Modern enterprise defense architectures generate many alerts from endpoint and network monitoring tools. These alerts require trained analysts to understand and properly react to the events, many of which may be false positives but some of which are serious alerts that would be catastrophic if overlooked. Organizations need a solution to sort through the noise and figure out which threats are real and which are not. The REnigma cyber investigation tool is designed to address this need: it helps your team respond faster and more effectively to alerts by providing a safe, powerful, and easy-to-use tool to examine suspicious files and URLs. In the sections below, we discuss the problem of excessive alert generation, how REnigma can make your team more effective, the underlying record and replay technology that makes REnigma so powerful, and a comparison to alternatives for investigation of alerts.

Cybersecurity teams we work with use the following types of tools to defend their network:

  • Firewall/IDS - block command and control (C&C), spam, or other malicious traffic and generate alerts
  • Network Sandbox - analyze files and artifacts sniffed from the network in a sandbox and generate alerts
  • Email Scanner - scan all emails for potentially malicious URLs/attachments and generate alerts
  • Endpoint Protection - antivirus scanning and/or behavioral observation on end points to detect anomalous behavior and generate alerts
  • Abuse Box - employees directly submit suspicious emails and attachments to manually generate alerts

This infrastructure generates a large number of alerts for your security team to process. Each alert requires costly manual investigation to determine its meaning and severity. Is the URL run-of-the-mill spam or is your CEO about to click on a targeted attack that could cost your organization millions of dollars? REnigma has been designed to specifically solve this problem by providing a cost-effective solution for your security analysts to quickly and safely investigate alerts.

The alerts from the various tools are often vague and may be false positives, but some are critical, so it is typically on the analyst to make the final call as to whether or not something is bad and whether any action is necessary to remediate the situation. Since the best way to understand what an alert means is to see it for yourself, analysts often set up virtual machines to manually run suspicious URLs and files extracted from alerts. Unfortunately, this requires deep knowledge of virtualization technology and extreme care to avoid certain dangers when analyzing potentially malicious data. In particular, the virtual machine's storage and networking configuration must be set up perfectly to avoid a spill onto the enterprise network. Further, successfully observing the behavior of the suspicious sample requires setting up a variety of analysis tools, which often require expensive training and significant experience to use effectively.

REnigma helps your team by automating the setup of the analysis environment with an isolated virtual machine, a properly configured network, tooling to automatically extract relevant artifacts from the recorded execution, and a safe place to store those artifacts. This helps both your junior analysts and your senior analysts work more efficiently and effectively. The barrier is removed for junior analysts who may not be comfortable with setting up complex virtual machine and analysis environments. REnigma gives them an environment that is safe, powerful, and easy-to-use without requiring any knowledge of how the technology works. Instead, with about one hour of training, they can focus directly on running the malware, observing its effects, and studying the artifacts extracted by REnigma, enabling them to contribute in ways that they may not have been able to do previously. Senior analysts also benefit because REnigma automates much of the tedious and costly work required to perform an in-depth interactive investigation to save them time and achieve higher throughput when processing alerts. Further, REnigma provides advanced features, such as the ability to rewind and dump memory, to give senior analysts easy access to critical data that they would not have otherwise. The result is reduced costs and a safer network because you have higher performance from your entire team.

The key innovation that powers REnigma is an underlying technology called Record and Replay. The essence of Record and Replay is that the technique can perfectly capture, with very little overhead during the recording phase, every state change that occurs in a virtual machine, so that the execution can be replayed and analyzed offline. Record and Replay is unique to REnigma and took more than 5 years of research for the US Department of Defense to create (see the about page for the history of REnigma). REnigma builds on top of Record and Replay as depicted in the figure. First, the user loads a suspicious URL or file into REnigma (1). Next, the user starts an interactive recording and detonates the suspicious sample in a throw-away virtual machine at full speed, perfectly capturing all activity (2). After completing the capture phase, the user can pull out artifacts and second-stage samples, replay the execution instruction-by-instruction, and create memory dumps at earlier points in time to pick apart the sample (3).
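To make the idea concrete, here is an added toy illustration of record and replay. It is not REnigma's code and is far simpler than a whole-VM recorder; the machine, its instruction set, the sample program and the two input kinds ("clock" and "random") are all constructed for this example. It takes the approach that is common to this class of tools: the recorder logs only the values that come from outside the machine (the nondeterministic inputs), because everything else can be recomputed deterministically on replay. The replayer can then stop at any earlier step and produce a memory dump, and a divergence check catches a replay that no longer matches the recording.

```python
"""Toy record-and-replay for a tiny deterministic machine with external inputs.

Added illustration, not REnigma's implementation. The only nondeterminism in
the machine is the `input` instruction, which reads from the outside world.
"""
import hashlib
import json
import random
import time

# Constructed sample program: (opcode, args...). It reads the clock and a random
# value, so two live runs of it would normally end in different memory states.
SAMPLE_PROGRAM = [
    ("set", "a", 5),
    ("input", "t", "clock"),      # nondeterministic read
    ("input", "r", "random"),     # nondeterministic read
    ("add", "a", "t"),
    ("store", 0x10, "a"),
    ("xor", "r", "a"),
    ("store", 0x20, "r"),
    ("halt",),
]

MASK32 = 0xFFFFFFFF


def live_input(kind):
    """The 'real world' input source used during recording (constructed)."""
    if kind == "clock":
        return int(time.time())
    if kind == "random":
        return random.getrandbits(32)
    raise ValueError(f"unknown input kind {kind!r}")


class Machine:
    """A minimal register/memory machine. `input_source(step, kind)` supplies
    every external value, so swapping that callable switches record vs replay."""

    def __init__(self, program, input_source):
        self.program = program
        self.input_source = input_source
        self.regs = {}
        self.mem = {}
        self.step = 0
        self.halted = False

    def run_one(self):
        op = self.program[self.step]
        name = op[0]
        if name == "set":
            self.regs[op[1]] = op[2]
        elif name == "input":
            self.regs[op[1]] = self.input_source(self.step, op[2]) & MASK32
        elif name == "add":
            self.regs[op[1]] = (self.regs[op[1]] + self.regs[op[2]]) & MASK32
        elif name == "xor":
            self.regs[op[1]] = self.regs[op[1]] ^ self.regs[op[2]]
        elif name == "store":
            self.mem[op[1]] = self.regs[op[2]]
        elif name == "halt":
            self.halted = True
        else:
            raise ValueError(f"unknown opcode {name!r}")
        self.step += 1

    def run(self, stop_at=None):
        """Execute until halt, or until `stop_at` instructions have run."""
        while not self.halted and (stop_at is None or self.step < stop_at):
            self.run_one()
        return self

    def dump(self):
        """A 'memory dump': the full architectural state at this step."""
        return {"step": self.step, "regs": dict(self.regs), "mem": dict(self.mem)}


def memory_hash(dump):
    """Stable fingerprint of a dump, used to compare recording and replay."""
    return hashlib.sha256(json.dumps(dump, sort_keys=True).encode()).hexdigest()


def record(program, live_source):
    """Run the program once for real, logging each external value with the
    step at which it was consumed. The log is the whole recording."""
    log = []

    def recording_source(step, kind):
        value = live_source(kind)
        log.append((step, kind, value))
        return value

    machine = Machine(program, recording_source).run()
    return log, machine.dump()


def replay(program, log, stop_at=None):
    """Re-execute deterministically, feeding inputs from the log. Stopping early
    yields the state at that earlier point; a mismatch means divergence."""
    cursor = iter(log)

    def replay_source(step, kind):
        entry = next(cursor, None)
        if entry is None or (entry[0], entry[1]) != (step, kind):
            raise RuntimeError(f"replay diverged from recording at step {step}")
        return entry[2]

    return Machine(program, replay_source).run(stop_at).dump()


if __name__ == "__main__":
    log, final = record(SAMPLE_PROGRAM, live_input)
    print("recorded inputs:", log)
    print("replay matches recording:", memory_hash(replay(SAMPLE_PROGRAM, log)) == memory_hash(final))
    print("state rewound to step 5:", replay(SAMPLE_PROGRAM, log, stop_at=5))
```

The point to notice is how small the log is relative to the execution: two entries are enough to reproduce the whole run, and any earlier state is obtained by replaying up to that step rather than by having saved it during recording.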

Below are the most common alternatives to REnigma that are used to try to solve the problem of safely investigating alerts:

  • Sandboxes - Many organizations already have automated sandboxes as part of add-on packages to existing solutions, and if you already have an automated sandbox, why do you need REnigma? The problem is that automated sandboxes don't tell the full story. The analysts cannot fully interact with the sample in automated sandboxes to see the behavior for themselves. Instead, all they get is complex output that requires time and expertise to interpret and usually leads to more questions than answers.
  • VirusTotal - To supplement automated sandboxes, it's very common for organizations to use open source intelligence or tools such as VirusTotal. However, these tools are only useful if the hash or URL has been seen before and often suffer from the same problems as the tool that generated the alert to begin with: false positives, false negatives, and the output is not very informative.
  • Throw-Away Virtual Machines - Since full reverse engineering is too time consuming for keeping up with the volume of alerts, analysts often fall back on a throw-away virtual machine for further investigation. Unfortunately, doing this safely requires a skill set beyond many junior analysts. Even for senior analysts, configuring and maintaining this VM is very time consuming and the analysis tools are limited.

By comparison, REnigma was designed specifically to address this need and gives you a solution for your entire team that is far superior to all other approaches. REnigma takes care of all of the tedious configuration and maintenance activities necessary to perform in-depth interactive investigation and lets your team focus on the analysis activities, saving you time, reducing costs, and keeping your organization safer than would otherwise be possible.

We are ready to get you started with REnigma to help you keep your organization safe and make your team far more productive! Please contact us now to learn how we can help your team better understand alerts, reduce costs for your organization, and keep your network safer.

Ready to get started? Try for free now!