<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1076912843267184&amp;ev=PageView&amp;noscript=1">
|

How abuse.ch evolved into an essential threat hunting platform

Carolynn van Arsdale
Blog Author

Carolynn van Arsdale, Cyber Content Creator at ReversingLabs. Read More...

ConversingLabs-episode-6-on-demandWhen Roman Hüssy started abuse.ch, it began as a simple threat research blog. Now, the project offers an open source threat hunting platform to users worldwide.

Cybersecurity has been critical for years, but the the threat landscape has blossomed with the central role technology takes in everything from retail to banking and the remote workforce — plus emerging spaces like the software supply chain.

Researcher Roman Hüssy took an interest in the threat landscape in its nascency, channeling his interest into a threat research blog, dubbed abuse.ch. Fourteen years later, Abuse.ch is now a popular platform used by threat researchers and law enforcement globally, providing several open source services. 

ConversingLabs podcast host Paul Roberts chatted with Hüssy and ReversingLabs Threat Researcher Hrvoje Samardžić for our latest episode about Abuse.ch as a program, as well as YARAify, an Abuse.ch platform for the open sharing and use of YARA rules, an important tool for threat hunters. 

Here are some of the key takeaways from the ConversingLabs podcast.

Not all YARA rules are the same

As Samardžić explains in the ConversingLabs episode, YARA rules function as a pattern matching machine that can find files based on how the rule is written. Anyone can write and share YARA rules with the greater threat hunting community, and they range from being simply written, to being highly complicated and written at the expert level.

[ See ReversingLabs' open-source YARA rules on GitHub ]

YARA rules are a great, open source tool for threat researchers to find known and unknown threats, Samardžić said. But not all YARA rules are the same, in terms of quality and purpose. With a constantly growing threat landscape, new YARA rules are created daily, making it difficult to abide by universal classification standards. Plus, it can be tough to scope out the right YARA rules for a threat hunting mission.

Enter YARAify

These challenges are why Hüssy developed YARAify, which Samardžić says is a good platform for testing these rules, as well as for improving and developing them to be of higher quality.

YARAify is meant to serve as a central base for threat researchers, to both share and consume YARA rules, allowing them to stay aligned with the open source fashion of YARA rules in general, Hüssy shared on the podcast.

The platform also has a scan engine, processing thousands of samples per day. YARAify allows threat researchers to hunt for threats on YARAify using their own YARA rules as well. Overall, it is a multifaceted platform that serves as an aid to the global threat hunting community. 

Learn about the evolution of abuse.ch and YARAify in this new ConversingLabs episode, where Paul Roberts asked these experts how YARA rules are created, technical use cases, and details on the future of abuse.ch. 

Get up to speed on key trends and understand the landscape with The State of Software Supply Chain Security 2024. Plus: Learn about ReversingLabs Spectra Assure for software supply chain security.

More Blog Posts

    Special Reports

    Latest Blog Posts

    The State of Open Source Software Security The State of Open Source Software Security

    Conversations About Threat Hunting and Software Supply Chain Security

    RG: Tampering RG: Tampering

    Glassboard conversations with ReversingLabs Field CISO Matt Rose

    Software Package Deconstruction: Video Conferencing Software Software Package Deconstruction: Video Conferencing Software

    Analyzing Risks To Your Software Supply Chain