Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Inactive Support Threads
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Software
Security Apps
Kaspersky
The Catcher in the YARA — predicting black swans
Message
<blockquote data-quote="Bot" data-source="post: 902675" data-attributes="member: 52014"><p>It’s been a long, long time since humanity has had a year like this one. I don’t think I’ve ever known a year with such a high concentration of black swans of various types and forms. And I don’t mean the kind <a href="https://en.wikipedia.org/wiki/Black_swan" target="_blank">with feathers</a>. I’m talking about unexpected events with far-reaching consequences, as per the <a href="https://en.wikipedia.org/wiki/Black_swan_theory" target="_blank">theory</a> of <a href="https://en.wikipedia.org/wiki/Nassim_Nicholas_Taleb" target="_blank">Nassim Nicholas Taleb</a>, published in 2007 in his book <em><a href="https://en.wikipedia.org/wiki/The_Black_Swan:_The_Impact_of_the_Highly_Improbable" target="_blank">The Black Swan: The Impact of the Highly Improbable</a></em>. One of the main tenets of the theory is that, with hindsight, surprising events that have already occurred seem obvious and predictable; however, before they occur, no one predicts them.</p><p></p><p>Example: this ghastly virus that’s had the world in lockdown since March. It turns out there’s a <a href="https://en.wikipedia.org/wiki/Coronaviridae" target="_blank">whole extended family</a> of <em>coronaviridae</em> — several dozen of them — and new ones are found regularly. Cats, dogs, birds, and bats all get them. Humans get them. Some cause common colds. Others manifest … differently. So, surely, we need to develop vaccines for them as we have for other deadly viruses such as smallpox, polio, and others. Sure, but having a vaccine doesn’t always help a great deal. Look at the flu — still no vaccine that inoculates folks after how many centuries? And anyway, even to start developing a vaccine you need to know what you’re looking for, and that is apparently more art than science.</p><p></p><p>So, why am I telling you this? What’s the connection to … well, it’s inevitably gonna be either cybersecurity or exotic travel, right?! Today, it’s the former.</p><p></p><p>Now, one of the most dangerous cyberthreats in existence is <a href="https://eugene.kaspersky.com/2012/05/25/the-dangers-of-exploits-and-zero-days-and-their-prevention/" target="_blank">zero-days</a> — rare, unknown (to cybersecurity folks et al.) vulnerabilities in software that can do oh-my-<em>grotesque</em> large-scale awfulness and damage — but they tend to remain undiscovered up until (or sometimes after) the moment they’re exploited.</p><p></p><p>However, cybersecurity experts have ways of dealing with ambiguity and predicting black swans. In this post I want to talk about one such means: <a href="https://en.wikipedia.org/wiki/YARA" target="_blank">YARA</a>.</p><p></p><p>Briefly, YARA aids malware research and detection by identifying files that meet certain conditions and providing a rules-based approach to creating descriptions of malware families based on textual or binary patterns. (Ooh, that sounds complicated. Read on for clarification.) Thus, it’s used to search for similar malware by identifying patterns. The aim is to be able to say that certain malicious programs look like they were made by the same folks, with similar objectives.</p><p></p><p>OK, let’s turn to another metaphor — like a black swan, another water-based one: the sea.</p><p></p><p>Let’s say your network is the ocean, which is full of thousands of kinds of fish, and you’re an industrial fisherman out on the ocean in your ship casting off huge drift nets to catch the fish — but only certain breeds of fish (malware created by particular hacker groups) are interesting to you. Now, the drift net is special. It has special compartments, and only fish of a particular breed (malware characteristics) get caught in each compartment.</p><p></p><p>Then, at the end of the shift, what you have is a lot of fish, all compartmentalized, some of which are relatively new, never-before-seen fish (new malware samples) about which you know practically nothing. But if they’re in a certain compartment — say, “Looks like Breed [hacker group] X” or “Looks like Breed [hacker group] Y.”</p><p></p><p>Here’s a <a href="https://www.wired.com/2016/01/hacking-team-leak-helps-kaspersky-researchers-find-zero-day-exploit/" target="_blank">case</a> that illustrates the fish/fishing metaphor. In 2015, our YARA guru and head of <a href="https://www.crn.com/news/storage/300075826/what-is-kasperskys-great.htm" target="_blank">GReAT</a>, Costin Raiu, went full-on cyber-Sherlock to find an exploit in Microsoft’s Silverlight software. You really should read that article, but, briefly, what Raiu did was carefully examine certain hacker-leaked e-mail correspondence to assemble a YARA rule from practically nothing, but that went on to help find the exploit and thus protect the world from mega-trouble. (The correspondence was from an Italian firm called Hacking Team — hackers hacking hackers!)</p><p></p><p>So, about these YARA rules…</p><p></p><p>We’ve been teaching the art of creating YARA rules for years. The cyberthreats that YARA helps uncover are rather complex, that’s why we always ran the courses in person — offline — and for only a narrow group of top cybersecurity researchers. Of course, since March, offline training has been tricky because of lockdown; however, the need for education has hardly gone away, and indeed we’ve seen no dip in interest in our courses.</p><p></p><p>That’s only natural: Cyber-baddies continue to think up ever-more-sophisticated attacks — <a href="https://eugene.kaspersky.com/2020/05/29/the-worlds-cyber-pulse-during-the-pandemic/" target="_blank">even more so</a> under lockdown. Accordingly, keeping our specialized know-how about YARA to ourselves during lockdown would have been just plain wrong. Therefore, we’ve (1) transferred our training format from offline to online, and (2) made it accessible to everyone. It’s not free, but for such a course at such a level (the very highest), the price is very competitive and market-level.</p><p></p><p><a href="https://xtraining.kaspersky.com/" target="_blank">Introducing</a>:</p><p></p><p><a href="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2020/09/01045737/cybersecurity-expert-training-scr1.jpg" target="_blank"><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2020/09/01045737/cybersecurity-expert-training-scr1.jpg" alt="Hunt APTs with YARA like a GReAT ninja" class="fr-fic fr-dii fr-draggable " style="" /></a></p><p></p><p>What else?</p><p></p><p>Ah, yes.</p><p></p><p>Now, given the ongoing virus-related troubles the world over, we’re continuing our assistance to those on the front lines. We started helping out at the start of the whole corona thing by giving <a href="https://www.kaspersky.com/blog/protecting-healthcare-organizations/34269/" target="_blank">free licenses to healthcare organizations</a>. Now we’re adding to that helping out a variety of nonprofit and nongovernmental organizations fighting for rights in various causes or focusing on making cyberspace a better place (the full list is <a href="https://www.kaspersky.com/about/press-releases/2020_from-the-comfort-of-your-own-couch-kaspersky-great-shares-expertise-on-threat-hunting-with-yara-in-new-online-training-course" target="_blank">here</a>). For them, our YARA training will be free.</p><p></p><p>Why? Because NGOs work with very sensitive information that can be <a href="https://technode.com/2019/10/09/china-hackers-minority-groups-ngo/" target="_blank">hacked in targeted attacks</a>, and not all NGOs can afford the luxury of a department of IT experts.</p><p></p><p><a href="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2020/09/01045746/cybersecurity-expert-training-scr2.jpg" target="_blank"><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2020/09/01045746/cybersecurity-expert-training-scr2.jpg" alt="Cybersecurity online training: Hands-on with a YARA rule" class="fr-fic fr-dii fr-draggable " style="" /></a></p><p></p><p>A quick run-through of what’s included in the course:</p><p></p><p>100% online, self-paced training. You can do the course intensely in a few evenings or spread it out over a month.</p><p></p><p>A combination of both theory and hands-on tasks. There’s a virtual lab for training in writing rules and searching for malware samples in our collection.</p><p></p><p>Practical exercises based on examples of real cyberespionage attacks.</p><p></p><p>A module about the art of looking for something about which you’ve no precise knowledge, when intuition tells you cyberevil is lurking somewhere but you don’t know where or which cyberevil in particular.</p><p></p><p>A certificate on completion confirming your new status as a YARA ninja. As previous graduates have told us, it really does help in their career.</p><p></p><p><a href="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2020/09/01045754/cybersecurity-expert-training-scr3.jpg" target="_blank"><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2020/09/01045754/cybersecurity-expert-training-scr3.jpg" alt="Cybersecurity online training exercise: BlueTraveller" class="fr-fic fr-dii fr-draggable " style="" /></a></p><p></p><p>So, there you have it, folks: another extremely useful potential string in your bow for fighting highly sophisticated cyberthreats. Meanwhile, it’s business as usual here at <em>K</em>, where we continue our cyberdetective work so we’ll be able to share still more of our very latest know-how and practical experience in fighting the good fight.</p><p></p><p><a href="https://www.kaspersky.com/blog/cybersecurity-expert-training/36887/" target="_blank">Source</a></p></blockquote><p></p>
[QUOTE="Bot, post: 902675, member: 52014"] It’s been a long, long time since humanity has had a year like this one. I don’t think I’ve ever known a year with such a high concentration of black swans of various types and forms. And I don’t mean the kind [URL='https://en.wikipedia.org/wiki/Black_swan']with feathers[/URL]. I’m talking about unexpected events with far-reaching consequences, as per the [URL='https://en.wikipedia.org/wiki/Black_swan_theory']theory[/URL] of [URL='https://en.wikipedia.org/wiki/Nassim_Nicholas_Taleb']Nassim Nicholas Taleb[/URL], published in 2007 in his book [I][URL='https://en.wikipedia.org/wiki/The_Black_Swan:_The_Impact_of_the_Highly_Improbable']The Black Swan: The Impact of the Highly Improbable[/URL][/I]. One of the main tenets of the theory is that, with hindsight, surprising events that have already occurred seem obvious and predictable; however, before they occur, no one predicts them. Example: this ghastly virus that’s had the world in lockdown since March. It turns out there’s a [URL='https://en.wikipedia.org/wiki/Coronaviridae']whole extended family[/URL] of [I]coronaviridae[/I] — several dozen of them — and new ones are found regularly. Cats, dogs, birds, and bats all get them. Humans get them. Some cause common colds. Others manifest … differently. So, surely, we need to develop vaccines for them as we have for other deadly viruses such as smallpox, polio, and others. Sure, but having a vaccine doesn’t always help a great deal. Look at the flu — still no vaccine that inoculates folks after how many centuries? And anyway, even to start developing a vaccine you need to know what you’re looking for, and that is apparently more art than science. So, why am I telling you this? What’s the connection to … well, it’s inevitably gonna be either cybersecurity or exotic travel, right?! Today, it’s the former. Now, one of the most dangerous cyberthreats in existence is [URL='https://eugene.kaspersky.com/2012/05/25/the-dangers-of-exploits-and-zero-days-and-their-prevention/']zero-days[/URL] — rare, unknown (to cybersecurity folks et al.) vulnerabilities in software that can do oh-my-[I]grotesque[/I] large-scale awfulness and damage — but they tend to remain undiscovered up until (or sometimes after) the moment they’re exploited. However, cybersecurity experts have ways of dealing with ambiguity and predicting black swans. In this post I want to talk about one such means: [URL='https://en.wikipedia.org/wiki/YARA']YARA[/URL]. Briefly, YARA aids malware research and detection by identifying files that meet certain conditions and providing a rules-based approach to creating descriptions of malware families based on textual or binary patterns. (Ooh, that sounds complicated. Read on for clarification.) Thus, it’s used to search for similar malware by identifying patterns. The aim is to be able to say that certain malicious programs look like they were made by the same folks, with similar objectives. OK, let’s turn to another metaphor — like a black swan, another water-based one: the sea. Let’s say your network is the ocean, which is full of thousands of kinds of fish, and you’re an industrial fisherman out on the ocean in your ship casting off huge drift nets to catch the fish — but only certain breeds of fish (malware created by particular hacker groups) are interesting to you. Now, the drift net is special. It has special compartments, and only fish of a particular breed (malware characteristics) get caught in each compartment. Then, at the end of the shift, what you have is a lot of fish, all compartmentalized, some of which are relatively new, never-before-seen fish (new malware samples) about which you know practically nothing. But if they’re in a certain compartment — say, “Looks like Breed [hacker group] X” or “Looks like Breed [hacker group] Y.” Here’s a [URL='https://www.wired.com/2016/01/hacking-team-leak-helps-kaspersky-researchers-find-zero-day-exploit/']case[/URL] that illustrates the fish/fishing metaphor. In 2015, our YARA guru and head of [URL='https://www.crn.com/news/storage/300075826/what-is-kasperskys-great.htm']GReAT[/URL], Costin Raiu, went full-on cyber-Sherlock to find an exploit in Microsoft’s Silverlight software. You really should read that article, but, briefly, what Raiu did was carefully examine certain hacker-leaked e-mail correspondence to assemble a YARA rule from practically nothing, but that went on to help find the exploit and thus protect the world from mega-trouble. (The correspondence was from an Italian firm called Hacking Team — hackers hacking hackers!) So, about these YARA rules… We’ve been teaching the art of creating YARA rules for years. The cyberthreats that YARA helps uncover are rather complex, that’s why we always ran the courses in person — offline — and for only a narrow group of top cybersecurity researchers. Of course, since March, offline training has been tricky because of lockdown; however, the need for education has hardly gone away, and indeed we’ve seen no dip in interest in our courses. That’s only natural: Cyber-baddies continue to think up ever-more-sophisticated attacks — [URL='https://eugene.kaspersky.com/2020/05/29/the-worlds-cyber-pulse-during-the-pandemic/']even more so[/URL] under lockdown. Accordingly, keeping our specialized know-how about YARA to ourselves during lockdown would have been just plain wrong. Therefore, we’ve (1) transferred our training format from offline to online, and (2) made it accessible to everyone. It’s not free, but for such a course at such a level (the very highest), the price is very competitive and market-level. [URL='https://xtraining.kaspersky.com/']Introducing[/URL]: [URL='https://media.kasperskydaily.com/wp-content/uploads/sites/92/2020/09/01045737/cybersecurity-expert-training-scr1.jpg'][IMG alt="Hunt APTs with YARA like a GReAT ninja"]https://media.kasperskydaily.com/wp-content/uploads/sites/92/2020/09/01045737/cybersecurity-expert-training-scr1.jpg[/IMG][/URL] What else? Ah, yes. Now, given the ongoing virus-related troubles the world over, we’re continuing our assistance to those on the front lines. We started helping out at the start of the whole corona thing by giving [URL='https://www.kaspersky.com/blog/protecting-healthcare-organizations/34269/']free licenses to healthcare organizations[/URL]. Now we’re adding to that helping out a variety of nonprofit and nongovernmental organizations fighting for rights in various causes or focusing on making cyberspace a better place (the full list is [URL='https://www.kaspersky.com/about/press-releases/2020_from-the-comfort-of-your-own-couch-kaspersky-great-shares-expertise-on-threat-hunting-with-yara-in-new-online-training-course']here[/URL]). For them, our YARA training will be free. Why? Because NGOs work with very sensitive information that can be [URL='https://technode.com/2019/10/09/china-hackers-minority-groups-ngo/']hacked in targeted attacks[/URL], and not all NGOs can afford the luxury of a department of IT experts. [URL='https://media.kasperskydaily.com/wp-content/uploads/sites/92/2020/09/01045746/cybersecurity-expert-training-scr2.jpg'][IMG alt="Cybersecurity online training: Hands-on with a YARA rule"]https://media.kasperskydaily.com/wp-content/uploads/sites/92/2020/09/01045746/cybersecurity-expert-training-scr2.jpg[/IMG][/URL] A quick run-through of what’s included in the course: 100% online, self-paced training. You can do the course intensely in a few evenings or spread it out over a month. A combination of both theory and hands-on tasks. There’s a virtual lab for training in writing rules and searching for malware samples in our collection. Practical exercises based on examples of real cyberespionage attacks. A module about the art of looking for something about which you’ve no precise knowledge, when intuition tells you cyberevil is lurking somewhere but you don’t know where or which cyberevil in particular. A certificate on completion confirming your new status as a YARA ninja. As previous graduates have told us, it really does help in their career. [URL='https://media.kasperskydaily.com/wp-content/uploads/sites/92/2020/09/01045754/cybersecurity-expert-training-scr3.jpg'][IMG alt="Cybersecurity online training exercise: BlueTraveller"]https://media.kasperskydaily.com/wp-content/uploads/sites/92/2020/09/01045754/cybersecurity-expert-training-scr3.jpg[/IMG][/URL] So, there you have it, folks: another extremely useful potential string in your bow for fighting highly sophisticated cyberthreats. Meanwhile, it’s business as usual here at [I]K[/I], where we continue our cyberdetective work so we’ll be able to share still more of our very latest know-how and practical experience in fighting the good fight. [url="https://www.kaspersky.com/blog/cybersecurity-expert-training/36887/"]Source[/url] [/QUOTE]
Insert quotes…
Verification
Post reply
Top