Published on January 28, 2021

Post-breach, what happens now? ReaQta’s all-in-one EDR and Forensic tool gathers information in minutes for effective post-breach recovery

  • ReaQta melds Endpoint Security EDR/XDR protection with forensic capabilities to form integrated cybersecurity offerings
  • As COVID-19 continues to limit travel, remote forensic data collection offered by ReaQta-Hive will grow to become a staple for any organization

Post-breach, every minute counts. The growing frequency of serious cyber breaches, together with tightening regulations that require time-sensitive digital forensic reports, means organizations increasingly need both protection and the capability to support an investigation efficiently.


To streamline incident response, ReaQta therefore combines two strands of cybersecurity that are usually handled separately, endpoint monitoring and digital forensics, into one integrated offering: ReaQta's Endpoint Security platform. ReaQta-Hive records endpoint activity from the moment it is deployed onward, while Hive Forensics reaches back to collect evidence of what happened before. Together they give teams visibility into endpoint activity across time, for a more complete and robust protection plan.

Developed based on real world needs

Post-breach scenarios are the toughest to deal with: information is always partial, and reconstructing the entire picture is challenging. Handling an active incident is delicate, as teams must balance speed of response against keeping the company protected from further data theft.

 Hive Forensics enables teams to quickly collect forensic data remotely, in real-time
Users can choose to enable email and in-app notifications to alert them when forensic data collection is complete and ready for download

Hive Forensics was developed in the wake of a successful post-breach remediation effort that ReaQta handled for one of Europe’s largest retail companies. The retail group, which has a headcount of ten thousand staff and over 3,000 shops in the region, had been targeted and repeatedly breached by a threat actor who was stealing their information.

But the enterprise had found it extremely difficult to understand how its attackers were operating, since it had almost no endpoint visibility. Attackers kept returning quickly even after the company blocked their C&C IP addresses, a sign that blocking infrastructure alone was not removing the foothold. The challenge was compounded by the company having only limited access to local endpoints and none to remote ones.

ReaQta’s edge in the industry

ReaQta was called in as emergency post-breach responders to conduct analysis and remediation after the security team noticed exceptionally high CPU load on part of the infrastructure, together with considerable anomalous network activity. Few vendors are able to work on already-compromised infrastructure, but ReaQta-Hive was able to gather past forensic data while providing endpoint protection at the same time. This was critical, as the company had already been breached on several occasions.

ReaQta-Hive’s Endpoint Security platform makes use of proprietary NanoOS technology to gain complete visibility into endpoint activity. Unique to ReaQta, this technology enables monitoring even at the hypervisor layer – a capability that gives security teams the upper hand by enabling them to remain hidden from cyber adversaries. 

By swiftly gathering elements of the attack to reconstruct the attack chain, ReaQta found that the attackers had turned the company's infrastructure into a bitcoin mining network and had infected it with custom-made malware. ReaQta also established that the attackers maintained access via a custom backdoor.


Within three hours a mitigation plan was created and executed, followed by an eradication and response plan. In 24 hours, operations went back to normal and the infrastructure was completely cleaned up by ReaQta’s incident response team. A thorough threat hunting investigation was launched to strengthen the company’s cybersecurity posture to prevent similar incidents from happening again.

A platform like ReaQta-Hive proved critical in automating a task that would have been impossible to carry out manually: the eradication of self-replicating malware across thousands of endpoints. It also proved essential for immediately pinpointing the sources of infection, their paths and techniques, something beyond the reach of a SIEM. Complete visibility allows security teams to identify threats early and contain them properly, without disrupting business continuity.

Introducing Hive Forensics 

Whether it is for compliance purposes or to understand how to future-proof your organization from attacks, comprehensive forensic data coverage is critical to determine the full scope of a breach and to know how and where attackers are entering your infrastructure.

Hive Forensics’ Remote Forensic Data feature is password protected and available in Basic (5 minutes) and Advanced (15 minutes) modes

Hive Forensics’ Remote Forensic Data feature provides crucial snapshots of the state of your endpoints. It does so remotely, eliminating the delay incurred in going on-site to gather traces and identifiers, a capability that has become especially critical now that the COVID-19 pandemic is limiting international travel. With remote retrieval of forensic data, time savings translate into cost savings: the incidental costs of flights and accommodation for IR teams are eliminated, and teams save precious response time.

Built in two modes, the feature gathers considerably more data than a typical EDR: the basic collection takes about 5 minutes and the advanced collection about 15, cutting response time from days to minutes.

Hive Forensics’ Basic Mode collects essential information needed for attack reconstruction in just 5 minutes (screenshot: list of active scheduled tasks)

Technical Capabilities of Hive Forensics:

  • Encryption Enabled 
  • Easy Module Enablement
  • The Remote Forensic Data feature is available in two modes:
    • Basic (5 minutes): Captures running processes and a snapshot of crucial status information on the endpoint. Currently available on Windows.
    • Advanced (15 minutes): Delivers everything in the Basic kit plus more comprehensive forensic coverage, such as network connections, time zone and the users associated with the endpoint.
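To make the two collection modes concrete, the script below is an added example, not ReaQta's code, of what a minimal remote triage collector of this shape looks like on Windows: it runs the collection on each endpoint over WinRM, saves the Basic (processes, OS status, active scheduled tasks) or Advanced (plus network connections, time zone, users) snapshot as JSON on the analyst's machine, and records a SHA-256 manifest so the evidence can be shown unaltered later. The host names, output folder and mode names are assumptions for illustration; it requires local administrator rights on the targets and WinRM enabled on them.

```powershell
<#
  Added example, not ReaQta's code. Minimal remote triage collector modelled on the
  Basic / Advanced kits described above.
  Usage:  .\Get-TriageSnapshot.ps1 -ComputerName SHOP-0421,HQ-FS01 -Mode Advanced
  (host names and the output root are assumptions for illustration)
#>
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [ValidateSet('Basic', 'Advanced')] [string] $Mode = 'Basic',
    [string] $OutRoot = 'C:\Triage'          # assumed local evidence folder
)

# Runs ON THE ENDPOINT via Invoke-Command. Basic mirrors "running processes + status
# snapshot"; Advanced adds network connections, time zone and user information.
$collect = {
    param([string] $Mode)
    $snap = [ordered]@{
        collected_utc   = (Get-Date).ToUniversalTime().ToString('o')
        hostname        = $env:COMPUTERNAME
        mode            = $Mode
        os              = Get-CimInstance Win32_OperatingSystem |
                          Select-Object Caption, Version, LastBootUpTime
        processes       = Get-Process -ErrorAction SilentlyContinue |
                          Select-Object Id, ProcessName, Path, StartTime
        # Active (non-disabled) tasks with the binary each one executes: a common persistence spot
        scheduled_tasks = Get-ScheduledTask | Where-Object State -ne 'Disabled' |
                          Select-Object TaskName, TaskPath, State,
                              @{ n = 'Execute'; e = { ($_.Actions | ForEach-Object Execute) -join ';' } }
    }
    if ($Mode -eq 'Advanced') {
        $snap['network']   = Get-NetTCPConnection -ErrorAction SilentlyContinue |
                             Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
        $snap['timezone']  = Get-TimeZone | Select-Object Id, DisplayName, BaseUtcOffset
        $snap['users']     = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet
        $snap['logged_on'] = (Get-CimInstance Win32_ComputerSystem).UserName
    }
    $snap
}

$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
# Note: $host is an automatic variable in PowerShell, so the loop variable is $target.
$manifest = foreach ($target in $ComputerName) {
    $dir = Join-Path $OutRoot "$target-$stamp"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    try {
        # One WinRM round trip per host; the collection itself stays in the minutes range.
        $data = Invoke-Command -ComputerName $target -ScriptBlock $collect `
                               -ArgumentList $Mode -ErrorAction Stop
    } catch {
        Write-Warning "$target unreachable or collection failed: $($_.Exception.Message)"
        continue
    }
    $json = Join-Path $dir 'snapshot.json'
    $data | ConvertTo-Json -Depth 4 | Set-Content -Path $json -Encoding UTF8

    # Hash immediately after writing: this is the starting point of the chain of custody.
    $h = Get-FileHash -Path $json -Algorithm SHA256
    [pscustomobject]@{ Host = $target; Mode = $Mode; File = $json; SHA256 = $h.Hash; CollectedUtc = $stamp }
}
$manifest | Export-Csv -Path (Join-Path $OutRoot "manifest-$stamp.csv") -NoTypeInformation
$manifest | Format-Table -AutoSize
```

Compress-Archive has no password option, so to match the password-protected download described above, package the evidence folder with an archiver that supports AES encryption (for example 7-Zip with its -p switch) or encrypt it to an analyst's certificate with Protect-CmsMessage before it leaves the collecting host.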

Hive Forensics’ Remote Forensic Data kit is available as a value-added feature within ReaQta-Hive. A free 30-day ReaQta-Hive trial can be scheduled through ReaQta.