YARA Rule Processing in Magnet AXIOM Cyber for community-driven identification of malware and other indicators of compromise
With over 300,000 new instances of malware being detected every day, it is virtually impossible for organizations or antivirus tools to independently keep pace with cybersecurity threats. YARA provides a platform for the cybersecurity community to work together and identify the very latest malware threats.
But What is YARA?
YARA is an open-source tool, commonly referred to as “The pattern matching Swiss knife for malware researchers.” Originally developed by Victor M. Alvarez, YARA uses rule-based approach to characterize malware families based on textual or binary patterns.
As for the actual meaning of the acronym? Alvarez left it open with two options: “YARA is an acronym for: YARA: Another Recursive Acronym, or Yet Another Ridiculous Acronym. Pick your choice.”
YARA Rule Processing in AXIOM Cyber
Once your data has been processed, positive matches for the selected YARA rules are included in an enumerated artifact summary of all detected threats. A deeper examination of each match can be done using the hex card view, which indicates where in the file a match was detected.
YARA matches can also be combined with the Connections and Timeline capabilities of AXIOM to quickly identify the source of the compromise and develop a remediation strategy.
Adding YARA Rules
A set of common YARA rules have been included with AXIOM Cyber and you can easily add any additional rules you might have. As malware threats emerge, new YARA rules can be added to the AXIOM Cyber processing engine through the configuration menu. Because these rules come from the frontlines of the cybersecurity community, they often provide the fastest (or only) means of identifying the very latest threats.
To help keep your YARA rules current with the latest versions, we have added the option to paste a YARA rules Git repository link into AXIOM Cyber to add all of the rules in that repository automatically. Once you add a YARA Git repository to your set of rules in AXIOM Cyber, you can prompt a sync to the repository at any time to update the rules and add the latest additions.
Custom YARA rules can also be created to identify unique threats targeting your organization. The YARA syntax resembles the commonly used C language and a guide for writing rules is included in the YARA documentation.
Get Magnet AXIOM Cyber Today!
We are extremely excited about the incident response capabilities that YARA rule processing brings to AXIOM Cyber and the flexibility it provides to identify malware and other IOCs.
If you want to try AXIOM Cyber for yourself, request a free trial today!