Sweeping your environment to find the evil
Almost all cases start with one or more leads. If there are too many leads, the investigator may need to validate them one by one, which is very time-consuming. If there are too few, investigators do not have enough information to continue the case. Neither situation is good for the investigation, and both can slow down resolution.
Triage is the process of prioritizing the evidence that investigators will analyze. Prioritizing this evidence is not a straightforward or easy job; an investigator needs a lot of data, leads, or experience to do it well, so they generally rely on known attack indicators, called indicators of compromise (IOCs). An indicator of compromise (IOC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
Indicator of compromise
An investigator or analyst will generally scan all of the system data, or part of it, to discover these IOCs. A match typically means that the system is related to a specific attack type and needs to be investigated first. Investigators define IOCs and scan for them using YARA and Sigma rules.
Binalyze AIR DFIR Suite provides investigators with two tools for triage, which, as stated, are YARA and Sigma. Both scan endpoints for specific data using IOCs (indicators of compromise).
YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression that determines its logic.
Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of the project is to provide a structured form in which researchers or analysts can describe detection methods they have developed and make them shareable with others. Sigma is for log files what Snort is for network traffic and YARA is for files.
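To make the Sigma rule structure concrete, here is an added example (not code from Binalyze AIR or the Sigma project) that evaluates a small rule of the form `condition: selection and not filter` against constructed process-creation events, the way a triage scan runs detection logic over collected logs. The rule, its field names and the sample events are all assumptions made for this illustration.

```python
"""Minimal Sigma-style matcher (added example; not Binalyze AIR or pySigma code).

Supports the field modifiers contains, startswith and endswith (case-insensitive,
as in Sigma), OR across a list of values, AND across the fields of one search
identifier, and the single condition form "selection and not filter".
"""
from typing import Any

# Hypothetical rule written as a dict mirroring the Sigma YAML layout.
RULE = {
    "title": "Encoded PowerShell Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-EncodedCommand", "-enc "],
        },
        # Constructed allow-list entry for a known management agent.
        "filter": {"ParentImage|endswith": "\\sccm_agent.exe"},
        "condition": "selection and not filter",
    },
}

def _value_matches(actual: Any, expected: str, modifier: str) -> bool:
    a, e = str(actual).lower(), expected.lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e  # no modifier: exact (case-insensitive) match

def search_matches(search: dict, event: dict) -> bool:
    """Every field of a search identifier must match (AND); a list of values is an OR."""
    for key, expected in search.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(_value_matches(event[field], v, modifier) for v in values):
            return False
    return True

def rule_matches(rule: dict, event: dict) -> bool:
    det = rule["detection"]
    if det["condition"] != "selection and not filter":
        raise ValueError("this toy evaluator only handles 'selection and not filter'")
    return search_matches(det["selection"], event) and not search_matches(det["filter"], event)

# Constructed sample events (not real telemetry); the base64 blob is the UTF-16LE string "ABC".
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -EncodedCommand QQBCAEMA", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc QQBCAEMA", "ParentImage": "C:\\Program Files\\sccm_agent.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir", "ParentImage": "C:\\Windows\\explorer.exe"},
]

def triage(rule: dict, events: list) -> list:
    """Return the indexes of events that match the rule: the ones to investigate first."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]
```

Event 1 matches the selection but is excluded by the filter, so only event 0 is flagged; extending the evaluator to arbitrary Sigma conditions would need a real condition parser such as the one in pySigma.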
Binalyze AIR has a YARA and Sigma rule repository, and investigators can use the built-in YARA and Sigma editor to develop and validate their rules. They can also upload existing Sigma and YARA rules to the repository, and then scan their endpoints with those rules easily and remotely. The triage procedure flow is depicted below.