All right, so let's talk about tactical sharing, and this is sharing that's done on a more short-term basis, obviously, than strategic sharing, which is longer term. But in both cases, the intended audience is an important factor to consider. You want to make sure that the information you present has value within the time frame that is considered tactical for your organization. Maybe that's, you know, on the order of six months, a year, a year and a half, two years. It depends who you ask, as far as what they think tactical time frames are, because it does vary. It's not a hard and fast definition, but your organization probably has a standard which they apply. So that's something you would need to look into.
We looked at threat feeds earlier, but with some of the threat feeds you can look at, it should be well understood that there are expected limitations. This is a good reason why you might want to have more than one threat feed, so that you can do some correlation and some verification to make sure that you're getting accurate information, because you see the same details being covered consistently among different vendors and different sources of threat intel. This is a really good way to do some vetting and raise the assurance level. Ultimately, one of the tools that can be used to help within these threat platforms that we saw earlier, or that we'll see again, is YARA signatures, and YARA is a way to classify and identify malware and lets you create descriptions. You can use binary patterns to do this, and you can also set up
So let's have a look at the information on YARA from GitHub. And this is for those of you that aren't familiar with GitHub: this is an open source source code repository. A lot of companies use it, a lot of independent developers use it, security researchers especially like it, and it's a great area to look for tools and be able to find all the supporting documentation and source code. As you can see here, there's quite a bit of information, and it tells us what YARA is. So as I mentioned, classifying malware samples according to their family, textual or binary patterns, and you can see the syntax looks fairly simple: a name for the rule, a given description, set up some parameters about whether it's in the wild currently or not, its threat level, and then some different strings, which are potentially indicators of compromise or other pieces of binary data that could be used to correctly identify this particular item.
You can see we've got a big list of companies that are using YARA. On the US-CERT website, since WannaCry has been in the news recently as of the time of this video being created, I thought I would have a look at the rules to help you detect this particular ransomware. Let me make this a little bigger. So we looked at this information on US-CERT.gov earlier, when we were talking about some of the indicators of compromise. Very helpfully, in fact, the US-CERT.gov organization has published this, and so we can see this pertains to the WannaCry ransomware. We get a description, metadata about when it was created back in the middle of May, there's a hash that's defined, and several different strings all related to this particular malware. So using the threat platforms and other analysis tools, you can simply create these signatures or download them directly from various websites. Then we can see the logical condition, which means that all of these particular items, $s0 through $s15, must be present in order for this to be identified correctly as WannaCry, and there's some other metadata.
So, in a nutshell, that's how YARA can be useful to your organization. It's worth exploring to see if your tools support this technology, and if so, then you should be able to easily identify repositories of YARA signatures for things you may already be interested in and for things that are coming out very rapidly, zero-day type situations.
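The rule structure walked through above (a rule name, a meta section, a strings section, and a condition that decides whether the rule fires) as an added example, not code from the video, from US-CERT, or from the YARA project: a small Python parser and matcher for a YARA-style rule. It assumes a minimal subset of the syntax (plain text strings, fixed hex strings, and "all/any/N of them" conditions) is enough to show how the condition section turns individual string hits into a verdict. The rule text, the string values, the hash and the sample buffers are constructed placeholders, not real WannaCry indicators.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed YARA-style rule. Strings and hash are placeholders, not real
# indicators; the actual WannaCry rule lives on US-CERT.gov and is not reproduced.
RULE_TEXT = r'''
rule example_ransomware_indicators
{
    meta:
        description = "Constructed example rule with placeholder strings"
        date = "YYYY-MM-DD"
        hash = "PLACEHOLDER_SHA256"
    strings:
        $s0 = "PLACEHOLDER_MUTEX_NAME" ascii
        $s1 = { DE AD BE EF 00 01 }
        $s2 = "placeholder-domain.invalid"
    condition:
        all of them
}
'''


@dataclass
class Rule:
    """The sections the video walks through: name, meta, strings, condition."""
    name: str
    meta: Dict[str, str] = field(default_factory=dict)
    strings: Dict[str, bytes] = field(default_factory=dict)
    condition: str = "all of them"


RULE_RE = re.compile(r"rule\s+(\w+)\s*\{(.*)\}", re.S)
TEXT_RE = re.compile(r'"([^"]*)"')            # plain text strings only, no escapes
COND_RE = re.compile(r"(all|any|\d+)\s+of\s+them")


def parse_rule(text: str) -> Rule:
    """Parse a minimal YARA-style rule (hypothetical subset of the real grammar)."""
    m = RULE_RE.search(text)
    if not m:
        raise ValueError("no rule block found")
    rule = Rule(name=m.group(1))
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in m.group(2).splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("meta:", "strings:", "condition:"):
            current = line[:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    for line in sections.get("meta", []):
        key, _, value = line.partition("=")
        rule.meta[key.strip()] = value.strip().strip('"')
    for line in sections.get("strings", []):
        ident, _, value = line.partition("=")
        value = value.strip()
        if value.startswith("{"):
            # Fixed hex string; wildcards (??) and jumps are not supported here.
            hexbody = value[1:value.index("}")]
            rule.strings[ident.strip()] = bytes.fromhex(hexbody.replace(" ", ""))
        else:
            # Text string; trailing modifiers such as "ascii" are ignored.
            rule.strings[ident.strip()] = TEXT_RE.match(value).group(1).encode()
    rule.condition = " ".join(sections.get("condition", ["all of them"]))
    return rule


def evaluate(rule: Rule, data: bytes) -> Tuple[bool, List[str]]:
    """Return (did the rule fire, identifiers of the strings found in data)."""
    matched = [ident for ident, pat in rule.strings.items() if pat in data]
    m = COND_RE.fullmatch(rule.condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {rule.condition}")
    quant = m.group(1)
    needed = {"all": len(rule.strings), "any": 1}.get(quant)
    if needed is None:
        needed = int(quant)
    return len(matched) >= needed, matched


# Constructed sample buffers standing in for files being scanned.
HIT_SAMPLE = (b"MZ\x90\x00" + b"PLACEHOLDER_MUTEX_NAME\x00"
              + bytes.fromhex("deadbeef0001") + b"..placeholder-domain.invalid..")
PARTIAL_SAMPLE = b"MZ\x90\x00PLACEHOLDER_MUTEX_NAME\x00..placeholder-domain.invalid.."
CLEAN_SAMPLE = b"\x00" * 16 + b"unrelated file content"

if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    for label, sample in (("hit", HIT_SAMPLE), ("partial", PARTIAL_SAMPLE), ("clean", CLEAN_SAMPLE)):
        fired, found = evaluate(rule, sample)
        print(f"{rule.name} on {label}: fired={fired} matched={found}")
```

The partial sample is the case worth noticing: two of three strings are present, so under "all of them" the rule stays quiet, while the same strings with a "2 of them" condition would fire. That is exactly the trade-off the condition section encodes, and why a rule pulled from a repository is worth reading before it is trusted.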