“With a small team, our processes were time-consuming and ineffective.
With VMRay‘s auto-forwarding feature, the time our analysts needed is nearly halved, which saves us precious time to focus on our strategic tasks on improving our defenses.”
CISO & Senior Director | Life Fitness
With 75% of organizations in the US experiencing a successful phishing attack in 2020 – and 96% of those threats arriving by email – CISO Brad Marr has made it a priority to strengthen anti-phishing protections.
Life Fitness, a U.S.-based company dedicated to creating innovative fitness solutions that benefit facilities and health conscious consumers.
As Senior Director and CISO at Life Fitness, Brad Marr is responsible for keeping the company’s security systems in fighting form with a small staff. As with many organizations, phishing is the top attack vector for Life Fitness. Only 7% to 15% of incoming email is considered clean.
The company’s core phishing defense platforms detect and stop a high percentage of tainted emails and related malware and malicious links. But where detection results are inconclusive, a small percentage of suspect messages get through.
“When that happens — whether we see it ourselves or it’s reported by an end-user — we need to determine, with a high level of confidence, whether the email is malicious or not,” Brad says. “VMRay is our source of truth for that.”
In June 2019, to supplement the company’s existing defenses, his team deployed VMRay’s cloud-based email threat detection solution. Previously, they had used an on-premises sandbox lab to manually detonate and analyze each message that was submitted. “The process was time-consuming and ineffective, and it caused delays in notifying users about whether a message was safe or not,” Brad says. “What VMRay provides us is detonation-as-a-service.”
While 70% of the company’s security workload is handled by a managed services provider, Brad has kept responsibility for phishing analysis in-house, with the workload split between him and his analyst. They set up auto-forwarding from the existing phishing mailbox to the VMRay environment, which automatically detonates each email to detect indicators of compromise (IOCs).
Brad cites the example of a credentials-harvesting scheme that tells email recipients they need to reset their password — and then sends them to a page with illicit credential prompts. “Not only does VMRay detect where that link goes, but the screenshots help analysts determine at a glance if the credentials page is safe.”
Adversaries eventually catch on to the evolving techniques used in phishing analysis, and they develop countermeasures to evade detection. A common technique is to create an attachment with an embedded link that redirects the user to a final, malicious destination that is 3 or 4 hops away. “Often, the first 2 or 3 links are harmless,” says Brad. “Some tools don’t dive in enough. They’ll only go to the first or second hop and then say, ‘It’s clean.’ VMRay follows those redirections all the way to the end so malicious activity can be identified and mitigated.”
When VMRay determines an email is malicious, that information can be used to identify other users who have received the same message. A company-wide block can then be put in place so they’re not affected. “If 50 people are at risk, catching that one message spares the other 49 from a potential credential harvesting threat.”
Beyond phishing protections, Brad and his team use VMRay to vet likely false positives (FPs) generated by Endpoint Detection and Response (EDR) systems, which are notorious for being over-sensitive.
“We’ll see files that EDR says are malicious and should be blocked. But when we look at the surface information, they sometimes appear to be benign,” he says. Macro-enabled files and Powershell scripts are especially challenging because they’re used by adversaries and legitimate programs alike.
Brad explains, “If you get an ambiguous result for a Powershell script — and you assume it’s malicious and block it — you’re going to stop the business. On the other hand, if you treat those scripts as if they’re benign and allow them through, that also puts you at risk.” In those cases, VMRay acts as a safety net by taking the extra step of detonating the sample.
The analysis results help staff members decide whether to manually waive an EDR block that was triggered by the FP or to harden their defenses by keeping the block in place. “It’s a trust-but-verify exercise,” he says.
Previously, his analyst had been spending four hours a day on phishing analysis using the on-premises sandbox. “With VMRay, he has carved out a daily time saving of 1 to 2 hours. That freed him to focus on bigger things like making sure our businesses are being supported, managing risk, and tuning our phishing defenses to catch new threats” said Brad. The changeover to VMRay also eliminated the cost and effort of maintaining the on-premises sandbox.
“We’re always looking for ways to automate and orchestrate our threat response by removing human touch from the equation,” says Brad. “When VMRay brings out enhancements that make sense for our security program, we’ll integrate them into our workflow.”