FireEye Stories

Hunt and Detect Malware With Mandiant Advantage YARA Rules Extension

With millions of new malware samples discovered daily, being prepared with modern, accurate and actionable threat intelligence can mean the difference between a costly security breach and business continuity.

It is for this reason that we are proud of our new Mandiant Advantage YARA rules extension. Now security professionals can download YARA rules from Mandiant Advantage and run them against any YARA compatible tool for identifying and classifying malware based on string or binary pattern matching. This expansion enables incident responders, security operations center (SOC) analysts and detection engineers to search for malware with high accuracy and detect threats proactively.

How Does It Work?

The YARA rules extension within Mandiant Advantage is easy to use and doesn’t require any installation. All subscribers have to do is click on the YARA rules filter within the Mandiant Advantage “Malware” tab and they have access to the nearly 2,000 malware families that contain YARA rules, on top of other intelligence such as characteristics and indicators.

The Mandiant Advantage YARA rules extension can save analysts thousands of hours a year by eliminating a lot of manual code writing that goes into hunting for malware. By simply downloading the YARA rules for any given malware family, analysts can get right to searching across their IT infrastructure for that particular malware family. The rules are ready to be operationalized instantaneously.

Figure 1 shows an example of a YARA rule for BADRABBIT, a type of ransomware.


Figure 1: Example YARA rule for the BADRABBIT malware family

The Power of YARA Rules

When it comes to malware hunting, time is of the essence. The Mandiant Advantage YARA rules extension provides an immediate boost to an analyst’s toolset, allowing them to focus on hunting for threats that could mean trouble for an organization. Now teams can get straight to looking for malicious code and other malware functions and features defined by the YARA rules set, and then begin taking action for remediation as soon as threats are found.

Actionable threat intelligence is the force multiplier that security teams need if they want to address security threats quickly. It empowers them to detect, investigate and respond to the threats that matter most to the organization. When that intelligence is clear, stripped from as much overhead as possible, and directly actionable, teams can act in concert and be successful in their fight against malware and other forms of cyber attacks.

The release of the YARA rules extension is another example of Mandiant’s commitment to giving our subscribers that actionable threat intelligence. Head over to our Mandiant Advantage: Threat Intelligence page to learn more.