How abuse.ch evolved into an essential threat hunting platform

When Roman Hüssy started abuse.ch, it began as a simple threat research blog. Now, the project offers an open source threat hunting platform to users worldwide.

Cybersecurity has been critical for years, but the the threat landscape has blossomed with the central role technology takes in everything from retail to banking and the remote workforce — plus emerging spaces like the software supply chain.

Researcher Roman Hüssy took an interest in the threat landscape in its nascency, channeling his interest into a threat research blog, dubbed abuse.ch. Fourteen years later, Abuse.ch is now a popular platform used by threat researchers and law enforcement globally, providing several open source services. 

ConversingLabs podcast host Paul Roberts chatted with Hüssy and ReversingLabs Threat Researcher Hrvoje Samardžić for our latest episode about Abuse.ch as a program, as well as YARAify, an Abuse.ch platform for the open sharing and use of YARA rules, an important tool for threat hunters. 

Here are some of the key takeaways from the ConversingLabs podcast.

Not all YARA rules are the same

As Samardžić explains in the ConversingLabs episode, YARA rules function as a pattern matching machine that can find files based on how the rule is written. Anyone can write and share YARA rules with the greater threat hunting community, and they range from being simply written, to being highly complicated and written at the expert level.

See ReversingLabs' open-source YARA rules on GitHub

YARA rules are a great, open source tool for threat researchers to find known and unknown threats, Samardžić said. But not all YARA rules are the same, in terms of quality and purpose. With a constantly growing threat landscape, new YARA rules are created daily, making it difficult to abide by universal classification standards. Plus, it can be tough to scope out the right YARA rules for a threat hunting mission.

Enter YARAify

These challenges are why Hüssy developed YARAify, which Samardžić says is a good platform for testing these rules, as well as for improving and developing them to be of higher quality.

YARAify is meant to serve as a central base for threat researchers, to both share and consume YARA rules, allowing them to stay aligned with the open source fashion of YARA rules in general, Hüssy shared on the podcast.

The platform also has a scan engine, processing thousands of samples per day. YARAify allows threat researchers to hunt for threats on YARAify using their own YARA rules as well. Overall, it is a multifaceted platform that serves as an aid to the global threat hunting community. 

Learn about the evolution of abuse.ch and YARAify in this new ConversingLabs episode, where Paul Roberts asked these experts how YARA rules are created, technical use cases, and details on the future of abuse.ch.