For the last few years I have been working in Product Management at Rubrik. One of the offerings I recently launched was the ability to scan backups of different systems looking for Indicators of Compromise (IOCs). These IOCs are intended to help identify systems that have been compromised and are showing malicious activity. The IOC is an indicator of such activity.
When an IOC is file based and you have access to the backups of the system, you essentially have a time-series history of that system that you can scan for those IOCs. This can help you identify details about the initial infection, such as when it first landed, without relying on the primary system being available. At Rubrik we introduced support for scanning for IOCs, using YARA rules (and hashes and file patterns), against the system backups.
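To make the time-series idea concrete, here is a small added example (my own illustration, not Rubrik's product code or anything from the YARA project). It builds three constructed, chronologically labelled snapshots of one host in a temporary directory, scans each one with two of the IOC types mentioned above (a SHA-256 hash and a filename glob pattern; YARA rules are left out so the script needs only the standard library), and reports the earliest snapshot in which each hit appears. The sample file contents, paths, snapshot dates and patterns are all placeholders constructed for the example; the "IOC" hash is derived from the constructed sample so the script runs offline.

```python
import fnmatch
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple

# Constructed stand-in for a malicious file that lands in one snapshot and
# persists afterwards. Not a real malware sample.
DROPPER_BYTES = b"constructed sample dropper content for the example\n"

# Hash-based IOC. In practice this comes from threat intelligence; here it is
# derived from the constructed sample purely so the example is self-contained.
IOC_HASHES: Set[str] = {hashlib.sha256(DROPPER_BYTES).hexdigest()}

# File-pattern IOCs in glob syntax, matched against the path relative to the
# snapshot root. Placeholder patterns constructed for the example.
IOC_PATTERNS: List[str] = ["**/Temp/svch0st*.exe", "**/*.locked"]


def sha256_of(path: str) -> str:
    """Stream the file in 1 MiB chunks so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_snapshot(root: str, hashes: Set[str], patterns: List[str]) -> List[Tuple[str, str]]:
    """Return (relative_path, reason) for every file in one snapshot that hits an IOC."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for pat in patterns:
                if fnmatch.fnmatch(rel, pat):
                    hits.append((rel, f"pattern:{pat}"))
                    break
            else:
                # No pattern hit: fall back to the (more expensive) hash check.
                digest = sha256_of(full)
                if digest in hashes:
                    hits.append((rel, f"sha256:{digest}"))
    return hits


def first_seen(snapshots: List[Tuple[str, str]], hashes: Set[str],
               patterns: List[str]) -> Dict[str, Tuple[str, str]]:
    """Walk snapshots oldest-first; map each hit path to the first snapshot label and reason."""
    first: Dict[str, Tuple[str, str]] = {}
    for label, root in snapshots:
        for rel, reason in scan_snapshot(root, hashes, patterns):
            first.setdefault(rel, (label, reason))
    return first


def build_demo_snapshots(base: str) -> List[Tuple[str, str]]:
    """Construct three snapshots of one host; the dropper lands in the second, a ransom artefact in the third."""
    plan = {
        "2024-01-01": {"Users/alice/notes.txt": b"benign\n"},
        "2024-01-02": {"Users/alice/notes.txt": b"benign\n",
                       "Users/alice/AppData/Local/Temp/update.tmp": DROPPER_BYTES},
        "2024-01-03": {"Users/alice/notes.txt": b"benign\n",
                       "Users/alice/AppData/Local/Temp/update.tmp": DROPPER_BYTES,
                       "Users/alice/report.docx.locked": b"encrypted\n"},
    }
    snapshots: List[Tuple[str, str]] = []
    for label, files in plan.items():  # dict keeps insertion order, so oldest first
        root = os.path.join(base, label)
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        snapshots.append((label, root))
    return snapshots


def demo() -> Dict[str, Tuple[str, str]]:
    """Build the constructed snapshots and return the first-seen report."""
    with tempfile.TemporaryDirectory() as base:
        return first_seen(build_demo_snapshots(base), IOC_HASHES, IOC_PATTERNS)


if __name__ == "__main__":
    for rel, (label, reason) in demo().items():
        print(f"{rel}: first seen in snapshot {label} via {reason}")
```

Note that the dropper is renamed `update.tmp`, so the filename pattern misses it and only the hash catches it, while the `.locked` file is caught by pattern alone; scanning the snapshots in date order then pins down the first snapshot each artefact appears in, which is exactly the "when did it first land" question a backup-side scan can answer.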
You can begin learning more about YARA from the project page and from the documentation. In this series of blog posts I will share a somewhat eclectic collection of tips, tricks and resources all about YARA, and a few things I've picked up along the way.
Stay tuned and I hope you had a Merry Christmas!