YARA, YARA, YARA:
Why Manual Rules Don’t Cut it as Incident Response

Eyal Benishti |
Oct 25, 2019
Incident response, YARA rules

Back in the early days of my cybersecurity career, I worked as a malware analyst. Almost daily, I wrote and executed YARA rules to search for and detect multiple instances of the same malware. At the time, it was considered an advanced technique for analyzing and identifying trends in malware attacks, but today it’s a manual incident response tool for an automated world.

Not to be confused with the Bollywood dance of the same name, YARA is an open-source incident response tool used mainly to identify and classify malware based on textual or binary pattern matching. The name stands for “Yet Another Recursive Acronym” or “Yet Another Ridiculous Acronym.”

Take your pick. 

So why are YARA rules still a thing for incident response?

Despite being a decent tool for researchers – albeit a tedious and detail-heavy one – writing YARA rule after YARA rule after YARA rule to try to find every instance of a threat is a lousy way to fight phishing attacks and other email security threats. In fact, there’s almost universal agreement that we should ditch YARA rules and the regular-expression approaches like them. But they’re still around, in large part because some of the email security solutions on the market rely heavily on manual YARA rule methods for incident response.

I’ll admit that when I was a junior malware analyst, I relished the challenge and complexity of constantly honing YARA rules to be smarter and smarter. It was a fun challenge. But after a short time, you quickly realize the return on investment simply doesn’t justify all the time spent. 

When it comes to email phishing incident response, traditional methods like writing, refining and executing YARA rules are way too labor-intensive and time-consuming. It’s the modern equivalent of searching for a needle in a haystack. 

1. YARA rules can never keep up with polymorphic phishing attacks.

If you’re using YARA rules, you’re fighting a losing battle against the asymmetrical tactics of cybercriminals. The manual method of searching for and clawing back known malicious emails that have landed in the mailbox is no longer sufficient to identify and stop polymorphic phishing attacks.

A recent IRONSCALES study found that 42% of email phishing attacks are polymorphic, meaning they undergo at least one permutation. Polymorphism occurs when an attacker implements slight but significant and often random changes – called permutations – to an email’s artifacts, such as content, copy, subject line, sender name or template, after an attack has been deployed. These permutations are designed to bypass email security tools, such as YARA rules and signature-based detection. 

2. Writing a YARA rule will never beat the clock.

Given that the first user click on a phishing email is successfully lured in less than 82 seconds, it’s just a fact that you cannot investigate, cluster, remediate and stop similar threats fast enough with YARA rules. According to Aberdeen research, most user clicks occur within the first 24 hours of a phishing attack.

3. You can never write a good-enough YARA rule.

That’s because you can’t write a YARA rule for every permutation under the sun without generating multiple false positives. IIWII: It is what it is, as they say. While some argue that AI- and machine intelligence-powered email security solutions are more prone to false positives, it’s simply not the case.

You can’t write YARA rules complicated enough to address every possibility or catch every phishing attack. The truth is that AI is far more efficient at analyzing reams of complex data sets to automatically cluster, group and identify threats in real time.
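To make the permutation problem from point 1 and the false-positive trade-off from point 3 concrete, here is an added example (not code from the original post, and not YARA itself): a simplified stand-in for YARA's `strings:` section and `N of them` condition, run over constructed email samples. The sample emails, rule names and literals are all invented for illustration.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    strings: dict       # identifier -> literal, like a YARA `strings:` section
    condition: object   # "all", "any" or an int N, like YARA's `N of them`


def flatten(email: dict) -> str:
    """Join the header fields and body into the text a rule is scanned against."""
    return "\n".join(f"{k}: {v}" for k, v in email.items())


def matches(rule: Rule, email: dict) -> bool:
    """Case-sensitive literal matching, as YARA does without the `nocase` modifier."""
    text = flatten(email)
    hits = sum(1 for literal in rule.strings.values() if literal in text)
    if rule.condition == "all":
        return hits == len(rule.strings)
    if rule.condition == "any":
        return hits >= 1
    return hits >= int(rule.condition)


def evaluate(rule: Rule, phish: list, benign: list) -> dict:
    """Hits and misses on the phishing set, false positives on the benign set."""
    tp = sum(matches(rule, e) for e in phish)
    fp = sum(matches(rule, e) for e in benign)
    return {"tp": tp, "fn": len(phish) - tp, "fp": fp}


# Constructed samples, not real campaign data: the first sighting and three permutations
ORIGINAL = {"subject": "Urgent: Your invoice is overdue",
            "from": "Accounts Payable <ap@vendor-billing.example>",
            "body": "Please remit payment within 24 hours."}
PERMUTATIONS = [
    {**ORIGINAL, "subject": "URGENT - invoice past due"},                   # subject line
    {**ORIGINAL, "from": "Billing Team <billing@vendor-billing.example>"},  # sender
    {**ORIGINAL, "body": "Kindly settle the payment within 48 hours."},     # body copy
]
BENIGN = [{"subject": "Q3 invoice attached", "from": "finance@corp.example",
           "body": "Hi team, payment for the vendor invoice went out this morning."}]

# Written against the first sighting: precise, but every permutation slips past it
TIGHT = Rule("phish_invoice_v1", {"$subj": "Urgent: Your invoice",
                                  "$body": "remit payment within 24 hours",
                                  "$from": "ap@vendor-billing.example"}, "all")
# Loosened to cover the permutations: it now also flags the legitimate finance mail
LOOSE = Rule("phish_invoice_v2", {"$a": "invoice", "$b": "payment"}, "any")
```

Running `evaluate(TIGHT, [ORIGINAL] + PERMUTATIONS, BENIGN)` catches only the original sighting and misses all three permutations, while `evaluate(LOOSE, ...)` catches all four but also flags the benign finance email.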

4. YARA rules are high maintenance.

YARA rules invariably pile up. Different team members add and edit them, and some rules outlive their usefulness yet remain in use after their original authors have moved on to other roles. Once the number of YARA rules hits the hundreds, it becomes almost impossible to determine which rules should stay, go or be rewritten without opening the inbox to risk or increasing the chance of false positives.

5. Machine intelligence is way more accurate for incident response.

AI solutions like IRONSCALES are constantly getting smarter and improving the accuracy of their findings. It’s what we call the power of closed feedback loops. By continuously feeding machine intelligence from multiple internal and external sources, email security can adapt and get smarter, predicting, preventing, detecting and responding to incidents in real time.

YARA rules simply aren’t up to the task of the incident response needed in today’s email attack landscape. Learn more about how an automated approach can help you reduce the time from phishing attack detection to response to just seconds. Download the Seven Essentials of a Modern Email Security Platform.
