Whether you are a SOC team safeguarding an operational network, a CERT team analyzing corpuses of malware, or an analysis team for product development, you need a robust and user-friendly solution for malware analysis to work effectively and efficiently. REnigma is designed to meet this need using our revolutionary and unique record and replay technology. This innovation unlocks key benefits including:
The key innovation that powers REnigma is a technology called Record and Replay. The essence of Record and Replay is to capture, with extreme efficiency during the recording phase, every state change that occurs in a virtual machine, so that the execution can be replayed and analyzed offline. Record and Replay is unique to REnigma and took more than 5 years of research at The Johns Hopkins University Applied Physics Laboratory to create (see the about page for the history of REnigma). REnigma builds on top of Record and Replay as depicted in the figure. First, the user loads a suspicious URL or file into REnigma (1). Next, the user starts an interactive recording and detonates the suspicious sample in a throw-away virtual machine at full speed, capturing all activity (2). After completing the capture phase, the user can pull out artifacts and second-stage samples, replay the execution instruction-by-instruction, or create memory dumps at earlier points in the recording to pick apart the sample (3).
SOC teams we work with use the following types of tools to defend their network:
This infrastructure generates a large number of alerts for your SOC team to process. Each alert requires costly manual investigation to determine its meaning and severity. Is the URL run-of-the-mill spam or is your CEO about to click on a targeted attack that could cost your organization millions of dollars? REnigma has been designed to specifically solve this problem by providing a cost-effective solution for your security analysts to quickly and safely investigate alerts.
REnigma helps other cybersecurity technology companies improve their products by giving them better answers and providing a platform for analysis. If you are building an EDR, you need to study families of malware and understand exactly how the malware behaves so that you can improve your EDR product and rules. If you are building a network or DNS cybersecurity product, you need a way to detonate samples and observe the network patterns. You also need methods to quickly reverse samples and study how the network command-and-control structure works. REnigma provides a powerful platform to make these analysis tasks easier for your team so you can analyze more samples, gain a deeper understanding, and use fewer resources to improve your product.
REnigma is designed as a platform to build analytics. The two primary APIs we expose are a REST API for integrations and applications and a Python API for custom analytics. The APIs make it easy to integrate REnigma into workflows that need automation. For example, SOCs are typically overwhelmed with alerts that need investigation, so anything you can do to streamline the process makes the job easier and more effective. With our REST API, a simple connector script can safely queue URLs or files into REnigma for manual investigation. For analysts who need to dig in deep and march toward fully automated reverse engineering, our Python API gives you the same bindings we use for the built-in analytics in REnigma, so you can customize analysis to meet your needs.
We are ready to get you started with REnigma to help you keep your organization safe and make your team far more productive! Please contact us now to learn how we can help your team better understand alerts, reduce costs for your organization, and keep your network safer.