The Claroty Blog

Leveraging YARA Rules for Early Malware Detection

Dudi Benvenishti | Security Researcher

Advanced malware threats, typically used to disrupt and devastate industrial processes, are slow and lengthy: they seep into vulnerable industrial systems to carry out reconnaissance and lateral movement before finally executing their assault.

The attack carried out by the WannaCry ransomware remains a ubiquitous example of the breadth of these types of attack, even after making headlines some two years ago.

The worm propagated rapidly through the EternalBlue exploit, which takes advantage of a flaw in Windows' Server Message Block (SMB) protocol, infecting systems and promptly spreading onward. Thousands of servers, and the sensitive data within them, were to remain encrypted unless a demand for payment, typically between $300 and $600 worth of bitcoin, was met. It was reported that during its short 4-day run the ransomware infected more than 300,000 endpoints in over 150 countries, with losses estimated at $4 billion. Beyond this, the reverberations of the infiltration were felt globally, affecting health and medical services in the UK and European automotive manufacturers.

This attack signaled a dramatic change in mindset around the way organizations secure their networks and environments. Even so, industries need to keep evolving their approaches to security, because the nature of malware attacks, and of attacks in general, continues to evolve.

YARA – In A Nutshell

YARA is a tool aimed at (but not limited to) identifying and classifying malware samples. Security researchers and analysts can use YARA to create descriptions of malware families based on textual or binary patterns. Each description (or rule) consists of a set of named strings and a Boolean condition over those strings, which together determine the rule's logic, so that detection can be tailored to the exact malware sample under analysis.
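To make the "strings plus Boolean condition" structure concrete, here is an added example (not code from the original post or from Claroty) that implements a minimal YARA-style matcher in Python and evaluates one hypothetical rule over constructed byte buffers. The rule, its strings and the sample data are all placeholders invented for this example, not real malware signatures or IoCs; the matcher mirrors YARA semantics for text strings, hex strings with the "??" one-byte wildcard, "at 0" offset checks and "filesize", and it also shows why data blocks of a transfer must be reassembled before matching: a pattern that straddles a block boundary is missed when blocks are scanned one at a time.

```python
"""Minimal YARA-style matcher: a rule is a set of named strings plus a Boolean condition."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Condition callback: (string identifier -> match offsets, data length) -> bool
Condition = Callable[[Dict[str, List[int]], int], bool]


@dataclass
class Rule:
    name: str
    strings: Dict[str, re.Pattern]  # identifier ("$mz", "$a", ...) -> compiled pattern
    condition: Condition


def text_string(text: str) -> re.Pattern:
    """YARA text string, e.g. $a = "some text" (case-sensitive, no modifiers)."""
    return re.compile(re.escape(text.encode()), re.DOTALL)


def hex_string(spec: str) -> re.Pattern:
    """YARA hex string, e.g. $h = { 4D 5A ?? 00 }; '??' is a one-byte wildcard."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in spec.strip("{} ").split()]
    return re.compile(b"".join(parts), re.DOTALL)


def find_all(pattern: re.Pattern, data: bytes) -> List[int]:
    """Offsets of every occurrence, overlapping ones included, as YARA reports them."""
    lookahead = re.compile(b"(?=" + pattern.pattern + b")", re.DOTALL)
    return [m.start() for m in lookahead.finditer(data)]


def example_rule() -> Rule:
    """Hypothetical rule constructed for this example (not a real signature).
    Equivalent YARA source:
        rule example_dropper {
            strings:
                $mz   = { 4D 5A }                 // DOS/PE header magic
                $text = "EXAMPLE_MARKER_STRING"   // placeholder text artefact
                $hex  = { DE AD ?? BE EF }        // placeholder code fragment
            condition:
                $mz at 0 and filesize < 1MB and ($text or $hex)
        }
    """
    return Rule(
        name="example_dropper",
        strings={"$mz": hex_string("4D 5A"),
                 "$text": text_string("EXAMPLE_MARKER_STRING"),
                 "$hex": hex_string("DE AD ?? BE EF")},
        condition=lambda m, size: (0 in m["$mz"]) and size < 1024 * 1024
        and (bool(m["$text"]) or bool(m["$hex"])),
    )


def scan(rule: Rule, data: bytes) -> dict:
    """Locate every string, then evaluate the rule's condition on the results."""
    offsets = {ident: find_all(pat, data) for ident, pat in rule.strings.items()}
    return {"rule": rule.name,
            "matched": rule.condition(offsets, len(data)),
            "offsets": offsets}


def scan_reassembled(rule: Rule, blocks: List[bytes]) -> dict:
    """Join the data blocks of one transfer before matching, so a pattern that
    straddles a block boundary is still found (per-block scanning misses it)."""
    return scan(rule, b"".join(blocks))


# Constructed sample buffers (not real files or captures).
BENIGN = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 100
SUSPECT = b"MZ" + b"\x00" * 62 + b"\xDE\xAD\x42\xBE\xEF" + b"\x00" * 100
# The suspect bytes split so that the hex pattern crosses the block boundary.
SUSPECT_BLOCKS = [SUSPECT[:66], SUSPECT[66:]]

if __name__ == "__main__":
    rule = example_rule()
    print("benign :", scan(rule, BENIGN)["matched"])
    print("suspect:", scan(rule, SUSPECT)["matched"])
    print("per-block:", [scan(rule, b)["matched"] for b in SUSPECT_BLOCKS])
    print("reassembled:", scan_reassembled(rule, SUSPECT_BLOCKS)["matched"])
```

The condition is written as a Python callable rather than parsed from rule text, so the example covers the matching engine and not YARA's rule grammar; a production deployment would hand the same rule source to libyara (for example through the yara-python bindings) instead.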

To understand the applications of YARA more concretely, let's consider two potential scenarios: the first using a traditional IT-centric off-the-shelf approach, and the second using an OT-oriented YARA rule and signature corroboration process.

Scenario I – Traditional Off-The-Shelf Solutions

On the one hand, integrating YARA rules directly into existing OT networks and analyzing traffic with off-the-shelf tools (e.g. Tshark) offers a simple answer and delivers immediate value. On the other hand, this method only operates in offline mode, meaning that it cannot ingest and analyze live network traffic, and it requires manually building an engine powerful enough to match network traffic against known YARA signatures and rules.

While traditional threat detection and network monitoring solutions provide a solid security foundation, they tend to fall short in protecting against persistent advanced malware and OT-specific threats. These disadvantages of traditional threat detection are well known and extensive.

Traditional threat detection methods lack agility in gathering or customizing rules. While pre-made YARA rules can be found online, they require heavy customization to answer OT-specific needs. Session reconstruction and encryption also remain a pain point: file transfers and network traffic are typically compressed, and when this is coupled with the inability to handle encrypted traffic, the result is long, tedious, time-consuming manual labor with a high likelihood of failure.

When dealing with critical infrastructure, any likelihood of failure cannot be considered an option, as more often than not the repercussions could be devastating to human life.

Having established that not all that glitters is gold, let us consider the alternative.

Scenario II – Proactive Threat Hunting

Proactive, real-time threat hunting begins by delivering OT-specific contextual intelligence alongside each alert, with details on the observed asset. With Claroty's latest release, CTD customers receive the benefits of Claroty Threat Intelligence (CTI), a highly curated, multi-source, and tailored feed that enriches Root Cause Analytics (RCA) with proprietary research and analysis of OT zero-day vulnerabilities and ICS-specific indicators of compromise (IoCs) linked to adversary tactics, techniques, and procedures (TTPs). CTI's YARA rules run on OT-asset configuration changes and code sections, not just IT artifacts.

By examining network traffic and the protocols in use, the YARA engine detects artifacts and IoCs and raises alerts on them. Consequently, by combining multiple types of signature- and rule-based detection, SOC and security researchers can proactively identify operational anomalies and match patterns found in data blocks (specific code sections) against known OT-specific malware artifacts and IoCs.

Looking back at the WannaCry ransomware example, which propagated using the SMB protocol, researchers and analysts can immediately start investigating critical IoCs, using a set of predefined YARA rules to monitor propagation throughout the network.

Upon initial installation of the YARA rules, this system would identify an asset attempting to establish communication with an external server. After matching this behavior against a set of predefined OT-specific YARA signatures, researchers could proactively identify infected files and receive and relay real-time alerts on the presence of the malware in the network.

Then, relying on behavioral anomaly recognition and multiple types of signature- and rule-based detection, these same real-time results are correlated with operational context to rapidly provide insight into the occurrence, harm-reduction tactics, and forensic analysis.

Lastly, by leveraging the investment already made in the existing network security stack and other network infrastructure, SOC and security teams can automate the enforcement of micro-segmentation within the OT environment to stop unwanted or malicious communications.

See how Claroty equips threat hunters and incident responders with the needed context to detect and prevent targeted attacks early in the kill chain and mitigate the consequences of malware infections.
