Leveraging YARA
We chatted with ReversingLabs Malware Researcher Hrvoje Samardžić and Roman Hüssy of Abuse.ch about YARAify, which aids threat hunting operations.
EPISODE TRANSCRIPT
PAUL ROBERTS
Hey, everybody. Welcome back to ConversingLabs. This is ReversingLabs' podcast where we talk about threat intelligence, threat hunting, software assurance, and more. We're so happy to have you back and we've got a great show for you today. With us in the studio we have Roman Hüssy of Abuse.ch. Roman, welcome.
ROMAN HÜSSY
Hi, thank you very much for having me.
PAUL ROBERTS
And joining us again is Hrvoje Samardžić, threat intelligence researcher here at ReversingLabs. Hrvoje, welcome back, my friend.
HRVOJE SAMARDŽIĆ
Hi, nice to be here again.
PAUL ROBERTS
Great to have you back. So we're in the studio today talking about, well, really actually talking to Roman, talking about his project Abuse.ch, and also talking about threat hunting, and in particular the use of YARA rules, which are becoming a really important tool for threat hunters and investigators to use within their environment to spot evidence of attacks and so on. So we're going to talk a lot about YARA rules. We're going to talk about a new project that Roman is standing up, as if he doesn't have enough on his plate: YARAify. But before we do any of that, I wanted each of you just to tell the audience a little bit about yourselves. And Roman, let's start with you. Tell us about yourself and the work that you do. Also tell us a little bit about Abuse.ch.
ROMAN HÜSSY
Yeah, thanks. So my name is Roman Hüssy. I'm a Swiss citizen and I launched Abuse.ch quite some time ago. So it started as a nonprofit, spare time project in, I think it was 2008. So years ago when cybersecurity was not as cool as it is today. Cybersecurity is a buzzword these days, right? So I was already in that field a long time ago. And yeah, I actually entered that field by accident, somehow started to look at strange emails that I received in my personal inbox. And I noticed that this is something that interests me and I quickly started to blog about it and that actually was the start of Abuse.ch. So today it's much more than just a blog, as you probably know. I think we're going to talk about that later. It's a nonprofit project that I mainly run in my spare time. Actually, what most people don't know is that it's just me, myself and I. So after all these years, it's still a one-man shop, so to say. That comes with a handful of benefits but also with a handful of disadvantages. So to say, I'm free to do whatever I want, that's pretty cool. So if I have a good idea, I can just get it done. But on the other side, I still have a full time job, almost a full time job, that makes me very happy, and I don't want to quit that. Which means that I now have like this fight between Abuse.ch that I run in my spare time and my day job that makes me very happy and I don't want to quit any of those. Right. That's a circle of badness or I'm not sure how to...
PAUL ROBERTS
You're juggling a lot.
ROMAN HÜSSY
...say that. It's really like this circle of nightmare and you're not getting out of it.
PAUL ROBERTS
Think about how important Abuse.ch is just within the threat intelligence and InfoSec communities. It's pretty amazing that it's been run as like a one person project. Amazing to me.
ROMAN HÜSSY
Yeah. What most people don't see is the huge infrastructure that I have in place that needs to be maintained, and then you have bug fixing and platforms that you need to improve or develop further. One of the most recent projects we're going to talk about later. So that's all stuff that I do by myself, and traditionally I'm not a developer, more like a threat hunter. So that's just like stuff I do because someone needs to do it and that's me. But I'm actually more into threat hunting. That's the stuff that is interesting.
PAUL ROBERTS
And that's what we're going to talk about today yeah.
ROMAN HÜSSY
Yeah exactly.
PAUL ROBERTS
Hrvoje, you're a threat researcher here, ReversingLabs. Tell the folks watching a little bit about the work that you do.
HRVOJE SAMARDŽIĆ
Thank you, Paul. So I don't have a lot of things to say like Roman, because he really is amazing. I mean, the things he does, I don't believe him. It's only him behind the project. That's impossible. So don't believe him, because here at ReversingLabs, I do a portion of the things he does. So I'm currently leading a team of threat researchers. So we are actively working on discovering new threats that pose some kind of novel attacks that could be still undiscovered and are using some kind of new tactics and techniques. And with all of those insights, we are building a threat intelligence pipeline workflow that's automatically producing intelligence that we as a vendor try to sell to whoever is interested. That's what I do at the moment.
PAUL ROBERTS
And you're deep in the weeds on helping threat hunters and folks who are doing that within organizations as well. That's a lot of the work that you do is providing the tools and information to help them do their jobs.
HRVOJE SAMARDŽIĆ
Yeah, in a way, like Roman, I do pretty much the same thing. It's building a pipeline workflow process of machines that automatically can process a number of file related threats but also pick the networking information and correlate all the things and make some meaningful intelligence out of that. So it's kind of a bit different perspective, but I have a team that's working on that on a bit larger scale, but still it's a team, it's not a one man shop.
PAUL ROBERTS
So let's start the discussion. Roman, just talking a little bit about Abuse.ch. This is a project that you do in concert with the Bern University there in Switzerland. Talk just a little bit about for folks who might be watching but aren't familiar with Abuse.ch, what types of information and resources are available and how they're used by downstream, whether it's individual companies or cybersecurity firms, how they use the information you provide?
ROMAN HÜSSY
Sure, yeah. So the idea of Abuse.ch is having an umbrella over different kinds of sub projects, or however you want to call them. So the sub projects are platforms that I offer to the community for free. So most of the platforms I operate are open to the public. There are only very few ones that I use for my own purpose, but most of them are open and they all have some sort of different approaches or different goals they want to achieve. But the general term is that I want to provide accurate information about cyber threats in real time to the community, but also to stakeholders in the Internet who actually can do something. So for example, internet service providers or domain registries or registrars, for example, but also hosting providers that can shut down a website that is distributing malware, for example. So the audience is actually pretty big and it doesn't stop with the industry. I also work together with law enforcement agencies around the world providing them with information, usually historical information about threats, cyber threats. That's something that is useful for them either in their investigation that is ongoing or if they finally caught the cyber criminal, collecting more evidence and maybe also some sort of like expert opinion that's usually useful for them. And having a dedicated project like Abuse.ch that is not for profit, that's usually pretty cool to have that data available for law enforcement agencies and so on.
PAUL ROBERTS
And you said you started it basically out of curiosity about stuff that you were seeing in your own inbox?
ROMAN HÜSSY
Exactly. So back then it was actually just a blog that I published where I blogged about malspam campaigns. And frankly, that's the really strange thing. We still have spam campaigns today, so within 15 years the problem was not solved.
PAUL ROBERTS
Don't take it personally.
ROMAN HÜSSY
Maybe I should have worked harder? I don't know. Yeah, so actually I started to blog about these campaigns and I soon started the first platform then and it was ZeuS Tracker. I'm not sure if you have heard about that back then. Zeus was this kind of, I think one of the very first crimeware kits that was sold on the dark web and on the underground forums. And I actually decided, I saw the need of having a platform that tracks control servers associated with Zeus. And I think that spirit, I still have that spirit today. Right. The platforms that I generate or that I develop and publish, they actually come out of a need that I see in the community. Right. For example, URLhaus, which is tracking malware sites. I think there is... hello. I think there is not a similar project out there that tracks malware distribution sites...
PAUL ROBERTS
Photo bomb.
ROMAN HÜSSY
And that's actually how these projects start. Usually I'm in the shower or sleeping or I want to go to bed and I cannot sleep and then suddenly I have this idea that's a problem we need to address. And when I have enough time, then I'm building platforms.
PAUL ROBERTS
Could you give us, I mean... You talked about Zeus, that kind of brings you back. But I mean, the problem hasn't gone away that you created Abuse.ch to address, but it has changed. So can you just talk a little bit about some of the changes that you've seen just in the cybercrime world in terms of methodologies and so on? Just again, from your perspective there.
ROMAN HÜSSY
Yeah, I think the whole cyber threat landscape, it's obvious, it evolved pretty much. And I actually remember when I started with Abuse.ch, you had a few actors, a few threats, and you could be an expert on all these kinds of threats and actors because it was overseeable. But these days I'm waking up in the morning and checking all the Slack, Mattermost channels and Twitter, and it's just like really an information bomb hitting you every morning, every morning. And that's actually something that sometimes overwhelms me. And I was very lucky in the past when I had this overview of what happens worldwide. And these days it's not possible. It's not possible anymore. That's something that it's also somehow frustrating, right, because you want to know stuff and then a friend of yours may approach you like, hey, have you heard about that? Can you tell me something about this threat actor or this specific threat? And you say, yeah, I read about it in the news. I didn't have time to look at it at all because knowing about everything, it's not possible anymore. And I think that's for me personally an issue, and it also makes it a little bit harder to find stuff. Right. For example, business email compromise. I mean, I don't have any platform or product that would help the audience or the community with business email compromise. So that's just one example out of many. And it's very hard to then actually figure out which threats are really, how you say, emerging. And really a threat to some organizations, say, like national security or whatever, like Emotet, QBot and IcedID. And I think that changed pretty much. And also what changed pretty much is like the cybercriminals organizing themselves much more and they have more resources. It's much easier these days to get technical infrastructure that you need to operate or to launch a malspam campaign, for example, or cybercrime campaign. All this infrastructure got much cheaper than it was 15 years ago.
And with one mouse click, you can deploy thousands of virtual machines in a cloud environment and have them spamming for five minutes, for example, or doing other nasty stuff. It's so easy these days and so cheap.
PAUL ROBERTS
You're also seeing consolidation of the victims, in essence on shared infrastructure as well, right?
ROMAN HÜSSY
Exactly. I mean, from a defender point of view, that also makes it more difficult than it was in the past. I mean, 15 years ago, I could provide you an IP address. Like, okay, this particular IP address is used for the command control server. These days with all this cloud infrastructure. I mean, cloud is something pretty cool, but it also has disadvantages. If I provide you an IP address, that IP address can change the ownership 15 or 20 or, I don't know, times a day. For me, that means that if I provide an indicator of compromise, for example, or threat intel about an IP address, the lifespan of that information snippet is much smaller than it was. And that's something that is challenging. Right? How long is an indicator valid, for example? And that was easier 15 years ago.
PAUL ROBERTS
Hrvoje, for organizations like ReversingLabs who are engaged in synthesizing information, what is a resource like Abuse.ch? What's the value of it?
HRVOJE SAMARDŽIĆ
For all the vendors, it's a very good resource of information because I would say there's really a handful of top notch researchers uploading their files. And these files are like manually tagged, so I would say classified per threat, per vector and so on. So it's not a big data set, I would say, some may argue, but it's really very well classified and you have a lot of additional metadata on that data set. It's very nicely correlated with other indicators. So it's really something you would use for threat hunting. And one additional thing is it's very false positive free, so almost everything. I mean, there's always cases when somebody uploads something suspicious that turns out not to be malicious, but in general it's a very highly vetted malicious sample set. So that's why it's so interesting. And we'll be talking about YARAify later, but that's why this is so important, to have something like that, something that's highly vetted. It's organized, catalogued, with a lot of metadata that you can use to hunt on.
ROMAN HÜSSY
And I think we can say size doesn't matter. That's something that I learned in terms of malware sample feeds, because you may get 200K malware samples a day. And what I learned is, looking at them, like 50% are file infectors that are ten and more years old, that are no longer relevant, but they are still out there because they infect new files. And so talking about who has what amount of data, I think quality comes over quantity in terms of numbers, but that's my limited view as a researcher doing stuff in my spare time. I'm sure vendors may have a different view on that. That's the experience I have made.
PAUL ROBERTS
Especially these days, right, with so much threat data out there. Right. There is this kind of quality versus quantity trade off where you might be getting high volume of data but very low fidelity.
HRVOJE SAMARDŽIĆ
Yeah, I would agree. From our standpoint, I can back what Roman has said. The volume, there's a big, I would say, overlap between certain threats and files. So when we do our analysis or when we create our feeds, we just take portions of files per threat. Because if you analyze like 100,000 of samples per that threat, you'll get no more fresh indicators than from that 100. So it's really about knowing what that 100 is, then about analyzing the whole data set because it's more or less iteration of the same thing. So numbers are not that important, but quality is way more important.
ROMAN HÜSSY
You actually talk about Emotet hash-busting, right?
HRVOJE SAMARDŽIĆ
It's not only Emotet, it's not only meta... these guys they...
PAUL ROBERTS
Explain that for the audience Hrvoje.
HRVOJE SAMARDŽIĆ
They will not like, write a new malware sample every day for 100,000 times. They'll just repackage that in a different form to get a different hash. So it's basically the same thing. So all you need to do is find that unique sample and analyze it once thoroughly and you're done. So you don't need to touch on another sample for that day. But it's a process.
PAUL ROBERTS
And they're doing that to fool signature-based detection tools.
HRVOJE SAMARDŽIĆ
Yeah, I mean, the value of a hash from the time Roman started was like, you block a hash, you're more or less saved. But today, if you, like, download the sample from the same payload download location, you'll get a different hash every single time. So they rotate these payloads on every single download. So the hash is meaningless. It's just a point of reference. Hey, I have this file, have you seen it or not? But other than that, it's really not of much use.
PAUL ROBERTS
And Roman, you were saying for last 15 years, Abuse.ch has been a passion project and obviously not for profit, but that there are some changes coming in the near future. Can you just talk a little bit about that?
ROMAN HÜSSY
Yeah, so running the project, it's a lot of fun. But I mentioned that earlier, if you have a day job, it's hard, right? It's really hard. And when I started it, you had servers rented somewhere in a data center and that was it. And these days, the infrastructure is huge. The amount of data coming in and that I'm processing is huge, the amount of users is huge. I mean, if I look at the APIs and feeds I'm offering, some of these APIs are getting hammered pretty hard. And maintaining that infrastructure and developing new tools, new platforms, doing bug fixes, implementing new features. There are many feature requests coming in on Twitter DM. It's a lot of work, right? And during COVID, it was very challenging for me because of my day job. And I'm not getting any younger, I'm getting older. And that means that I had to look for an alternative that will survive me or that will allow me to survive, however you want to see it. The idea is, as of 1st of August, the project turned into a commercial company. So Abuse.ch, after 15 years, sadly stopped being a nonprofit project and it's now a commercial company. The idea behind it is not to make money primarily, it's more having enough funds to have someone, or more probably than someone... Having engineers and data scientists looking at the data, engineering the platforms, but also maintaining the platforms, right? And with the research project I had within the past one and a half years at the Bern University of Applied Sciences, that was pretty cool. And I think it would have worked without the day job. But with the day job, I mean, I managed to get enough funds to hire someone, but you need to find the person. It's just me, so I have to hunt for that person. And you need to engage with the person, getting him or her used to this huge infrastructure that actually has grown over time using different technologies. I mean, there are some Perl scripts that are still lying around and it's a huge mess. Right.
And I didn't see myself in a position to do that. So I think there was a need for a change. Also, I think many of my colleagues who run stuff for nonprofit, it doesn't necessarily have to be in the cybersecurity field, I mean, they know what I'm talking about when approaching potential donors or sponsors. It turned out that in the cybersecurity field, there is a lot of money, that's a fact. But if you are asking someone for a donation, it's very hard. Usually not because they don't want to, usually more in the way that they have an accounting department or something that says, well, we cannot just send money to someone. We need to get something back. And even if the accounting department says, well, yeah, you're good to go, you may have a line manager or someone higher up in the management that says, why should we spend 40K on that small one man show project in Switzerland? And then you need to start to argue like, we give you the data for free so that you can protect your customers, but we need money to operate. And the experience I have made is that it's very hard and you need to fill out 100,000 different forms to become a supplier. Or however you call it.
PAUL ROBERTS
Just licensing it commercially is much more straightforward for them...
ROMAN HÜSSY
I mean, I can just send an invoice or do a small contract and I'm happy. But with donation, does VAT apply or not? Endless discussions, it's...
PAUL ROBERTS
Tricky.
ROMAN HÜSSY
It's the work that doesn't work, right? But that needs to be done. And I think it will hopefully be much easier with a commercial company, just sending invoices and you get something back for it, hopefully.
PAUL ROBERTS
Anything that the folks using Abuse.ch need to know during this transition from nonprofit to commercially licensed?
ROMAN HÜSSY
Well, nothing is fixed yet. I think the most important thing for the audience is that the main spirit of the project, like having platforms that are open and that's for everyone, and that publish certain data sets for everyone, that's something that I want to continue, right? On the other side, there will probably be some additional data sets or APIs or whatever products that may have an SLA, for example, because if you use one of the APIs I provide, as of today, they are free. If they get hammered too fast or DDoS'd, they are down and there is no SLA, you have to live with it. And having something specifically for large organizations or vendors that they can trust, that you can report a false positive and you get a near-time or real-time answer. That's one of the priorities that I have on my list that I would like to do right. So really the message that I would like to spread is that the spirit that Abuse.ch had in the past will hopefully stay, having open platforms and everyone can contribute. And most of the data should be freely available as it is today.
PAUL ROBERTS
Let's switch topics a little bit, though not much. One of the new projects: you've been doing Abuse.ch for 15 years, but just in the last couple of weeks you launched another new initiative and this one is called YARAify. Tell us, Roman, a little bit about YARAify and what the idea behind that project is.
ROMAN HÜSSY
Yeah, so it starts with YARA and that's actually the thing that the project is about. I think we will talk about YARA in a minute. What the idea of the project actually is, is having a central place where you can share YARA rules and also consume them, right? So you can contribute your own YARA rules and others can use them in an automated form. It also has a scan engine. So that means if you contribute a YARA signature, you get matching files, files that match your signature. And that's currently around 100K samples per day that I process through YARAify, which is quite a bit. And these files, maybe a few words about these files. They're coming from all the projects I already have. So, public and non-public projects. For example, URLhaus: as soon as URLhaus fetches a payload from potential payload distribution sites, the file will be sent to YARAify too. So if you are using the platform and deploy your YARA rules there, you get visibility on that. But I'm also sending unpacked samples to it. I'm sending process dumps to it from sandbox analysis and, for example, also so-called Cobalt Strike beacons, so you can easily hunt on the platform with your own YARA rules or with YARA rules that already exist, that actually catch Cobalt Strike beacons. You can hunt for these files and you can download them for free, of course.
PAUL ROBERTS
So this begs the larger question, which is YARA rules? What are YARA rules and how are they used? And Hrvoje, I'm going to turf that one to you. For the folks in the audience who aren't familiar with or haven't used YARA rules before, can you just talk a little bit about this technology and how it assists threat hunters?
HRVOJE SAMARDŽIĆ
So it's an acronym for Yet Another Recursive Algorithm, I guess? There's some other ones going around, but that is, I would say, the official explanation behind the name. So it's basically a pattern matching engine that can find different kinds of patterns in a file, from the simplest examples like strings, to various lengths of strings, to position in a file and so on and so on. So it's pretty advanced and it can find, I would say, very complex patterns. And that's making it a very good tool for threat hunters to detect new, still undiscovered, but also known threats. So I would classify YARA rules in those two different categories.
PAUL ROBERTS
Is that detection engine a standard, like open source engine? Or...
HRVOJE SAMARDŽIĆ
YARA is open source, anybody can use it. So I would classify YARA rules in those two groups. So one are well established YARA rules that can detect threats that are known and that are, I would say, well tested and not very prone to false positives. And the other ones, I would say, threat hunters use to detect some, I would say, normal threats or some suspicious indicators that might be found on goodware as well, but also on some new malware. So these kinds of rules are, let's say, monitoring rules. So they are like early warning signs for something that might be interesting to look at. And a platform like YARAify is a good way to test those rules because they can be improved, developed on the platform. That's what I see from my angle. That is how I would use this new service.
PAUL ROBERTS
So how do you create a YARA rule? If you're, let's say, you're engaged in threat hunting within an organization, or you're a threat analyst, you've discovered a new piece of malware or a new threat, what's the process of creating the rule for that threat that other people can then use within their own environments?
HRVOJE SAMARDŽIĆ
So if you are just casting a wide net, you'll be looking for these suspicious indicators. So the YARA rule will be catching a lot of, I would say, unwanted things. So those matches will need to be filtered out by some other techniques to find what you're interested in and what's worth looking into. But if you, like, you want to thread some particular malware strain, then you need to concentrate on things like how they are packed. You can write a YARA signature for their packer. I don't know, if it's ransomware, you can focus on the encryption routines that do decrypting. Or... The easiest thing is if you can find some easy, like low hanging fruit, some strings that can be seen on those...
PAUL ROBERTS
And that are very distinctive. Right?
HRVOJE SAMARDŽIĆ
Yeah.
PAUL ROBERTS
So, potentially there could be multiple different rules for the same threat depending on how a threat hunter wanted to create the rule.
HRVOJE SAMARDŽIĆ
Yeah, and based on the, I would say, expert level of the YARA creator, I would say you will see different quality rules going around. So some are like, it's been written by some novice who's just starting, or somebody who's very into reverse engineering and knows how to find those very unique patterns that can be very unique and specific for malware threats, thereafter.
PAUL ROBERTS
And for the threat hunter, and Roman, you could probably take a swing at this, or Hrvoje, you're both more qualified to answer this. For the threat hunter, at what stage do YARA rules come into play when you're looking into a particular incident? Like, when would you employ them?
ROMAN HÜSSY
Yeah, I think there are many use cases for YARA, right. I think they play an important role at finding new threats, as Hrvoje, you just mentioned it. But also classifying samples. Like you get a sample and you don't know what it is, and using YARA, you can put a label on it. So like identifying the known bad. But also what you can do and what I have seen is, depending on what kind of, for example, EDR system you have in place, you can also use it on endpoints to detect certain stuff. So if you have an incident and you're doing incident response as an organization and you have tooling in place, like, as I said, an EDR that supports YARA, and you're looking for a specific kind of threat, you can write your own YARA rules or use open, publicly available ones to roll those out across clients and identify stuff. And I think that's the cool thing with YARA. When you talk about old school antivirus software, if I can use that term, it was pretty hard to instrument the antivirus software to spot something that you want to have detected. So usually that was on a file name or on a file hash. And with YARA, you now have the possibility to do much more powerful things, right, and you just need this specific piece of software during an incident response, for example, incident response process, to spot stuff. So there is a large variety of use cases for YARA. I think the reason for that is because it's open source. That's pretty cool. Everyone who has certain knowledge can write YARA rules and it's very powerful.
HRVOJE SAMARDŽIĆ
I just wanted to mention one interesting use case for YARA. I actually don't see that frequently, but it's interesting, so I'll mention it. It can also be a DLP rule. So if you hook it up on your outgoing data stream and look for some specific indicators on documents you internally use, I don't know, like images or some strings from headers or footers, you can easily detect some of those files going out of your company. So that's something that not a lot of folks are doing, but it's actually a pretty neat way to detect if somebody is sharing what they shouldn't have or somebody stealing what they shouldn't have.
PAUL ROBERTS
So you mentioned this is an open source initiative and so it's decentralized. Folks can create their own rules and publish them on GitHub or keep them private. How historically have... But there's value in sharing these, obviously, within the community to help each other with threat hunting. How historically have folks found YARA rules that might be useful to them?
ROMAN HÜSSY
Yes, I'm using YARA pretty often, probably like most of the threat hunters. And the issue when dealing with YARA rules is you have your own YARA set, right? But then there are many open source YARA rules, like the ones from ReversingLabs, there are many others. And then you have Slack channels where YARA rules are getting shared. All these YARA rules have different classifications, like some of them may be not for public, some may be for public. So it's a little bit of a mess, right? You want to hunt for a threat, but before you hunt for a threat, you need to hunt for the YARA rules. So that's challenging. And that was something that was consuming a lot of my time. And I thought, hey, we need a central place where YARA rules can be shared. And that's one of the purposes of YARAify, that you can share your rules no matter how good or bad they are. That's an important thing. So you can upload a pretty shitty rule. I may delete it then, but you can upload everything you want. Actually, it doesn't say anything about the quality, but at least there's a central place, right, where you can pull down and share the rules. That's one thing. And the second thing is, I mentioned that with the classification of a YARA rule, right? And there are some YARA rules that are classified, as for example, TLP:AMBER, which means, well, you can only use it within your organization. And if you talk to the YARA rule creator, he says, well, the metadata of the YARA rule, like, okay, this YARA rule matches Gozi, for example, that's not classified. What is classified is the rule itself, like the patterns. And using the current infrastructure, the current sharing mechanisms that are in place, was tricky because it doesn't differ between what is the YARA rule and what is inside the metadata, like who created it (the YARA rule), what is the name of the YARA rule exactly? You see it here. That was one of the issues and one of the issues I wanted to address. Right, so to give you just one example.
With YARAify, you can now say the YARA rule itself, like the patterns, they are classified, so the rule is not being shared, but you can still actually hunt with that rule on YARAify. That's pretty cool. In this case, that's the perfect example. You see the rule matching TLP, which is WHITE, which means that everyone sees matching files that are matching this specific YARA rule. And you also have, the creator of the YARA rule has the possibility to define the rule sharing TLP. In this case, it's all TLP:WHITE, which means that not only files that are matching this particular YARA rule will be visible to anyone, but also the YARA rule itself is shared. And if you scroll down in this example, you will see exactly that. You will see the YARA rule, we have first the metadata, and that's what's publicly available. And then the strings and conditions. That's the pattern matching stuff. And at the end you see what kind of files on YARAify actually match that particular rule. So, long story short, it should be one place where people can share YARA rules with others in a structured way, but giving them full control over what they want to share and how this YARA rule can be used. So I want to give you another example. There's a YARA license, where I use the Creative Commons license. That particular rule is, for example, now you get some ads, so Creative Commons 4.0 BY, and that actually instructs the user of the YARA rule what they can do with the YARA rule, right. So in this particular case, you can use that YARA rule, but you need to give appropriate credit to the author, right? And I think that should encourage people to share more YARA rules because they have a more complex, but a more structured, fine, granular way to define how someone can use your YARA rule, right?
PAUL ROBERTS
So what has been the response so far, Roman, to YARAify? You're seeing uptake by the community? It seems like an incredibly valuable project. This seems like almost like the type of thing you'd expect, like a MITRE or something like that to organize and manage. But you're doing it yourself.
ROMAN HÜSSY
Yeah. So I really think that the most difficult part is teaching authors of YARA rules that certain fields in the meta header of a YARA rule need to be present to share the YARA rule, like TLP classification or the license. So, only that allows you to share your rules in a structured way, right? And I think that's still something where I need to, or I should, influence some people to get used to that, to really use that structured way for sharing stuff. Because at the beginning you have more work, of course, because you need to classify your YARA rule and define all these fields, but afterwards it makes the sharing much easier, right, for everyone. The feedback I got so far is that many people were pretty impressed by the idea. But yeah, getting used to it, writing YARA rules and publishing them there, that's, I think, another chapter, and it will take another few months to motivate people to actually do that. But I think as soon as they see the need or the benefit that they actually get from that, it shouldn't be an issue.
PAUL ROBERTS
I know... Hrvoje, go ahead.
HRVOJE SAMARDŽIĆ
Yeah, I just wanted to compliment Roman on educating the community how to make the proper meta-header, thank you.
PAUL ROBERTS
Is there more to be done? I know one of the issues you raise, even just like lack of standardization around nomenclature and how we name YARA rules relative to the threat that they identify, is there more work to be done with that? And is there a role for standard setting organizations, whether it's NIST or the equivalent in the EU to get involved in that type of work?
ROMAN HÜSSY
That's a good question. Well, I hope that YARAify is one step in the right direction, but if some standardization organizations come up with a standard, that would of course be much appreciated. Because I really think that this is an issue with YARA: because it's open and you can write whatever you want, it's difficult to do something structured with it. And to give you one example, if you have certain threats that you detect with a YARA rule, you probably use that threat name as the rule name, but then maybe a different AV vendor or a different security researcher will have another term or another naming scheme... At the end you have different YARA rules actually trying to catch the same thing. But they all call it, they all have their own naming scheme and names. That's an issue. And for example, how YARAify wants to overcome that issue is... I tried to stick to the Malpedia malware family notation, right? So malware families are documented there, and each has one single name and 100 different aliases. That's okay, but one name, and we try to stick to that. So if you write a YARA rule, you should add the Malpedia name, right, to that particular YARA rule. That makes it easier then to process the YARA rules, because you see, okay, that's matching, that YARA rule should match this file hash, and that's actually the malware, the Malpedia malware family, that it should catch. Right?
PAUL ROBERTS
This is an issue with malware naming that goes back decades and we've tried in numerous occasions...
ROMAN HÜSSY
At least older than I am in the security world, right? Another issue that we haven't solved yet.
PAUL ROBERTS
Also not your fault, Roman. So, final question for folks out there who are watching, maybe haven't used YARA rules before. New to this, where's a good place where they can go and learn both about how to engage with that community, find YARA rules and also use them in their threat hunting? Any recommendations on that?
ROMAN HÜSSY
There are many rules, and usually it's learning by doing, so having a look at how others are doing it. But I think there's plenty of documentation, right?
HRVOJE SAMARDŽIĆ
Yeah, anyone can install YARA locally and play with it. So that would probably be the best start to learn about the syntax, to learn about... I mean, there are some online guides that can get you quick-started, and you can play with YARA locally. And then there's YARAify.
ROMAN HÜSSY
Thanks.
PAUL ROBERTS
The go-to resource. Hey, thank you both so much. Is there anything I should have asked you that I didn't or anything you all wanted to say that I didn't give you a chance to say?
HRVOJE SAMARDŽIĆ
I have a question for Roman. So, I mean, you are quite a public figure with Abuse.ch, so I'm always wondering, has that gotten you into any trouble with the dark side?
ROMAN HÜSSY
In the past, yes, but that's years ago. That's when I started the project. And I think that's also a situation that changed pretty much in the past. Right. When I started with cybersecurity, as I mentioned, cyber wasn't that sexy thing, and nobody cared about cybersecurity. And when you then had very few cybersecurity experts necking at cybercriminals, they got upset, of course. But these days, the situation is completely different. You have so many talented folks, so many cybersecurity experts who are necking cybercriminals every day, like Cryptolaemus, for example. Then, yeah, I think it's pretty hard for cybercriminals to go after all these security researchers. So the attack surface 15 years ago was much smaller because you only had very few cybersecurity experts. But these days, it's crowded...
PAUL ROBERTS
Bigger target on your head. Yeah, a lot more bodies on the battlefield, so to speak.
ROMAN HÜSSY
Exactly.
HRVOJE SAMARDŽIĆ
Glad to hear that. And glad to know there are no SWAT teams in Switzerland.
PAUL ROBERTS
Yeah, no SWAT teams in Switzerland. Is that an American only... Is that only in the U.S. that stuff happens?
HRVOJE SAMARDŽIĆ
Well, I don't know if anywhere else they would pop up at your door on a phone call. It would probably not be that easy...
PAUL ROBERTS
With an assault weapon, yeah.
HRVOJE SAMARDŽIĆ
Probably not go that easy.
PAUL ROBERTS
And body armor.
ROMAN HÜSSY
When they knocked on my door, they were pretty friendly. Okay, what are you doing while I'm sleeping?
PAUL ROBERTS
Hey, Roman Hüssy, Hrvoje Samardžić, thank you so much for coming on and talking to us on ConversingLabs. And Roman, we'll have to have you back on the show.
ROMAN HÜSSY
Thank you very much. Happy to participate, and thanks for the opportunity.
PAUL ROBERTS
Our pleasure. Great to have you.