Threat Hunting at speed and scale

Almost every case starts with one or more leads. If there are too many leads, the investigator may need to validate them one by one, which is very time-consuming. If there are too few, investigators do not have enough information to continue the case. Neither situation is good for the investigation, and both can slow down its resolution.

An investigator or analyst will generally scan all or part of the system data to discover Indicators of Compromise (IOCs). A match typically means that the matching systems are related to a specific attack type and need to be investigated first. Investigators use YARA, osquery and Sigma rules for these scans, and can define and scan for IOCs using AIR's built-in YARA, osquery and Sigma template rules or editors.

Binalyze AIR DFIR Suite provides investigators with three different tools for triage: as stated, YARA, osquery and Sigma. These tools scan assets to find specific data using IOCs (Indicators of Compromise).

YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever else you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression that determines its logic.
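To make the "strings plus a boolean condition" structure concrete, here is an added example in Python that is not part of the original page and not Binalyze AIR's or the YARA project's code. It parses a constructed sample rule (text strings, hex byte strings and an and/or/not condition, a small subset of YARA syntax) and evaluates it against constructed byte buffers. Real scanning is done by YARA itself; the rule name, strings and sample buffers below are all made up for illustration.

```python
import ast
import re

# Constructed sample rule (not from the page): three strings and a condition.
# A real YARA rule would usually carry a meta section and richer conditions too.
RULE = r'''
rule Demo_Dropper
{
    strings:
        $text  = "cmd.exe /c powershell -enc"
        $magic = { 4D 5A 90 00 }
        $url   = "http://update-check.invalid/payload"
    condition:
        $magic and ($text or $url)
}
'''

# One 'strings:' entry per line: $identifier = "text" or { hex bytes }
STRING_RE = re.compile(r'^\s*(\$\w+)\s*=\s*(".*"|\{[^}]*\})\s*$', re.M)


def parse_rule(text):
    """Return (strings, condition): strings maps '$id' to the bytes it matches."""
    strings = {}
    for ident, value in STRING_RE.findall(text):
        if value.startswith('"'):
            strings[ident] = value[1:-1].encode()  # text string
        else:
            # hex string such as { 4D 5A 90 00 } (no wildcards supported here)
            strings[ident] = bytes.fromhex(value.strip("{} ").replace(" ", ""))
    condition = text.split("condition:", 1)[1].rsplit("}", 1)[0].strip()
    return strings, condition


def _eval(node, env):
    """Evaluate a parsed condition; only and/or/not over string identifiers is allowed."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, env)
    if isinstance(node, ast.BoolOp):
        values = [_eval(v, env) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, env)
    if isinstance(node, ast.Name):
        return env[node.id]
    raise ValueError("unsupported condition syntax: " + ast.dump(node))


def match(rule_text, data):
    """True when the rule's condition holds for the byte buffer `data`."""
    strings, condition = parse_rule(rule_text)
    # Which strings occur anywhere in the buffer; '$a' becomes the name 'a'.
    env = {ident.lstrip("$"): pattern in data for ident, pattern in strings.items()}
    tree = ast.parse(condition.replace("$", ""), mode="eval")
    return _eval(tree, env)


# Constructed sample buffers: a PE-like header followed by a suspicious command
# line, the same header with a benign command line, and the command line alone.
SAMPLE_HIT = b"MZ\x90\x00" + b"\x00" * 32 + b"cmd.exe /c powershell -enc SQBFAFgA"
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 32 + b"notepad.exe"
SAMPLE_TEXT_ONLY = b"cmd.exe /c powershell -enc SQBFAFgA"

if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("benign", SAMPLE_BENIGN), ("text only", SAMPLE_TEXT_ONLY)]:
        print(f"{label}: {match(RULE, buf)}")
```

Only the buffer that carries both the header bytes and one of the text strings satisfies the condition; this is the point of combining several strings in one boolean expression rather than alerting on any single pattern.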

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of the project is to provide a structured form in which researchers or analysts can describe the detection methods they have developed and share them with others. Sigma is for log files what Snort is for network traffic and YARA is for files.
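The following is an added example, not code from the page or from the Sigma project, showing how a Sigma detection (a selection of field conditions with value modifiers, a filter, and a condition combining them) is evaluated against log events. The rule is written as the Python equivalent of its YAML form, and the process-creation events are constructed samples, not real telemetry. Only the `contains`, `startswith` and `endswith` modifiers and conjunction-only conditions are supported; Sigma's full condition grammar is much larger.

```python
# Constructed rule, written here as the Python equivalent of a Sigma YAML file.
# Field names follow Windows/Sysmon process_creation logs; '|contains' etc. are
# Sigma value modifiers. Sigma string matching is case-insensitive.
RULE = {
    "title": "Encoded PowerShell spawned by an Office application",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
        },
        "filter": {"User|startswith": "NT AUTHORITY\\"},
        "condition": "selection and not filter",
    },
    "level": "high",
}


def _value_matches(actual, modifier, expected):
    """Apply one Sigma modifier to a lower-cased field value."""
    expected = str(expected).lower()
    if modifier == "":
        return actual == expected
    if modifier == "contains":
        return expected in actual
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "endswith":
        return actual.endswith(expected)
    raise ValueError(f"unsupported modifier: {modifier}")


def _selection_matches(selection, event):
    """Every field of a selection must match; a list of values means 'any of'."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        actual = str(event.get(field, "")).lower()
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(actual, modifier, v) for v in values):
            return False
    return True


def evaluate(rule, event):
    """Evaluate a condition of the form 'a and b and not c' (conjunctions only)."""
    detection = rule["detection"]
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        if _selection_matches(detection[name], event) == negate:
            return False
    return True


def hunt(rule, events):
    """Return the indexes of the events the rule fires on."""
    return [i for i, event in enumerate(events) if evaluate(rule, event)]


# Constructed sample process_creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\bob"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for i in hunt(RULE, EVENTS):
        print(f"{RULE['title']} ({RULE['level']}): {EVENTS[i]['CommandLine']}")
```

The first event matches the selection and is not excluded by the filter; the second fails the selection; the third matches the selection but is removed by the `not filter` term. Whether that filter is appropriate is a tuning decision for the analyst, which is exactly what a shareable rule format lets teams discuss in one place.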

osquery, an open-source tool, employs SQL-like queries to extract intricate system data. It offers cross-platform compatibility, making it ideal for real-time system monitoring, security analysis, and compliance assessments. Security professionals often use it to detect vulnerabilities, monitor system changes, and ensure adherence to security standards.
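As an added example (not the page's, Binalyze's or osquery's own code), the block below runs two osquery-style triage queries with Python's sqlite3 standing in for the osquery engine. The table and column names are a subset of osquery's real `processes` and `listening_ports` schema; the rows are constructed samples, since on a real endpoint osquery fills these tables from the live system. Running the same SQL through osquery on an asset is what an investigator would actually do.

```python
import sqlite3

# Constructed rows shaped like a subset of osquery's `processes` and
# `listening_ports` tables (protocol is an IANA number: 6 = TCP, 17 = UDP).
PROCESSES = [
    # pid, name, path, cmdline, parent
    (412, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", 4),
    (1880, "OneDrive.exe", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "OneDrive.exe /background", 1312),
    (2904, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "svchost.exe", 1312),
    (3120, "update.exe", r"C:\Users\Public\update.exe", "update.exe -s", 1312),
]
LISTENING_PORTS = [
    # pid, port, protocol, address
    (412, 135, 6, "0.0.0.0"),
    (2904, 4444, 6, "0.0.0.0"),
    (3120, 0, 17, "0.0.0.0"),
]

# Query 1: processes running from user-writable locations that also hold a
# bound listening socket (port 0 rows are unbound sockets and are skipped).
SUSPICIOUS_LISTENERS = r"""
SELECT p.pid, p.name, p.path, lp.port, lp.protocol
FROM processes AS p
JOIN listening_ports AS lp ON lp.pid = p.pid
WHERE lp.port != 0
  AND (LOWER(p.path) LIKE '%\appdata\local\temp\%'
       OR LOWER(p.path) LIKE '%\users\public\%')
ORDER BY p.pid
"""

# Query 2: processes carrying the name of a core Windows binary but running
# from outside System32 (a simple masquerading check).
MASQUERADING_SYSTEM_BINARIES = r"""
SELECT pid, name, path
FROM processes
WHERE LOWER(name) IN ('svchost.exe', 'lsass.exe', 'csrss.exe')
  AND LOWER(path) NOT LIKE 'c:\windows\system32\%'
ORDER BY pid
"""


def build_db():
    """In-memory stand-in for the osquery tables, filled with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT, parent INTEGER)")
    db.execute("CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER, address TEXT)")
    db.executemany("INSERT INTO processes VALUES (?, ?, ?, ?, ?)", PROCESSES)
    db.executemany("INSERT INTO listening_ports VALUES (?, ?, ?, ?)", LISTENING_PORTS)
    return db


def run_query(sql, db=None):
    """Run one triage query and return the result rows."""
    if db is None:
        db = build_db()
    return db.execute(sql).fetchall()


def suspicious_listeners():
    return run_query(SUSPICIOUS_LISTENERS)


def masquerading_system_binaries():
    return run_query(MASQUERADING_SYSTEM_BINARIES)


if __name__ == "__main__":
    for row in suspicious_listeners():
        print("listener from user-writable path:", row)
    for row in masquerading_system_binaries():
        print("system binary name outside System32:", row)
```

Both queries single out the same constructed process (pid 2904), which is the kind of convergence an analyst looks for when deciding which asset to examine first. The `update.exe` row in `C:\Users\Public` is excluded by the first query only because its socket is unbound, so a second hunt might drop that condition.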

Binalyze AIR has a YARA, osquery and Sigma repository, and investigators can use the built-in YARA, osquery and Sigma editors to develop and validate their rules. They can also upload these rules to the rule repository. Investigators can then easily scan their endpoints with those rules remotely. The Triage procedure flow is depicted below.

NB: Character limitation for single triage rule

  • To prevent the browser from becoming unresponsive, we have limited a single Triage Rule to a maximum of 350K characters.

Tagging Triage Rules

Triage rules in the AIR console can now be associated with Tags, which help in organizing rules and filtering when required. This enhancement aids in managing the rules more efficiently and allows for streamlined searches and better organization within the console.

When creating a Triage Rule, the UI allows the user to filter existing rules by their associated Tags.

The Triage Rule Library now includes Preset Filters in the secondary menu, allowing users to organize rules hierarchically. By incorporating a colon in their tags, users can structure and categorize rules more efficiently. For example, the tag "APT26:Tim:hashset" helps organize related rules under a structured hierarchy, enhancing navigation and accessibility in the library.
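The hierarchy that colon-separated tags imply, and the single-rule size limit mentioned above, can be checked outside the console as well. The block below is an added example, not Binalyze AIR's code: it builds the tag tree from a constructed rule library, filters rules by a tag prefix, and checks rule text against the 350K character limit. It assumes tags compare exactly (case-sensitive) and that a filter on "APT26" should include every rule tagged "APT26:..." beneath it; how the console itself compares tags is not stated on the page.

```python
MAX_RULE_CHARS = 350_000  # single Triage Rule limit stated on the page

# Constructed rule library entries (names, tags and bodies are made up).
RULES = [
    {"name": "apt26_dropper_hashes", "tags": ["APT26:Tim:hashset"],
     "body": "rule apt26_dropper_hashes { condition: false }"},
    {"name": "apt26_c2_domains", "tags": ["APT26:Tim:iocs", "network"],
     "body": "title: APT26 C2 domains\ndetection: {}"},
    {"name": "generic_php_webshell", "tags": ["webshell:php"],
     "body": "rule generic_php_webshell { condition: false }"},
]


def tag_tree(rules):
    """Build the nested hierarchy implied by colon-separated tags.

    'APT26:Tim:hashset' becomes tree['APT26']['Tim']['hashset'].
    """
    tree = {}
    for rule in rules:
        for tag in rule["tags"]:
            node = tree
            for part in tag.split(":"):
                node = node.setdefault(part, {})
    return tree


def filter_by_tag(rules, prefix):
    """Names of rules tagged with `prefix` itself or with any tag nested under it."""
    return [
        rule["name"]
        for rule in rules
        if any(tag == prefix or tag.startswith(prefix + ":") for tag in rule["tags"])
    ]


def rule_fits(body):
    """True when the rule text is within the single-rule character limit."""
    return len(body) <= MAX_RULE_CHARS


def oversized_rules(rules):
    """Names of library entries that would be rejected for exceeding the limit."""
    return [rule["name"] for rule in rules if not rule_fits(rule["body"])]


if __name__ == "__main__":
    print(tag_tree(RULES))
    print("APT26 rules:", filter_by_tag(RULES, "APT26"))
    print("APT26:Tim:hashset rules:", filter_by_tag(RULES, "APT26:Tim:hashset"))
    print("oversized:", oversized_rules(RULES))
```

Note that the prefix check requires a following colon, so a filter on "APT2" does not pull in "APT26" rules; a plain substring match would.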
