One of the founders of ReversingLabs. Presenter at conferences: BlackHat, ReCon, CARO Workshop, SAS and TechnoSecurity. Developer on projects such as TitaniumCore, TitanEngine, NyxEngine and RLPack. @ap0x
{ YARA at ReversingLabs
2013 - 2015
• Integrated YARA into TitaniumCore
• Started including YARA rules in our products
2016
• Showing YARA match information
• Automatic YARA ruleset versioning
2017
• Enabled suspicious classifications
• Extended YARA to support more than 32 threads
2018
• Integrated with TitaniumCore format identification and unpacking
• Included .NET and hash modules
2019
• Using YARA metadata to name detected threats
• Patch contributions to YARA code base
2020
• Explainable YARA rules
• Threat detection
{ YARA dilemma: Threat detection or hunting?
Detection
Goal: Malware detection & blocking
Pro:
• Can accurately detect malware threats
• Can block malware based on artifacts
• Can be deployed to scan files or memory
Con:
• Requires time to write & test correctly
• Can be bypassed with pattern breaking
Hunting
Goal: Proactive analysis & detection
Pro:
• Can find new interesting things to analyze
• Can be broad to cover multiple formats
• Can look for things other than malware
Con:
• Requires time-consuming human analysis
• Can generate lots of false positives
{ YARA threat detection rule goals
1. Cleanly written YARA rules with well-labeled conditions
2. Matching on functionality unique to the malware type
3. Preferring code byte pattern matching over strings
4. Native classification pipeline integration
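The four goals written out as one rule. This is an added example, not a rule from the ReversingLabs rule set: the family name (ExampleFamily), the metadata field names and the XOR-loop byte sequence are assumptions chosen for illustration, not a real detection. The structural gate lives in a named private rule (goal 1), the pattern is a code sequence with wildcarded operands rather than a string (goals 2 and 3), and the metadata carries the threat name and classification that a pipeline reads instead of parsing the rule name (goal 4).

```yara
import "pe"

// Structural gate kept as a private rule so the condition carries a name
// and can be reused by every rule in the set.
private rule is_pe32
{
    condition:
        uint16(0) == 0x5A4D and pe.is_32bit()
}

rule Win32_Ransomware_ExampleFamily_XorLoop
{
    meta:
        author         = "illustrative example"
        description    = "Hypothetical in-place XOR loop used to scramble file contents"
        // Naming metadata (assumed field names): a classification pipeline
        // reads these instead of deriving the threat name from the rule name.
        threat_name    = "Win32.Ransomware.ExampleFamily"
        classification = "malicious"
        severity       = "high"

    strings:
        // Code bytes rather than a string. The key-table address and the
        // jump displacement are wildcarded so recompilation or relocation
        // does not break the match.
        $xor_loop = {
            8B 45 08          // mov  eax, [ebp+8]        ; buffer
            8A 0C 10          // mov  cl, [eax+edx]       ; cl = buffer[i]
            32 8A ?? ?? ?? ?? // xor  cl, [edx+key_table] ; key byte, address wildcarded
            88 0C 10          // mov  [eax+edx], cl       ; write back in place
            42                // inc  edx
            3B 55 0C          // cmp  edx, [ebp+0Ch]      ; length
            72 ??             // jb   short loop          ; rel8 wildcarded
        }

    condition:
        is_pe32 and
        // The loop must sit inside an executable section, not in data or overlay,
        // which keeps a stray copy of the bytes in a resource from firing the rule.
        for any i in (0 .. pe.number_of_sections - 1) : (
            (pe.sections[i].characteristics & pe.SECTION_MEM_EXECUTE) != 0 and
            $xor_loop in (pe.sections[i].raw_data_offset ..
                          pe.sections[i].raw_data_offset + pe.sections[i].raw_data_size)
        )
}
```

Compile it with a YARA build that has the PE module enabled (the same requirement the open-source rule set states), e.g. `yara -s rules.yar sample.exe`; `-s` prints the matched offset so the hit can be confirmed in a disassembler before the rule is promoted from hunting to blocking.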
{ YARA threat detection within layered objects
Sample → a) after unpacking (PE/EXE/UPX → PE/EXE) or b) memory analysis → YARA and machine learning → classification → verdict (e.g. Ransomware)
When both YARA and machine learning classify the object, the YARA verdict is preferred because it carries a family name.
{ YARA threat detection results
{ ReversingLabs Open Source YARA rules
https://github.com/reversinglabs/reversinglabs-yara-rules
128 YARA rules published.
ReversingLabs Open Source rules require YARA version 3.2.0 or newer to be installed. Additionally, the following YARA modules need to be enabled: PE and ELF.
THANK YOU