Hughes Federal Credit Union More Than Doubles Team Capacity Without Adding Headcount

Hughes Federal Credit Union's Cybersecurity Manager Judy Mayoral recognized her small team needed more than manual research and vendor documentation to make fully informed security decisions, leading her to discover Recorded Future's real-time intelligence.

Goal

Gain accurate, widely sourced insights faster and empower the small security team to stay nimble as the organization expands quickly with numerous vendor relationships.

Challenge

Hughes lacked reliable security intelligence to prioritize what matters as fast-paced growth overwhelmed the small team. Vendor evaluation relied on gut instinct. They couldn't see stability, risk exposure, or whether vendor information appeared on the dark web without Recorded Future.

Outcome

Third-Party Intelligence provides numerical cyber-risk scores, revealing compromised historical vendors. IBM QRadar integration enriches SIEM data with risk scores and customized alerts. Brand Intelligence detects 6 annual typosquatting domains and suspicious BINs before fraud occurs. Vulnerability Intelligence prioritizes patches days before NVD publication while Analyst on Demand delivers board-ready reports.

Originally formed in 1952 Hughes Federal Credit Union serves the community of Tucson, Arizona and now has more than 166,000 members and over $1.9 billion in assets.

Hughes has a relatively small security team consisting of Cybersecurity Manager Judy Mayoral, the vice-president of cybersecurity, and a security analyst. This means much of the hands-on work is performed by Mayoral and the analyst. The fast-paced growth of the organization pushed the security team to seek out a solution that would provide them with reliable security intelligence to help them prioritize what matters. The team turned to Recorded Future Intelligence Platform to more efficiently sift through the vast amount and variety of data that pours in on a daily basis.

Deploying the solution has been a great boon to the organization, as Mayoral points out: “Recorded Future is invaluable, as it helps us determine whether something is an active threat or a past threat, something to prioritize or not give as much importance. We also use it for research purposes, such as for vendor selection and management. As the company continues to expand quickly, we need to make sure that we're staying nimble and on top of things—and Recorded Future enables us to do so.”

Accurately Assessing Vendor Risk

Hughes Federal Credit Union has numerous vendor relationships. A core piece of the organization’s business is working with auto dealerships that are looking to finance customer purchases through the credit union. In fact, this constitutes about 70% of their business. Apart from auto loan-related entities, Hughes partners with solution providers, vendor management software companies, and technical vendors such as Cisco and IBM. Additionally, the credit union also evaluates companies they are looking to merge with or acquire.

As Hughes identifies new vendors they want to work with, they strive to do appropriate due diligence. “Much of our time is spent making educated, risk-based decisions regarding vendor contracts.” remarks Mayoral. “This is where we lean on Recorded Future.”

Prior to Recorded Future, the vendor evaluation process was largely guided by gut instinct or trust. When a vendor approached Hughes, the credit union would get to know them, get a feel for their business, and look at their security operations center (SOC) documentation or due diligence package. Based on that information, the credit union would make a decision about next steps which would include whether to escalate to a third party for a quantitative risk assessment, initiating the relationship, or opting not to pursue a business relationship.

“The piece that was missing for us in evaluating vendors was data on the stability of the company and the risk that they had out in the world. When we really started to leverage Recorded Future, we found that some vendors we conducted business with historically were high risk and compromised. For example, we discovered that their information was on the dark web. We wouldn’t have known that without insights from Recorded Future. Now we can identify whether the vendor had any security problems that were publicly disclosed or revealed on the dark web,” she says.

The Recorded Future Third-Party Module assigns vendors, partners, and other third parties with a numerical cyber-risk score, which eliminates the guesswork. Mayoral continuously keeps a vigilant eye on the vendors Hughes does business with, checking for breaches, potential vulnerabilities, ransomware, credential compromise, and other security challenges.

For core vendors or service providers that have direct access to the Hughes environment and would pose a risk to the business if compromised, Mayoral uses Recorded Future to track their usernames. If her team sees those usernames on the dark web, they then notify the vendors so they can conduct further investigations and remediations.

“When Recorded Future flags us that there's a problem, that's usually an indicator that we shouldn't be doing business with the vendor or that we need to exercise extra precautions when working with them,” she asserts.

Vulnerability Management Adds Richness to Vendor Profiles

By using Vulnerability Intelligence from Recorded Future, Mayoral and her team can determine whether the credit union’s vendors and partners are vulnerable to zero-day attacks or other threats. Leveraging machine learning, Recorded Future scores vulnerabilities on their likelihood of exploitation based on real-time data from open, dark web, and technical sources. This allows Mayoral and her team to prioritize and act on vulnerabilities days before they are published in the U.S. National Vulnerability Database (NVD).

The Apache Log4j flaw, which was discovered in December of 2021, is a clear example of a zero-day vulnerability that has impacted numerous businesses across multiple sectors. It gives remote attackers the ability to commandeer a system in order to install malware, execute payloads, steal data, or damage the system. Fortunately, Hughes was well-buffered against Log4j, so they did not take a hit like many other organizations did, but the credit union was concerned about third parties potentially being victimized.

“Recorded Future provides us with substantial reporting and tools to see if anybody we do business with is vulnerable to Log4j attacks. Additionally, they help us to discover other indicators of compromise (IoCs) and determine whether adversaries are targeting us or attacking us,” she says.

SIEM Integration Enriches Context and Makes Information More Accessible

An important benefit of the Recorded Future SecOps Intelligence Module is that it integrates seamlessly with IBM’s Security QRadar, a Security Information and Event Management (SIEM) solution implemented at Hughes. Recorded Future feeds real-time intelligence into QRadar, giving Mayoral and her analyst the information they need to make quick, confident decisions.

As Mayoral puts it, Recorded Future “sees the outside world,” helping Hughes prepare for possible threats. By bringing QRadar and Recorded Future together, Mayoral and her team have been able to enrich the overall data set in the SIEM. The SecOps Intelligence integration with QRadar enriches SIEM data with risk scores that provide context for the actual risk associated with exploitation of each Common Vulnerabilities and Exposure (CVE). Recorded Future’s risk scores supplement CVSS scores to help Mayoral and her team prioritize the security patches that matter most based on the likelihood that a vulnerability would be exploited.

Thanks to the integration, Mayoral and team can build customized alerts. “For example, if internal users are visiting websites that are allowed through our firewall, but Recorded Future indicates that these URLs have a high risk score, then we get notified. That way, we can see that there could be a problem with a website and fine-tune our alerting. This gives us a good perspective on what our employees are doing and what our applications are doing—and this helps us better protect both,” Mayoral explains.

Employees outside of Mayoral’s immediate security team benefit from the enrichment that Recorded Future provides, too. For example, the infrastructure team uses the guidance of Recorded Future data in QRadar when executing security patching.

More people in the organization can be touched by or can get the benefit of the intelligence just by virtue of having this integration. This makes the data understandable to them.

Mayoral assists users with due diligence or vendor management program processes by using the Third-Party Intelligence Module to look up company risk scores.

Recorded Future has helped Mayoral and her team serve as trusted and helpful facilitators. They have been successful in their efforts to change the way employees view security at Hughes. Users have come to understand that her team is not letting security get in the way of processes. Mayoral has won the hearts and minds of employees to such an extent that they are now conscientious about reporting problems to her team, such as malicious sites or socially engineered phishing emails.

Automation Leads to Augmentation of Team Capabilities

As Mayoral states, “Recorded Future has more than doubled the capacity and effectiveness of my team.”

Recorded Future SecOps Intelligence provides ready-to-use, high-confidence threat data eliminating the need to perform manual research. Armed with real-time risk scores and indicators of compromise (IoCs), her team can quickly eliminate false positives, prioritize alerts, and do deeper investigations followed by triage where required.

Recorded Future Vulnerability Intelligence has also automated processes. In the past, reviewing vulnerability scans was an exceedingly time-consuming job. Mayoral’s team had to review every single CVE in conjunction with the critical asset scanned, such as firewalls and Microsoft Windows tools. Recorded Future pairs CVEs with their associated assets, so it’s easy to see which CVEs may be high risk for any given asset.

“Recorded Future does a lot of the work for us. I don't have to drill into each and every single CVE and determine its risk or likelihood of exploitation. And because it ties the CVE and risk level back to the asset, I can decide whether it’s necessary to take action or not. This keeps us from wasting time deciding whether a vulnerability is something we need to be paying attention to based on the asset it's coming from,” says Mayoral.

Additionally, the depth and breadth of intelligence in Recorded Future helps the team more quickly and easily pinpoint risky sites. Rather than manually filtering through dozens of websites, they simply enter the URL into Recorded Future and immediately get a risk score.
“When we do have an incident or need to research something, we're able to have one person handle the issue. And this individual doesn’t have to be skilled in multiple different systems.

They only need to understand IBM Security QRadar, which gets all of the Recorded Future intelligence and delivers context and helps connect the dots. We can then make educated decisions as to whether something is actionable or a false positive—and that allows us to better prioritize our time.”