The tongue-in-cheek named malware detection tool, Yet Another Recursive Acronym (YARA) is described as “the pattern-matching Swiss Army knife for malware researchers (and everyone else)”. The Sumo Logic Cloud SIEM platform is one of the first SIEM solutions to incorporate it as a built-in feature. This gives blue teamers an additional layer of detection built into the SIEM. Sumo Logic also makes it easy to load and manage YARA rules repositories from GitHub by taking advantage of existing community YARA rules. Below are a few use cases around suspicious PDF documents and how a blue teamer can utilize this feature.
First let’s quickly go over how the Cloud SIEM platform utilizes YARA. The CSE platform comes with a packaged Bro/Zeek network sensor. The network sensor is configured to extract certain file types like PDF, zip, word docs, and more. Once extracted, the files are shipped to the CSE platform and run through the YARA rules engine. If there’s a match, a signal alert is created. Whether or not there’s a match on the rules engine, the file is written to S3. The CSE can also take carved files from Corelight or other Bro/Zeek Vendors.
In this first example, we will create a manual YARA rule inside the CSE platform. To do this, click on the content menu drop-down and select YARA. Then, select add YARA rules manually.
After selecting the custom YARA rules, the next step is to give the new source a name and description. Think of this as creating a folder structure for different YARA rules. When finished, we need to add a custom source.
Inside the folder, select add rule. We’re given a sample expression to help us build the new YARA rule. You also have the option to add a description to the rule and note the severity.
In the example, we created a YARA rule that looks for one or two links in a PDF. Notice the severity is marked as a 1, I consider this a weak signal. A weak signal is a feature of intrusion activity and malware that are inherently non-evil but are uncommon or rare enough to be useful, and then combine those things in surface sets of activity that are especially unusual or interesting.
Once the above rule is added, anytime the Bro/Zeek network sensor extracts a PDF file with one or two links in it, it will generate a signal. An analyst can now see everything about the PDF including hashes and the source where it was downloaded from. The analyst can also download the PDF from inside the signal if further analysis if needed.
If you’re not a YARA ninja, but find PDFs to be inherently suspicious in your environment, there is always GitHub. The CSE platform now has the capability to import a YARA repository directory. Follow the above steps, but instead of adding a custom source select GitHub., This will automatically add a source from GitHub. Simply add the URL and give it a default severity.
We now have 23 new YARA rules automatically providing an additional layer of detection related to suspicious PDFs without having to do much work.
With this new built-in YARA capability, it’s easier for security operations to use YARA. Analysts can create their own YARA rules or import YARA rules repositories from GitHub. Blue teamers now have an additional layer of detection that automatically correlates suspicious or malicious files with other signals within their SIEM.
