BlackBerry Blog

Cyber Threat Hunting: 2 Powerful Analysis Tools (Video)

Jupyter notebooks and YARA rules are two very powerful data analysis and visualization tools for identifying new cyberattack campaigns and threat actors.

It can be challenging to hunt for threats effectively — finding those new implants and new techniques — especially if you are dealing with terabytes of data or massive numbers of files. Getting past these obstacles is the focus of this BlackBerry LIVE episode.

In the video, BlackBerry Vice President of Threat Research & Intelligence Ismael Valenzuela, and Most Distinguished Threat Researcher Dmitry Bestuzhev, explain how to successfully use Jupyter notebooks and YARA rules.

Watch the BlackBerry LIVE Broadcast, below.


Here's a free data analysis tool, Valenzuela’s personal Jupyter Notebooks.

YARA: The Threat Hunter’s Handy Pattern-Matching ‘Omni-Tool’

According to the NCCIC, YARA is a popular open-source, multi-platform tool that provides a mechanism to identify code similarities between data sets within a specific structural or other pattern. It works on Windows®, Linux®, or Mac® operating systems, and can be run over network packets or practically any other data, such as memory. Its signature files can document both byte sequences and string matches that occur in the malware, as well as logic operators that support robust and precise conditions, reducing false positives during activities such as detection or hunting.

Three key takeaways about YARA from this episode are:

  • A practical approach to analyzing data with YARA is to use at least two different rule sets. For example, use one set for hunting, and a second set of curated rules for regular scanning and detection of campaigns of known threat actors.

  • YARA can be used to analyze the contents of on-disk memory, network traffic, or incoming emails.

  • There are many methods of hunting with YARA, including by “Hash” using file type and file size, or by “Timestamp,” “Language” or “Entropy Level,” such as when looking for files with suspiciously high obfuscation.

Hunting with YARA: Examples

Figure 1 – Using YARA to hunt by “Hash”
 
Figure 2 – Using YARA to hunt by “Timestamp”
 
Figure 3 – Using YARA to hunt by “Language”
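
The hunting pivots named above (hash with file type and file size, timestamp, language, entropy) written out as YARA rules. This is an added example, not the rules shown in the episode's figures; the hash, file size, time window, language ID and entropy threshold are constructed placeholders.

```yara
import "hash"
import "pe"
import "math"

// Hunt by hash: cheap file-type and size checks come first so the MD5
// is only computed for files that could possibly match.
rule Hunt_By_Hash
{
    meta:
        description = "Added example; the hash and size are placeholders"
    condition:
        uint16(0) == 0x5A4D and           // "MZ": Windows executable
        filesize == 184320 and            // constructed size in bytes
        hash.md5(0, filesize) == "00000000000000000000000000000000"
}

// Hunt by timestamp: PE files whose compile time falls in a window.
rule Hunt_By_Timestamp
{
    condition:
        uint16(0) == 0x5A4D and
        pe.timestamp >= 1640995200 and    // 2022-01-01 00:00:00 UTC
        pe.timestamp <  1643673600        // 2022-02-01 00:00:00 UTC
}

// Hunt by language: PE files carrying resources in a given language.
rule Hunt_By_Language
{
    condition:
        uint16(0) == 0x5A4D and
        pe.number_of_resources > 0 and
        pe.language(0x0A)                 // 0x0A = Spanish, chosen arbitrarily
}

// Hunt by entropy: small executables that look packed or encrypted.
rule Hunt_By_Entropy
{
    condition:
        uint16(0) == 0x5A4D and
        filesize < 2MB and
        math.entropy(0, filesize) >= 7.2  // constructed threshold; maximum is 8.0
}
```

Broad rules like the timestamp, language and entropy ones will match many benign files, which is why they belong in the hunting rule set rather than in the curated set used for regular scanning and detection.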
 
David Steinberg-Zwirek

About David Steinberg-Zwirek

David Steinberg-Zwirek is an Editorial Intern at BlackBerry.