Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

How YARA Rules Can Complement NDR for Malware Detection

Written by Cynthia Gonzalez | Dec 11, 2024 1:03:27 AM

The Verizon 2024 Data Breach Investigations Report found that system intrusion is the leading attack pattern for the third consecutive year, accounting for 36% of breaches. System intrusion largely consists of a threat actor using hacking techniques and malware to infiltrate the victim organization. 

Following a successful intrusion, the attacker continues on a multi-stage process:

  1. Establish command and control
  2. Explore the IT network
  3. Find a target
  4. Extract the data

The longer an attacker remains undetected, the greater their opportunity to find a target and extract data. And as long as criminals continue to benefit from breaching organizations–whether it’s financial, reputational, or for their personal satisfaction–SOC teams must continue to strengthen their defenses and guard against the many threats to their organization.

File-based attacks are a common system intrusion method because they’re often easy to deliver, easy to disguise, and they can support various malicious activities. Moreover, they rely on user interaction, like clicking a link or opening a file, which offers a higher probability of success. 

Many endpoint detection and response (EDR) solutions use static and dynamic file analysis to identify attackers trying to break in, as well as hidden malware files. However, relying solely on EDR for file analysis has limitations.

File analysis limitations of EDR

  1. Limited visibility. EDR tools monitor and analyze endpoint activities on an organization’s network. However, they collect data only from endpoints where EDR is deployed, which means visibility is limited in systems where EDR is not or cannot be deployed, such as legacy OSs, sensitive networks and OT environments. What’s more, many threats infiltrate an organization through the network via email links or attachments, and bypass endpoint detection.

  2. Difficult to scale. Existing security tools like EDR/EPP, email security, and sandboxes often need to review and run each file individually to analyze for malicious activity. This process can be time-consuming and lacks the scalability to process and fully analyze increasingly complex files and objects where advanced malware can hide.

  3. Increased false positives. EDR solutions often generate a large number of alerts and false positives. That is because they rely on behavioral indicators and heuristic analysis to identify threats. In diverse user environments, this can lead to legitimate activities being misinterpreted as malicious, resulting in an increase in false positives.

  4. Malware detection failures. Malicious dynamic link libraries (DLLs) are a common method used by attackers to execute malicious payloads on infected systems. This can be done by generating an unsigned DLL with a suspicious filename. However, these threats can be easily missed if the hash value of the DLL does not match a value in the EDR database.

  5. Insufficient context. Advanced attacks like modular remote access trojans (RATs) are often spread through malicious email attachments or fake software. A RAT gives an attacker remote access and control of a device. However, a RAT only downloads required features from the command and control server as needed, which makes detection difficult without the network context.

  6. EDR bypass. EDR solutions are effective at detecting and responding to threats; however, attackers are constantly finding new ways to bypass EDR detection. Malware can be delivered with EDR bypass techniques such as DLL sideloading, obfuscating a command line, or using code-signed malware.

File analysis with NDR can help fill the gap

Network Detection and Response (NDR) is a cybersecurity technology that continuously monitors network traffic from physical and cloud-based environments to enable security teams to detect adversary activity, respond to incidents, and shore up their security posture.

Complementing NDR with YARA (Yet Another Recursive Acronym) enables SOC teams to leverage shared intelligence from the malware analysis community to proactively detect variants of known malware within their organization and escalate for incident response.

YARA is an open-source tool that specializes in finding malicious files by identifying malware families, not exact matches. Security professionals can scan for unique strings, binary patterns, or behavior patterns in extracted files like executables, PDFs, archives, or office documents, to identify malware families—that is, malware that shares common code but is not identical.
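A constructed rule of the kind described above (an added example, not from the original post or from Corelight): it identifies a hypothetical family by shared text strings and a wildcarded byte pattern rather than by file hash, so a rebuilt sample with a new hash still matches. The family name, strings and byte pattern are placeholders, not real indicators.

```yara
// Constructed example rule. Family name, strings and bytes are hypothetical
// placeholders chosen to illustrate the technique, not real malware indicators.
import "pe"

rule ExampleFamily_Loader
{
    meta:
        description = "Hypothetical loader family matched on shared code traits, not hash"
        author      = "constructed example"
        confidence  = "medium"

    strings:
        // Text strings that tend to survive rebuilds of the same code base
        $s1 = "ExampleFamily_Mutex_v" ascii wide
        $s2 = "/gate.php?id=" ascii
        $s3 = "CreateRemoteThread" ascii

        // Code pattern: push <imm32>; call <rel32>; add esp,4; test eax,eax; jz
        // The ?? wildcards absorb the immediate and call target, which change
        // from build to build while the surrounding instruction shape does not.
        $h1 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 }

    condition:
        // PE file (MZ header) small enough to plausibly be a loader
        uint16(0) == 0x5A4D and filesize < 2MB
        // Fire on a combination of traits so one changed string does not evade
        and ( 2 of ($s*) or $h1 )
        // Unsigned DLLs are the case the EDR-limitations section above calls out;
        // signed files still match on strong evidence (the byte pattern).
        and ( pe.number_of_signatures == 0 or $h1 )
}
```

A rule like this runs over files the NDR sensor extracts from network sessions, so it covers hosts where no endpoint agent is installed.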

NDR with YARA helps SOC teams detect known malware, one of the leading methods of intrusion used by attackers. Detecting malware helps security teams defend against attackers trying to gain access to their organization’s networks or machines, and can prevent the attackers from carrying out their plans whether it’s sabotage, extortion, or espionage. YARA rules scan extracted files on a system, in emails, or within network traffic, enabling swift detection without relying on host-based EDR tools.

NDR-YARA closes a visibility gap by inspecting files at the network level and scanning for known malware families. YARA rules can also help detect emerging malware or advanced persistent threats (APTs), enhancing security posture and reducing the risk of an attack for organizations that choose to adopt these two technologies.

Together, NDR and YARA can help security teams detect attackers at break-in, and follow attackers that successfully breach an organization, as they move through the network in search of their next payday. Detecting threat actors earlier in the attack process limits the time a threat actor has to advance within the network in search of data to exfiltrate, and minimizes the potential exposure to a threat.

The Benefits of NDR and file analysis powered by YARA

  • Close visibility gaps. YARA rules provide file inspection at the network layer, closing a gap on devices where endpoint technology isn’t deployed. 
  • Scalable. YARA enables enterprises to systematically analyze millions of files without performance implications. 
  • Enhanced threat detection. Integrating YARA rules with NDR helps detect known threats and suspicious patterns effectively, improving the overall threat detection capabilities. 
  • Proactive threat hunting. By leveraging YARA rules, security teams can proactively identify potential threats before they execute, enabling a more proactive approach to threat hunting and incident response. 
  • Customizable rules. YARA rules can be customized to fit specific organizational needs, allowing for tailored threat detection based on unique threat landscapes and security requirements. 
  • Improved incident response. Quick identification of malicious files through YARA streamlines the incident response process, enabling faster remediation and reducing potential damage from attacks.

The Corelight Open NDR Platform

Corelight transforms network and cloud activity into evidence that security teams use to proactively hunt for threats, accelerate response to incidents, gain complete network visibility and create powerful analytics. The Corelight Open NDR platform combines dynamic network detections, AI, intrusion detection (IDS), network security monitoring (NSM) and packet capture (PCAP) in a single security tool that’s powered by proprietary and open-source technologies Zeek® and Suricata®. With Corelight, you can transform network and cloud activity into evidence to stay ahead of ever-changing attacks.