this concern admirably by providing clear and concise answers, allowing our analysts to swiftly determine the presence of threats without delving into unnecessary complexities. Unlike other products that inundate users with extensive and often irrelevant information, VMRay’s approach empowers our analysts to focus on the next set of alerts instead of navigating through convoluted data screens. VMRay has become our trusted solution, offering a secure environment for handling potentially malicious content, conducting controlled detonations, and extracting the answers we need efficiently. VMRay’s robust platform not only delves deep into the intricate activities of potential threats but also resurfaces with clear, understandable, and, more importantly, directly actionable insights. The platform’s ability to provide comprehensive analysis without overwhelming analysts with unnecessary details sets it apart. Expel benefits from the balance between in-depth analysis and clear, actionable outcomes to empower their teams to make informed decisions swiftly.

Efficiency Unleashed: How VMRay’s Automated Analysis Empowers Expel’s Intrusion Investigations

Any little piece of evidence that we can pull is important for us to put the puzzle together. Our focus is on delivering answers, not just alerts, and weaving together a comprehensive narrative for our clients. VMRay’s automated analysis has proven to be a valuable time-saving asset in this pursuit. Normally, setting up dynamic analyses can be challenging and time-consuming, with considerations for virtual machines, tool updates, and corporate security compliance. VMRay simplifies this process, allowing us to quickly throw a sample into the system, specify VM parameters, network configurations, and software setups within minutes. This efficiency enables us to provide our clients with expedited answers, especially in investigations where identifying attacker Tactics, Techniques, and Procedures (TTPs), such as network call backs and file interactions, is crucial. By swiftly uncovering these details, we enhance our ability to thwart intrusions before they reach their goals.

“Our goal here at Expel is answers, not alerts. We’re trying to pull the pieces of the puzzle together and be able to give the full story of an intrusion or attacker activity in the client’s system.

So, VMRay and its automated analysis has become an efficient time saver for us.”

 

Tyler Fornes, Principal Security Solutions Architect

In the realm of cybersecurity analysis, the quest for a trifecta—accuracy, depth, and speed—is often elusive. Many solutions force a trade-off, sacrificing one element for the sake of the others. Some provide swift analyses, but at the cost of accuracy or depth. Others, in pursuit of precision and depth, extend the duration of the analysis.

VMRay stands out by breaking this paradigm. It successfully unites accuracy, depth, and speed, offering security teams the rare advantage of comprehensive, precise, and time-efficient threat analyses. With VMRay, security professionals can navigate the intricate landscape of cyber threats without compromise.

Evasion-Proof Cyber Resilience: Expel’s Approach to Proactive Defense with VMRay’s Precision Analysis

“Typically, in the past, we might have had to wait hours or even days for L2 or L3 teams to investigate such an attack but with VMRay I can have that done in less than 15 minutes.”

 

Tyler Fornes, Principal Security Solutions Architect

In essence, our primary goal is to pinpoint and delineate malicious activity, preventing attackers from spreading through lateral movement and other techniques. We aim not only to halt the immediate attack but also to fortify our clients against future threats. One of the things my team needs to do is to properly sketch a comprehensive process tree, illustrating the actions taken by a sample on a host machine. This analysis unveils the story the malware tells—whether it’s dropping additional executables, attempting lateral movement, or engaging in other malicious activities. Understanding the malware’s capabilities is crucial. In the past, I faced challenges with highly customizable processes such as specifying a particular Microsoft Office product or version of Adobe Acrobat posed difficulties. VMRay, however, facilitates easy customization, providing precise answers to these nuanced queries. Moreover, dealing with sophisticated malware armed with anti-sandboxing techniques was a recurring struggle. VMRay’s remarkable evasion resistance addresses this issue, allowing me to run the malware confidently without manual intervention, saving considerable time and streamlining the reverse engineering process.

VMRay in Action: How Expel uses VMRay against the toughest malware and phishing threats

  1. Tyler utilizes VMRay for Word phishing document analysis with a malicious macro.
  2. VMRay swiftly determines the document’s verdict as “Malicious” and classifies it as Trojan, Dropper, Keylogger, and Downloader.
  3. The Monitored Processes view flags suspicious activity, revealing a classic kill chain involving winword.exe, cmd.exe, and powershell.exe.
  4. Dynamic Analysis screenshots expose the user interaction, showcasing the activation of the malicious macro through an “Enable Content” click.
  5. Tyler delves into file and macro details, along with network connections, for a comprehensive examination.
  6. VMRay Reports’ Network and YARA tabs provide crucial evidence and intelligence for Expel’s response formulation.

How Expel uses VMRay against phishing threats:

“The most important capability in our investigative toolkit is VMRay.

Whether it’s investigating a suspicious link that redirects to a credential harvester or a suspicious Microsoft Word document that may contain malicious macros – VMRay allows us to detonate these samples safely and generate a detailed report of the resulting activity.

Armed with this information, we provide detailed, thorough recommendations to our customers.”

 

Ray Pugh – Director, Security Operations

Expel’s phishing service combines automated triage with meticulous manual analysis of reported emails, integrating seamlessly with endpoint detection and response (EDR) tools for a comprehensive security approach. VMRay’s integration enables simultaneous analysis of multiple samples, empowering analysts to deliver timely responses critical in the time-sensitive cybersecurity landscape.

VMRay’s unique approach to sandbox-evading malware involves a realistic simulation of a user endpoint, ensuring effective analysis of even the most sophisticated threats. The Expel Workbench streamlines this process, facilitating automated querying and enabling swift pivoting into the console for deeper investigations.

This integrated workflow allows Expel to efficiently scope environments for potential compromise, providing a targeted remediation response. In instances of active compromise, Expel engages customers promptly, collaborating until resolution. This streamlined approach, supported by VMRay’s capabilities, underscores Expel’s commitment to delivering effective and timely cybersecurity solutions.

For further details, you can read Expel’s blog post about how they use VMRay: https://expel.com/blog/how-we-use-vmray-to-support-expel-for-phishing/

Table of Contents

The most important capability in our investigative toolkit is VMRay.

Whether it’s investigating a suspicious link that redirects to a credential harvester or a suspicious Microsoft Word document that may contain malicious macros – VMRay allows us to detonate these samples safely and generate a detailed report of the resulting activity.

Armed with this information, we provide detailed, thorough recommendations to our customers.

Ray Pugh – Director, Security Operations

Explore valuable Cybersecurity Resources

Cybersecurity Blog

Check our latest insights on malware, phishing, sandboxing, AI in cybersecurity, and much more.

VMRay Academy

Browse the courses about alert handling, deep threat analysis and response, threat intelligence generation and more.

Malware Analysis Reports

See real-world examples of VMRay’s best-in-class malware analysis and detection platform.