Agenda

When we talk about cybercrime, we often portray a hidden, hazardous realm, which is radically different from the one that we live in. In fact, hackers and their cybercrime enterprises exist in the same world as ours and undergo the same social and economic transformations as those which shape our reality.

In blurring the lines between breaches, data theft, ransomware, and cyber fraud, the TrickBot group in particular has almost reached the pinnacle, and almost united the cybercrime territories. However, there was one final challenge separating TrickBot from perfection — the APTs. By integrating the APT approach to its model the group turned its enterprise into a holistic ecosystem of cybercrime, becoming an essentially new phenomenon. In this ecosystem, crimeware and APT are no longer siloed; on the opposite, each type of crime creates added value for the other, each becomes a force multiplier.

Their malware developers work just like legitimate software developers, aiming to automate their work and reduce the time wasted on repetitive tasks wherever possible. That means they create and reuse code across their malware. This has a pay-off for malware hunters: we can learn how to create search YARA rules to detect this kind of code reuse, reducing our workload and detecting them early before breaches happen, too!

For years now, ransomware has had a direct impact on each of us as threat researchers. The almost daily release of new variants of existing code and families, and the evolution of these variants over time, has made detection a real challenge.

During this session Christiaan will take you through the process of how to use a touch of science to analyze ransomware families, extract important information, and write smart Yara-rules.

If you think YARA is limited in use, it's time to think again. YARA has become one of the most flexible and customized security tools used today to solve a wide range of security problems.

During this session Tom Ueltschi will walk through some of his rather unusual uses of YARA over the past 5 years. Whether it's malware classification based on sandbox analysis results in PCAPs and memory strings, detection of Java RAT families from JAR files, or most recently blocking of emails based on header or body patterns. These attack mails are from a threat group that we tracked for over two years dubbed "DESKTOP-group" due to the frequent reuse of desktop-names in message-id headers. They also reused other indicators in mail headers, which lead to successful blocking of some campaign mails without attachments. Tom will share these use cases as part of this session.

Without the syntax to specify complex conditions, YARA would be little more than a reasonably fast multi-string/regex-matching engine.

During this session Hilko Bengen will take a closer look at the executable form that YARA rulesets are compiled to and explore how the programs that make up conditions can be disassembled, decompiled and tweaked.

There's a reason most AV companies don't allow customers to create their own YARA signatures, and it's not because of the technical overhead. They don't want to deal with the customer support from poorly written patterns that kill performance across a company.

During this session Jo Johnson will cover how to avoid the performance pitfalls and the tricks to keep even very generic patterns from running slow. Some of these approaches will be YARA specific, but most will also apply across a number of controls including AV, and IDS\IPS software.

There are times in infosec when the elegant solution is appropriate, and when taking the extra time to test and get it perfect is not only appropriate but necessary. But what about all those other times? What about when you have to solve an immediate problem fast, and you don’t care as long as it works?

During this session Tony Drake will speak to those of us in the trenches where quick and dirty beats elegant and efficient. Tony will quickly go through an introduction to YARA through the lens of what matters to a quick and dirty rule writer, and iterate through a rule that is “good enough”. It isn’t perfect, elegant, or efficient. But it solves the problem.

Writing YARA rules can be easy and fun! But if you're using YARA rules in organizational defenses you probably don't want to write one for every possible type of malicious file. Thanks to the magic of open source and automation you don't have to!

During this session Cooper Quintin will demonstrate how to find large caches of high quality YARA rules on github, and then how to ingest them into your organizational workflow combined with your own custom rules. All to create an unstoppable powerhouse of a yara scanning engine, filling your day with the joy of false positives and triage! As the old saying goes: "many hands make light work."

Quality YARA rules are indeed important, but as we know testing can be a drag on time. So how are Threat Hunters ensuring quality at speed during their daily routines?

During this session Wyatt Roersma will walk through a simple plugin from his web framework, Analyst Unknown Cyber Range (AUCR), that will illustrate how to easily test and run YARA rules against a sample set uploaded to a system. Wyatt will walk through how to use it and how each of you can profit from this simple yet extensive YARA rule testing.

Whether you're new to YARA or have deep expertise, the flexibility of YARA offers an opportunity for all to find new ways to apply it.

During this session Moshe Caplan will strive to satisfy the technical curiosity of both those new to YARA and those with years of YARA experience. Through a technical deep-dive into real-world examples of how YARA is used in a large-scale enterprise, Moshe will review various YARA features via a presentation written entirely in YARA syntax. Everyone who attends will walk away having learned something new - but in a fun and memorable way.

Good threat detection rules are certainly worth their weight in gold. The correct match could mean the difference between a prevented attack and one that compromises high value assets. But proper quality written YARA rules are hard to come by.

During this session Tomislav Pericin will showcase why ReversingLabs has been using YARA as a form of threat detection augmentation for years. Built on the breadth of a10B file repository, ReversingLabs YARA rules yields no known false positives, offering the highest degree of detection confidence in the industry.

Please attend to see a wide range of YARA rules the ReversingLabs Threat Research team has written, their quality assurance process, and how they publish them. You will also witness first-hand an exclusive announcement to the YARA community. Please don't miss it!