
🎸 Fleet to set/important YARA rules like osquery query packs

Open zayhanlon opened this issue 1 year ago • 8 comments

User story
As a detection & response engineer,
I want to deploy YARA rules to agents using the Fleet server
so I don't have to write rules to disk (too large of scope and too slow) or host rules on a separate webserver (can't be private).

Scope: Any engineer (including outside the detection & response team) can read these rules because they live in a monorepo. If an engineer's account gets compromised then they can read these rules.

Too slow: It takes months to get these rules reviewed.

Can't be private: Needs to be private.

Ideal workflow: Customer would have a repo of YARA rules that only detection & response team can access. Deploy these per team (production servers and workstations).

Some tables are blocked by not having YARA

Future: How to displace CrowdStrike? Event monitoring. osquery evented tables aren't as good and performant as CrowdStrike.

Problem

Background:

  • Currently not using YARA scanning at all today
  • One option - put the rules on disk, it would take forever. If there was an incident and they needed to add new rules, that timeline wouldn’t work. Not a tenable option.
  • Another option - pull from a web server, but then it would need to be publicly accessible. Then attackers could then see what their rules are.
  • DART team currently has a task to build a YARA scanning capability. Osquery provides this capability but the methods to implement are not ideal for our environment

Potential solutions

  1. Build the feature for Fleet to be given a set of YARA rules like Osquery query packs. Next, build the feature for Osquery to pull those Osquery rules from the TLS server.
  2. Where would this live in Fleet?
     • Same as query packs
     • Would be able to be configured as ‘YARA events’ scheduled to run at a recurring configurable interval of frequency
  3. Benefit to them: YARA rules would be the method of distributing out the rule and detecting the presence of new malware signatures out in their environment
     • Crowdstrike doesn’t support YARA rules today
     • Would make it easier for other DART teams to use this feature (on a moments notice, be able to write a rule for new

zayhanlon, Nov 02 '23 17:11
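For context on the two existing osquery options the issue rejects (rules on disk, or rules fetched from a web server), here is an osquery configuration that uses both. This is an added illustration, not code from the issue or from the Fleet project; the rule file path, the file_paths category and the signature URL are constructed placeholders, and `signature_urls` is assumed to be available in the osquery version in use.

```json
{
  "file_paths": {
    "local_binaries": ["/usr/local/bin/%", "/opt/%%"]
  },
  "yara": {
    "signatures": {
      "malware_rules": ["/etc/osquery/yara/malware.yar"]
    },
    "signature_urls": [
      "https://RULES-HOST-PLACEHOLDER.example/malware.yar"
    ],
    "file_paths": {
      "local_binaries": ["malware_rules"]
    }
  },
  "schedule": {
    "yara_scan_local_binaries": {
      "query": "SELECT path, matches, count, sig_group FROM yara WHERE path LIKE '/usr/local/bin/%' AND sig_group = 'malware_rules';",
      "interval": 3600
    }
  }
}
```

The `yara.signatures` block is the on-disk option: every host must already have `/etc/osquery/yara/malware.yar`, which is why the issue calls it slow to update during an incident. `yara.signature_urls` is the web-server option: osquery fetches the rule file over HTTPS, so whoever can reach that URL can read the rules, which is the privacy concern described above. The `yara.file_paths` mapping ties the signature group to the `local_binaries` category so that the `yara_events` table can scan files in those paths as they change (this requires file events to be enabled on the agent), while the scheduled query shows the recurring-interval scan the issue describes. What the issue asks for is a third source: rules served by the Fleet server over the existing authenticated TLS channel, so neither of these trade-offs applies.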