Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Corelight Delivers Static File Analysis With YARA Integration | Corelight

Written by Christopher Sather | Dec 11, 2024 12:56:52 PM

Malicious files continue to be a significant threat to organizations; SonicWall reported more than six billion malware attacks in 2023. To help organizations prepare for and stay ahead of these threats, we’re introducing an integration with YARA that offers a deeper level of inspection for files across enterprise networks while helping security teams consolidate their toolset in the process.

The idea for this integration began when a Corelight customer told us they wanted to retire their existing file analysis tool and consolidate those capabilities on Corelight sensors. What followed confirmed the value of analyzing files on the network. By delivering static file analysis powered by YARA on Corelight sensors, we will help our customers improve their detection rates.

What is YARA?

YARA is an open-source pattern-matching tool built for identifying and classifying files. A YARA rule describes a file by the text strings, byte sequences (with wildcards), and regular expressions it contains, combined with a boolean condition over those matches and over file properties such as size or a header value. Threat hunters write rules that describe malware families and raise alerts when a file matches. Because rules inspect the content of a file rather than only its hash, a single-byte change that defeats a hash-based blocklist does not necessarily defeat the rule. YARA rules can be uploaded to a Corelight sensor and applied to files observed in network traffic.

Open-source roots

Similar to Zeek® and Suricata®, two foundational elements of our Open NDR solution, YARA is an open-source technology that leans on a broad research community that builds and shares rules in an effort to help secure organizations from cyber threats. YARA perfectly complements our solutions and aligns with our core philosophy and open-source strategy.

With YARA, Corelight customers will be able to increase detection rates by gaining visibility into files and inspecting their contents for known threats at scale. Correlated with the other evidence Corelight delivers, including Zeek and Suricata logs, a YARA match carries its context (which host, which connection, which protocol and file), so security teams see more of what is happening in their network, triage faster, and reduce false positives.

A unique capability among NDR vendors, the Corelight Open NDR Platform and YARA integration helps security teams:

  1. Address new threats. YARA is flexible when it comes to rule creation. Rules shared by the open-source community are readily available, and organizations can also write rules tailored to their own environment. A threat hunter who knows what to look for can pick up an existing rule or write one for an emerging threat, then check whether matching files are already moving through the organization's network.

  2. Consolidate tools: Many security organizations still run legacy file analysis components. Many of these tools are black boxes: because the software is proprietary, they do not show why a file was flagged. Corelight integrates static file analysis on its sensors, eliminating the need for separate software that scans files for malware-associated patterns. And because the rules are plain text written by threat hunters, every detection can be traced back to the exact strings and condition that fired.

 

So how does it work?

  1. Select file types. Once the integration is enabled, choose which files YARA rules should scan by MIME type, for example Office documents or PDFs. Scoping rules to the file types they were written for keeps scanning cost down and avoids matches on unrelated content.

  2. Define rules. Rules are uploaded and managed in Fleet Manager. There you upload a plain-text rule file that defines each rule's name, strings, condition, and metadata, and you can edit or customize the rule afterward.

  3. Scan. The sensor applies the rules to files it extracts from network traffic and writes an entry to the notice log when a file matches. Those notices can be sent as alerts to Corelight Investigator (coming Q1) or to an XDR or SIEM for response.
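As an added illustration of the rule anatomy the steps above describe (name, strings, condition, metadata) and of the content-based matching that the "What is YARA?" section contrasts with hashing, here are two rules written for this post. They are example code, not Corelight's own rules and not anything Corelight ships; they assume standard YARA syntax and that step 1 scoped scanning to PDF and Office MIME types. The indicators are generic heuristics (JavaScript wired to run on open in a PDF; an embedded VBA project in an Office file) meant to be tuned, not signatures for any specific malware family.

```yara
/*
 * Example rules (not Corelight's): flag PDFs that attach JavaScript to an
 * open-time trigger, and Office files that carry a VBA project.
 * Indicator choices are generic heuristics; expect some benign hits and tune.
 */

rule PDF_JavaScript_On_Open
{
    meta:
        description = "PDF with JavaScript bound to an OpenAction or Additional Action trigger"
        author      = "example for this post, not Corelight"
        reference   = "PDF 32000-1, 7.3.5 (name escapes) and 12.6 (actions)"
        severity    = "medium"

    strings:
        // The header may sit after up to 1024 bytes of leading junk that
        // readers tolerate, so it is located with 'in' below, not 'at 0'.
        $magic = "%PDF-"

        // PDF name tokens may spell any character as #hh (two hex digits),
        // so "/JavaScript" can be written "/Java#53cript" to dodge a plain
        // string match. Each character below accepts either spelling.
        $js_full  = /\/(J|#4[aA])(a|#61)(v|#76)(a|#61)(S|#53)(c|#63)(r|#72)(i|#69)(p|#70)(t|#74)/
        $js_short = /\/(J|#4[aA])(S|#53)\b/
        $open     = /\/(O|#4[fF])(p|#70)(e|#65)(n|#6[eE])(A|#41)(c|#63)(t|#74)(i|#69)(o|#6[fF])(n|#6[eE])/
        $aa       = /\/(A|#41)(A|#41)\b/

    condition:
        // Require the PDF header so the strings alone cannot fire on other
        // content, cap the size so scanning stays cheap, and demand both a
        // JavaScript reference and an automatic trigger.
        $magic in (0..1024) and
        filesize < 20MB and
        any of ($js*) and
        any of ($open, $aa)
}

rule Office_With_VBA_Project
{
    meta:
        description = "Office document (legacy OLE2 or OOXML) that embeds a VBA project"
        author      = "example for this post, not Corelight"
        severity    = "low"

    strings:
        // Legacy .doc/.xls/.ppt: OLE2 compound file header, as a hex string.
        $ole_magic = { D0 CF 11 E0 A1 B1 1A E1 }
        // OLE directory entry names are stored UTF-16LE, hence 'wide'.
        $ole_vba   = "_VBA_PROJECT" wide
        // .docm/.xlsm/.pptm: a zip archive whose entry names are ASCII.
        $zip_magic = { 50 4B 03 04 }
        $zip_vba   = "vbaProject.bin" ascii

    condition:
        ($ole_magic at 0 and $ole_vba) or
        ($zip_magic at 0 and $zip_vba)
}
```

Before uploading a rule file in Fleet Manager, it is worth compiling and running it locally against a directory of known-good and known-bad samples with the YARA command line (`yara -r rules.yar samples/`), so that syntax errors and noisy indicators such as the `/JS` shorthand are caught on the bench rather than in the notice log.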

The Corelight Open NDR Platform and YARA

Corelight transforms network and cloud activity into evidence that security teams use to proactively hunt for threats, accelerate response to incidents, gain complete network visibility, and create powerful analytics. The Corelight Open NDR Platform combines dynamic network detections, AI, intrusion detection (IDS), network security monitoring (NSM), and packet capture (PCAP) in a single security tool that’s powered by proprietary and open-source technologies Zeek and Suricata. 

Integrating the Corelight Open NDR Platform with YARA lets security teams write pattern-based rules that quickly analyze large volumes of files, aiding malware identification, proactive threat hunting with IoCs, and automated malware analysis, and helping them stay ahead of the pervasive threats to their organizations.

To learn more about the benefits of this integration, read our solution brief.