Time
3 hours 1 minute
Difficulty
Advanced
CEU/CPE
3

Video Transcription

00:04
All right, so let's talk about tactical sharing,
00:07
and this is sharing that's done on a more short-term basis,
00:13
obviously, than strategic sharing, which is longer term.
00:18
But in both cases, the intended audience is an important factor to consider.
00:23
You want to make sure that the information we present has value within the time frame
00:29
that is considered tactical for your organization.
00:32
Maybe that's, you know, on the order of six months, a year, a year and a half, two years.
00:39
It depends who you ask,
00:40
as far as what they think tactical timeframes are, because it does vary. It's not a hard and fast definition,
00:48
but your organization probably has a standard which they apply. So that's something you would need to look into.
00:55
We looked at threat feeds earlier, but some of the threat feeds you can look at
00:59
and
01:00
it should be well understood that there are expected limitations.
01:06
This is a good reason why you might want to have more than one threat feed, so that
01:11
you can do some correlation and some verification to make sure that you're getting accurate information, because you see the same details being covered consistently among different vendors and different sources of threat intel.
01:23
This is a really good way to
01:26
do some vetting and raise the assurance level. Ultimately,
01:33
one of the tools that can be used to
01:37
help within these threat platforms that we saw earlier, or that we'll see again, is YARA signatures, and YARA
01:46
is, as we see here,
01:48
a way to classify and identify malware
01:53
and let you create descriptions.
01:56
You can use binary patterns to do this, and you can also set up
02:00
different rules.
02:01
So let's have a look at the information on YARA from GitHub.
02:12
And for those of you that aren't familiar with GitHub, this is an open source
02:15
source code repository.
02:17
A lot of companies use it. A lot of independent developers use it. Security researchers especially like it,
02:24
and it's a great area to look for tools and
02:30
be able to find all the supporting documentation source code.
02:34
As you can see here, there's quite a bit of information,
02:37
and it tells us what YARA is.
02:39
So as I mentioned, classifying malware samples according to their family, textual or binary patterns, and you can see the syntax looks fairly simple.
02:50
You define
02:51
a name for the rule, give it a description,
02:53
set up some parameters about whether it's
02:58
in the wild currently or not, its threat level,
03:01
and then some different strings, which are
03:04
potentially indicators of compromise or other pieces of
03:08
binary data that could be used to correctly identify this particular item.
03:15
You can see we've got a big list of
03:16
companies that are using YARA.
03:23
On the US-CERT website,
03:24
us-cert.gov,
03:25
since WannaCry has been in the news recently, as of the time of this video being created,
03:31
I thought I would have a look at the rules to help you detect
03:36
this particular ransomware
03:39
make this a little bigger.
03:46
So we looked at
03:49
this information on us-cert.gov a couple of videos earlier,
03:53
we were talking about some of the indicators of compromise,
03:59
and then helpfully,
04:01
very helpfully, in fact, the US-CERT.gov organization
04:05
has provided some
04:08
YARA signatures,
04:11
and so we can see this pertains to the WannaCry ransomware. It's got a description,
04:16
metadata about when it was created back in the middle of May.
04:21
There's a hash that's defined
04:24
and several different strings
04:27
all related to this particular malware.
04:30
So using the threat platforms
04:33
and other analysis tools, you can simply create these signatures or download them directly from various websites.
04:42
And we can see the logical condition means that all of these particular items, $s0 to $s15,
04:48
must be true
04:49
in order for this to be identified correctly as WannaCry,
04:56
and there's some other metadata
04:58
listed as well.
05:03
So, in a nutshell, that's how YARA can be useful to your organization.
05:09
It's worth exploring to see if your tools support this technology,
05:13
and if so, then you should be able to easily identify
05:16
repositories of YARA signatures for things you may already be interested in
05:20
and for things that are coming out very rapidly, zero-day type situations.

Up Next

Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor