Recent research from Insikt Group, Recorded Future’s threat research division, has shone a light on the potential of large language models (LLMs) to fuel the development of self-augmenting malware: code that can be rewritten, with LLM assistance, so that it keeps its functionality while evading YARA rules (pattern-matching rules, built from strings, byte sequences and conditions, that analysts use to detect and classify malware).
YARA rules are often published openly so that defenders can reuse them. The same openness means a malware author can read exactly which strings a rule looks for and test new builds against it until they no longer match.
Armed with that knowledge, malware developers can use an LLM to rewrite a sample’s source so that the strings a rule keys on are renamed, split or encoded while the program still does the same thing. The result is malware that evades string-based YARA rules, lowering detection rates.
Current generative AI models still struggle to produce syntactically correct code reliably, so the technique is not yet turnkey, but evasion of this kind is likely to become more sophisticated and more automated over time. To mitigate the risk, organisations should stop depending on static string matching alone and layer detection methods that key on what malware does rather than on how its code happens to be written.
5 Measures to Defend Against Self-Augmenting Malware
Organisations must adopt a proactive, adaptive, and threat-led approach to achieve future-ready cyber resilience. Security operations teams need to keep updating their strategies and tools to stay ahead of potential threats. The recommendations below support this approach and help security teams stay ahead of the threat curve.
1. Combine Multiple Detection Techniques
Instead of relying solely on YARA rules for detecting malware, combine them with detection tools that see different data: Sigma rules over endpoint and SIEM logs, and Snort signatures over network traffic. Within YARA itself, prefer rules that combine several signals (hex patterns with wildcards, PE imports and section characteristics from the pe module, section entropy) over rules built only from literal strings, because a literal string is the cheapest thing for an LLM-assisted rewrite to change. A defence-in-depth strategy that layers signature-based detection, heuristic analysis, anomaly detection and machine learning makes it far harder for a sample tuned against one technique to slip past all of them.
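The contrast between a string-only rule and a rule that combines structural signals, as an added example written for this article. It is not a rule from Recorded Future, Adarma or any published ruleset, and it does not describe a specific malware family: the rule names, the credential-store strings, the hex call-site pattern, the import list and the entropy threshold are all constructed for illustration.

```yara
import "pe"
import "math"

// Brittle: every atom is a plain string. Renaming, splitting, XOR-encoding or
// building the string at runtime removes it from the binary without changing
// what the code does, so an LLM-assisted rewrite defeats this rule cheaply.
rule Example_Stealer_StringsOnly_Brittle
{
    meta:
        description = "Constructed example of a string-only rule; not a production signature"
    strings:
        $s1 = "\\Google\\Chrome\\User Data\\Default\\Login Data" ascii wide
        $s2 = "SELECT origin_url, username_value, password_value FROM logins" ascii wide
        $s3 = "stealer_main" ascii
    condition:
        uint16(0) == 0x5A4D and 2 of ($s*)
}

// Harder to evade: anchors on things the sample must keep in order to work
// (the Windows APIs it needs, a PE layout consistent with an encrypted payload)
// and on a code shape with wildcards instead of a literal string. Each signal
// costs the attacker a real engineering change rather than a rename.
rule Example_Stealer_Structural
{
    meta:
        description = "Constructed example combining import, entropy and code-pattern signals"
    strings:
        // Hypothetical call-site shape: mov rcx,[rip+X]; test rax,rax; jz short
        $call_shape = { 48 8B 0D ?? ?? ?? ?? 48 85 C0 74 ?? }
    condition:
        uint16(0) == 0x5A4D and
        filesize < 4MB and
        // Decrypting credentials stored by Chromium browsers needs DPAPI ...
        pe.imports("crypt32.dll", "CryptUnprotectData") and
        // ... and the stolen data has to leave the host somehow
        (
            pe.imports("wininet.dll", "HttpSendRequestA") or
            pe.imports("wininet.dll", "HttpSendRequestW") or
            pe.imports("winhttp.dll", "WinHttpSendRequest") or
            pe.imports("ws2_32.dll", "send")
        ) and
        (
            $call_shape or
            // A section with entropy above ~7.2 bits/byte suggests an encrypted
            // payload or string table, which is what a string-hiding rewrite leaves behind
            for any i in (0 .. pe.number_of_sections - 1) : (
                math.entropy(pe.sections[i].raw_data_offset,
                             pe.sections[i].raw_data_size) > 7.2
            )
        )
}
```

The second rule is still not evasion-proof: the hex pattern disappears if the source is recompiled, and the import checks can be dodged by resolving APIs at runtime with GetProcAddress. The point is that each of those moves costs the attacker more than renaming a string, and a rewrite that hides the imports and encrypts the strings tends to raise section entropy, which the last clause is there to notice. Test any such rule against a clean corpus before deploying it, since entropy and import heuristics also fire on legitimate packed or installer binaries.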
2. Dynamic Analysis
Dynamic analysis complements static matching. Detonate a potentially malicious file in a sandbox or isolated virtual machine and record what it does: the files it reads, the registry keys it touches, the processes it spawns and the hosts it contacts. Those behaviours survive a source-level rewrite that strips out the strings a static YARA rule depends on, so they catch activity that static analysis alone would miss.
3. Behaviour Analysis
Security teams should weight their efforts toward analysing behaviour on endpoints and in network traffic rather than matching specific signatures. Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) tools surface anomalies and suspicious sequences of activity (for example, a process reading a browser credential store and then opening an outbound connection) that indicate malware even when the binary has been modified to avoid detection by YARA rules.
4. Threat Intelligence Sharing
Leveraging threat intelligence feeds and information-sharing platforms is essential to stay informed about new variants of malware, including rewritten variants that existing rules no longer catch. Sharing indicators and detection logic with other organisations, and adopting a threat-intelligence-led approach, significantly enhances the collective ability of security teams to identify and respond to emerging threats.
5. Continuous Monitoring
Continuous monitoring of systems for any signs of compromise is critical. Security measures, including detection rules such as YARA rules, should be regularly updated to incorporate new threat intelligence and adapt to evolving attack techniques, and each update should be tested against known-good files as well as samples. By combining these strategies, security teams can effectively mitigate emerging threats that attempt to use AI to evade a single detection technique.
Adarma provides customised cybersecurity solutions to assist businesses in achieving future-ready cyber resilience. Our approach enables organisations to decrease cyber risks by implementing effective threat intelligence, exposure management, and detection and response capabilities. We offer tailored threat intelligence, technological solutions, and strategic consultations that cater to our customers’ specific security requirements and business goals. Our expertise guarantees a balanced approach between security and operational efficiency, safeguarding our customers’ most crucial infrastructure and data.
Discover our tailored services and find out why we are the preferred security partner for FTSE 350 firms and are recognised in the 2024 Gartner Market Guide for Co-Managed Security Monitoring Services.
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.
To hear more from us, check out the latest issue of ‘Cyber Insiders,’ our C-suite publication that explores the state of the threat landscape, emerging cyber threats, and the most effective cybersecurity best practices.
You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.
Stay updated with the latest threat insights from Adarma by following us on X and LinkedIn.