Yara Rules: The Basics
By Tiffany Roca
I am currently completing a one-year internship with the IBM Security Worldwide Technical Sales organization while attending The University of San Antonio studying Cybersecurity.
Thank you to my mentor Wendy Willner for coaching me on this one!
Introduction
Organizations are adopting and developing new technologies at a rapid speed. This evolution is inspiring cybercriminals to advance at an equal or greater rate. As a result, malware has become exceedingly sophisticated. This is evident from the proliferation of breaches that we see flooding the news.
Recently Wendy and I have been discussing Yara Rules and the variety of ways they can be used for Threat Detection. We thought it would be fun to share what we have learned and discussed.
Yara Rules: Let’s start with a brief history
Victor Alvarez, a software engineer at VirusTotal, originally developed Yara Rules for malware research and detection. YARA stands for “Yet Another Recursive Acronym”.
Alvarez describes YARA Rules as:
“YARA is a tool that allows people to search for patterns in their data. It was created with malware researchers in mind, but actually it can be used for a variety of purposes, such as digital forensics. I like to describe it as "a pattern matching swiss army knife". An analogy I often use is: yara is to files what snort is to network traffic”
Yara is currently an open-source project and has many active contributors. Yara is multiplatform: it runs on Windows, Linux and macOS, and can be used from the CLI or via a Python library. Yara identifies and classifies malware based on custom rules. Users can create their own rules and often share them.
What exactly are Yara Rules?
Standard Formatting
Yara is a pattern matching tool that allows users to search for malware or other Indicators of Compromise (IOCs). Yara rules are created in a standard format. Yara is extremely flexible and supports searching for multiple string types. Yara Rules can be useful when the rule creator (often a Threat Hunter) knows exactly what they are trying to find.
A common use case for leveraging Yara Rules is testing security data for evidence of malware.
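The standard format described above, as an added example that is not part of the original post or any published rule set. The rule name, tag, metadata and every string are constructed placeholders; it shows text, regular-expression and hex strings combined in one condition.

```yara
/*
 * Added example: a constructed rule showing the standard layout.
 * The rule name, tag, metadata and every string are invented placeholders,
 * not indicators from any real malware family or published rule set.
 */
rule Example_Constructed_Loader : example
{
    meta:
        description = "Layout demo: meta, strings and condition sections"
        author      = "added example"
        reference   = "placeholder, no real sample"

    strings:
        // Text string: matched as ASCII and UTF-16 ("wide"), ignoring case
        $s_marker = "EXAMPLE_LOADER_MARKER" ascii wide nocase

        // Text string matched only as a whole word
        $s_mutex = "Global\\ExampleMutex01" fullword

        // Regular expression: a URL shape on the reserved .example TLD
        $s_url = /https?:\/\/[a-z0-9-]{4,20}\.example\/update\.bin/ nocase

        // Hex string: ?? is a one-byte wildcard, [2-4] skips 2 to 4 bytes
        $h_stub = { E8 ?? ?? ?? ?? [2-4] 6A 00 68 ?? ?? 00 00 }

    condition:
        // "MZ" header at offset 0, a size bound, then either the byte
        // pattern or at least two of the three $s_ strings
        uint16(0) == 0x5A4D and
        filesize < 2MB and
        ($h_stub or 2 of ($s_*))
}
```

Saved to a file, the rule can be run from the CLI as `yara <rules file> <target file or directory>`.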
Yara Rules in Threat Management
Yara Rules can be used effectively for rapid threat detection by many different people, including threat hunters, threat researchers, SOC analysts, and incident responders.
For example, during the investigation of the latest breach involving ‘SolarWinds’, the threat hunting team at FireEye released Yara Rules on GitHub (here) to help security teams check their environments for Teardrop malware, which the team believed was used in the original attack.
This is just one example of Yara being openly shared to assist in the recovery from a cyber-attack. The Yara community regularly shares rules and really embraces the ‘open-source culture’. After all, stopping one cybercriminal benefits everyone in the entire security community.
Importing Yara Rules into QRadar
Any QRadar customer with licenses to IBM QRadar Incident Forensics or IBM QRadar Network Insights has the ability to import custom Yara Rules into QRadar. These rules can then be used to search and identify malicious content. More details about using Yara Rules in QRadar can be found (Here).
Wait! Are Sigma Rules Yara Rules?
As I began my learning on Yara Rules, the topic of Sigma Rules was often brought up. So I thought it would be helpful to also share my findings on Sigma Rules. Sigma Rules are generic rules that can be shared and run against different targets. These targets are usually security analytics tools like SIEMs. The security community is often interested in Sigma Rules because they allow analysts to create rules that can be used with many tools and then shared with a larger community.
Conclusion
I hope you enjoyed understanding the basics of Yara Rules. I look forward to sharing more blogs as I progress through my internship at IBM!