Resource Smart YARA Scans: Saving CPU and Time with osquery

As attackers continually evolve their tactics, the arsenal of tools at hand for defenders needs to respond to attacker complexity while still enabling day-to-day business to happen.

When it comes to detecting malware, the arms race between attackers and defenders is certainly nothing new. The once seemingly simple battle between nuisance script kiddie worms and simple anti-virus software evolved over time into a much more complex and layered approach towards stopping powerful weapons against organizations to extort, incur damages, and steal intellectual property. For a long time now, malware-detection technologies have become more sophisticated as malware works harder than ever to gain access to a target machine and then conceal its presence as it runs.

To detect malware, defenders need a strategy and tools that can recognize it, even if it has been disguised! In the past, defenders have identified malware by it’s unique filehash signature (typically an MD5, SHA1, or SHA256 checksum). Colloquially you can think of a malware’s filehash signature like a fingerprint — it’s a unique identifier derived from the entire contents of a file, that reveals the malware’s true malicious nature. A downside of filehash based malware detection is that attackers can easily disguise their malware by adding blank lines or comments to their code so new variants have a totally new filehash, rendering detection with old filehash useless!

More advanced detection methods do not calculate a single signature from the entire file (something that is too easily changed), instead they use multiple signatures each of (Read more...)