How VMRay Improves Phishing Detection & Speeds Up EDR Alert Validation

Case Study - How VMRay Improves Phishing Detection & EDR Alert Validation

The Customer

An engineering and manufacturing conglomerate with 15,000 employees and 180 locations worldwide and $3.5 billion in 2020 revenues.

The Challenge

In the face of increasingly complex attack methods and flawed sandboxing tools, enhance safeguards for an IT infrastructure that is constantly evolving through corporate acquisitions.

Solution Focus

Deploy VMRay sandboxing worldwide to improve phishing detection and vet inconclusive EDR detection results.

Completely frustrated with the other available options, this global manufacturing company embraced VMRay sandboxing

With a focus on sustainable innovation, this global conglomerate serves diverse sectors of the economy, including oil and gas, electrical power, water systems, and the chemtech industry. Over the last decade, acquisitions have played a major role in company growth, a fact that contributes to the complexity of information security challenges.

Stepping back to look at the big picture

“In 2019, one of our team members spent several months evaluating the most advanced attacks the company was experiencing,” says James, the InfoSec team’s subject matter expert (SME) for detection and response in the Americas. “We also examined the flaws and bottlenecks in our existing sandbox solution and EDR system.”

Clearly, adversaries were growing more adept at building complex attacks to evade detection, and the team’s security tools weren’t keeping up. “We were completely frustrated with the options available, and that led us to deploy VMRay in 2020.”

On the attack side, adversary techniques included varied forms of obfuscation, compound samples, and multi-step attacks that relied on the user’s interactions to navigate rather than automated redirects, which would be picked up by security solutions.

“They were missing the boat.”

“We determined that our external sandbox solution was very good at spotting some key elements of such attacks. But more widely, they were missing the boat.” For instance, a typical multi-step attack might conceal its presence by taking the user to a benign link, then a semi-benign page, and then to an external server. “Automated tools will always check Step 1 and maybe Step 2,” says James. “But they don’t alert you to Step 3. In that scenario, conventional sandboxing inspection is broken.”

To make matters worse, there was sometimes a 45-minute delay just to run a sample. “And it didn’t come close to measuring what we needed to make a definitive statement about the potential threat. As soon as we switched to VMRay, we were able to consistently analyze samples more thoroughly and in a timely fashion,” he says.

Eliminating delays related to inconclusive EDR results

There were similar bottlenecks with the company’s EDR vendor. “In cases where our analysts were investigating EDR alerts and requesting access to the relevant files, it was taking them way too long to respond. In some cases, they never got back to us. VMRay’s API gave us a nice, clean way to solve that problem.”

At James’s request, the vendor worked with VMRay to create an API connector that automates the process of pulling back the requested file packages and submitting them directly to the VMRay sandbox. This eliminated delays that were preventing analysts from immediately examining suspect files to determine if action was required.

Combining granularity with interactivity

James cites the granularity of VMRay’s logging as a major strength. “Combining that with VMRay’s interactivity makes it much easier for us to do our jobs. When we run phishing links through the sandbox, we see VMRay picking up very sophisticated Trojan scripts, exploitation scripts and compound samples other solutions miss. With an interactive remote session we can go play with it, click on everything the way users do, and see how it behaves. As an analyst, my reaction is often, ‘Wow, that was nice. That would have taken me a while to figure out.’”

Example: Manually interacting with fake prompts within VMRay

Safely digesting acquisitions

Beyond these benefits, VMRay facilitates the process of safely integrating acquisitions. “You never know what kinds of alerts and incidents you’re going to see coming in from a new organization. During the integration period, we require companies to cut over to our standardized equipment, security tools and methods. But if there’s something we need to deal with immediately, we’ll put our tools on their old infrastructure, and lead an investigation there. So they immediately gain the added protections VMRay provides.”

Summarizing his expectations for a sandboxing solution, James says, “You’ve got to be fast. You’ve got to be interactive, and you have to give me the detailed data I need so I can be fast and push new information back out to the security community. VMRay allows us to do all those things much more efficiently than we ever could before.”
