Malware Hunt: Demystifying the Invisible Threats

Module 3/3: Exploring Signature-Based Intrusion Detection: YARA and Snort

As you have learned how to demystify the behaviour of the malware in the first two modules of this course, you may want to write signatures to hunt similar malware on other hosts or want to detect/block malware command-and-control traffic at the firewall level. This module of the course will cover popular tools used for signature-based intrusion detection, but they have slightly different purposes and approaches:

• Yara – Allows you to create and define custom rules (signatures) to identify patterns within files or processes. These signatures are written in a human-readable and straightforward syntax. Yara is particularly effective for detecting specific characteristics, behaviour, or patterns of known malware or other targeted files.

Identifying known malware: Yara is effective in detecting the presence of known malware families by matching their unique patterns.

Hunting for specific behaviour: You can create Yara rules to identify specific behaviour, such as suspicious file names or registry keys.

Indicator of Compromise (IOC) scanning: Yara can be used to scan systems for known IOCs related to recent security breaches or threat intelligence.

• Snort – It is an open-source network intrusion detection and prevention system. Unlike Yara, which primarily focuses on file-based analysis, Snort is designed to monitor network traffic and detect malicious activity in real-time. It uses a combination of predefined rules (known as Snort rules) and customizable rules to identify specific patterns or characteristics of known network-based attacks.
• Network intrusion detection: Snort can be deployed on network devices, such as firewalls or routers, to monitor traffic and detect attempts at unauthorized access or attacks.
• Network traffic analysis: It helps in identifying unusual patterns in network traffic, which may indicate malicious behavior like port scans or brute-force attacks.
• Prevention and response: Snort can be integrated with other security systems to block malicious traffic and facilitate incident response.

Course instructor: Saurabh Sharma, Kaspersky

About the instructor: Saurabh Sharma is a senior security researcher at the Global Research and Analysis Team (GReAT) in Kaspersky. He contributes to the GReAT team’s mission by helping to investigate the most active and advanced threat actors, targeted attacks, attacker tools, and more. Saurabh’s professional passions include reverse engineering malware, as well as uncovering, tracking, and analyzing APT campaigns, and providing technical reports. Saurabh has previously spoken at various international infosec conferences in India and abroad.

This module will have prerequisites from Module 2 and other tools/techniques as communicated during Module 2/3.

Registration is required to attend. It is a free course (courtesy: Kaspersky Academic initiative)