Modern enterprise defense architectures generate many alerts from endpoint and network monitoring tools. These alerts require trained analysts to understand and properly react to the events, many of which may be false positives but some of which are serious alerts that would be catastrophic if overlooked. Organizations need a solution to sort through the noise and figure out which threats are real and which are not. The REnigma cyber investigation tool is designed to address this need: it helps your team respond faster and more effectively to alerts by providing a safe, powerful, and easy-to-use tool to examine suspicious files and URLs. In the sections below, we discuss the problem of excessive alert generation, how REnigma can make your team more effective, the underlying record and replay technology that makes REnigma so powerful, and a comparison to alternatives for investigating alerts.
Cybersecurity teams we work with use the following types of tools to defend their network:
This infrastructure generates a large number of alerts for your security team to process. Each alert requires costly manual investigation to determine its meaning and severity. Is the URL run-of-the-mill spam or is your CEO about to click on a targeted attack that could cost your organization millions of dollars? REnigma has been designed to specifically solve this problem by providing a cost-effective solution for your security analysts to quickly and safely investigate alerts.
The alerts from the various tools are often vague and may be false positives but some are critical, so it is typically on the analyst to make the final call as to whether or not something is bad and if any action is necessary to remediate the situation. Since the best way to understand what an alert means is to see it for yourself, analysts often set up virtual machines to manually run suspicious URLs and files extracted from alerts. Unfortunately, this requires deep knowledge of virtualization technology and extreme care to avoid certain dangers when analyzing potentially malicious data. In particular, the virtual machine's storage and networking configuration must be set up perfectly to avoid a spill onto the enterprise network. And further, successfully observing the behavior of the suspicious sample requires setting up a variety of analysis tools, which often require expensive training and significant experience to use effectively.
REnigma helps your team by automating the setup of the analysis environment with an isolated virtual machine, a properly configured network, tooling to automatically extract relevant artifacts from the recorded execution, and a safe place to store those artifacts. This helps both your junior analysts and your senior analysts work more efficiently and effectively. The barrier is removed for junior analysts who may not be comfortable with setting up complex virtual machine and analysis environments. REnigma gives them an environment that is safe, powerful, and easy-to-use without requiring any knowledge of how the technology works. Instead, with about one hour of training, they can focus directly on running the malware, observing its effects, and studying the artifacts extracted by REnigma, enabling them to contribute in ways that they may not have been able to do previously. Senior analysts also benefit because REnigma automates much of the tedious and costly work required to perform an in-depth interactive investigation to save them time and achieve higher throughput when processing alerts. Further, REnigma provides advanced features, such as the ability to rewind and dump memory, to give senior analysts easy access to critical data that they would not have otherwise. The result is reduced costs and a safer network because you have higher performance from your entire team.
The key innovation that powers REnigma is an underlying technology called Record and Replay. The essence of Record and Replay is that the technique can perfectly capture every state change that occurs in a virtual machine with extreme efficiency during the recording phase, so that the execution can be replayed and analyzed offline. Record and Replay is unique to REnigma and took more than 5 years of research for the US Department of Defense to create (see the About page for the history of REnigma). REnigma builds on top of Record and Replay as depicted in the figure. First, the user loads a suspicious URL or file into REnigma (1). Next, the user starts an interactive recording and detonates the suspicious sample in a throw-away virtual machine at full speed, perfectly capturing all activity (2). After completing the capture phase, the user can pull out artifacts and second-stage samples, replay the execution instruction-by-instruction, and create memory dumps at earlier points in time to pick apart the sample (3).
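To make the Record and Replay idea concrete, here is an added illustration that is not REnigma's code and does not represent its implementation. It models a toy VM whose only source of nondeterminism is external input (the role played by timers, network data and the like in a real machine). Recording logs those inputs as the program runs live; replay re-executes the same program from the same initial state while feeding inputs from the log, so it reproduces the run exactly and can stop at any earlier instruction to take a memory snapshot, which is the "rewind and dump memory" capability described above. The program, register names and seed are all constructed for this example.

```python
import random
from dataclasses import dataclass, field

# Constructed toy program. Each instruction is a tuple:
#   ("input", reg)       -> reg = external, nondeterministic value
#   ("add", reg, imm)    -> reg = (reg + imm) mod 256
#   ("xor", reg, imm)    -> reg ^= imm
#   ("store", addr, reg) -> mem[addr] = reg
PROGRAM = [
    ("input", "r0"),
    ("add", "r0", 7),
    ("store", 0, "r0"),
    ("input", "r1"),
    ("xor", "r1", 0xFF),
    ("store", 1, "r1"),
    ("add", "r0", 1),
    ("store", 2, "r0"),
]


@dataclass
class VMState:
    """Complete machine state: two 8-bit registers, sparse memory, program counter."""
    regs: dict = field(default_factory=lambda: {"r0": 0, "r1": 0})
    mem: dict = field(default_factory=dict)
    pc: int = 0

    def snapshot(self):
        # A "memory dump": an independent copy of the whole state at this instant.
        return {"regs": dict(self.regs), "mem": dict(self.mem), "pc": self.pc}


def step(state, instr, input_source):
    """Execute one instruction. Everything is deterministic except input_source()."""
    op = instr[0]
    if op == "input":
        state.regs[instr[1]] = input_source()
    elif op == "add":
        state.regs[instr[1]] = (state.regs[instr[1]] + instr[2]) & 0xFF
    elif op == "xor":
        state.regs[instr[1]] = state.regs[instr[1]] ^ instr[2]
    elif op == "store":
        state.mem[instr[1]] = state.regs[instr[2]]
    else:
        raise ValueError(f"unknown op {op!r}")
    state.pc += 1


def record(program, rng):
    """Live run: execute at full speed, logging only the nondeterministic inputs."""
    log = []

    def live_input():
        value = rng.randrange(256)
        log.append(value)
        return value

    state = VMState()
    for instr in program:
        step(state, instr, live_input)
    return state, log


def replay(program, log, stop_at=None):
    """Offline replay: same initial state, inputs taken from the log in order.

    stop_at lets the analyst rewind to any instruction index and inspect
    the state there, without the original run having saved a snapshot.
    """
    inputs = iter(log)
    state = VMState()
    for index, instr in enumerate(program):
        if stop_at is not None and index == stop_at:
            break
        step(state, instr, lambda: next(inputs))
    return state


def demo(seed=1234):
    """Record once, then replay in full and replay-with-rewind to instruction 3."""
    final, log = record(PROGRAM, random.Random(seed))
    full = replay(PROGRAM, log)
    rewound = replay(PROGRAM, log, stop_at=3)
    return final.snapshot(), log, full.snapshot(), rewound.snapshot()


if __name__ == "__main__":
    final, log, full, rewound = demo()
    print("recorded inputs:", log)
    print("final state    :", final)
    print("replay matches :", full == final)
    print("state at pc=3  :", rewound)
```

The point of the design is that the log holds only the two input values, not the whole execution, yet replay reconstructs every intermediate state bit for bit; that is what makes it cheap to record at speed and still possible to rewind to an arbitrary earlier instruction afterwards.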
Below are the most common alternatives to REnigma that are used to try to solve the problem of safely investigating alerts:
By comparison, REnigma was designed to specifically address this need and gives you a solution for your entire team that is far superior to all other approaches. REnigma takes care of all of the tedious configuration and maintenance activities necessary to perform in-depth interactive investigation and lets your team focus on the analysis activities, saving you time, reducing costs, and keeping your organization safer than you can without it.
We are ready to get you started with REnigma to help you keep your organization safe and make your team far more productive! Please contact us now to learn how we can help your team better understand alerts, reduce costs for your organization, and keep your network safer.