Why are YARA Rules Still a Thing for Email Security?


The future of email security will be defined by decentralized threat intelligence, automation, and AI that lets organizations continuously and rapidly respond to attacks in just seconds with or without human intervention.

To this day, quite a few email security technologies encourage security teams, threat hunters, and incident responders to rely on YARA rules and other signature-based pattern matching (literal strings, hex patterns, regular expressions) to combat email phishing attacks. This is despite the fact that high-profile attack types such as business email compromise (BEC) and ransomware delivery are crafted specifically to slip past the human and technical controls that rely on such rules.

YARA rules had their place. Those in the cybersecurity industry know YARA as an open-source tool, first released in 2008, that uses textual or binary patterns to write descriptions (“rules”) that identify and classify malware samples. It was developed before today’s advanced attacks were common, as a means to respond to the growth in malware volume, enabling security researchers to write rules based on patterns in file and memory content that could help group related malicious samples together.

However, as 2020 and the next decade approach, 91% of cyberattacks still start with a phishing email, and a malicious email secures its first click in less than 82 seconds.

When it comes to email security, you might wonder: why are YARA rules still a thing?

YARA rules have outlived their usefulness

Developed before advanced attacks were frequent, YARA rules once served researchers and malware analysts well when hunting for patterns in attacker tooling on networks and endpoints. For some researchers today, YARA rules are admittedly still useful, but they are a slow, detail-heavy instrument that mainly benefits analysts, not the inbox users who need immediate incident response to phishing attacks. In today’s complex email threat landscape, writing a new rule for each new attack is too time-consuming and labor-intensive to keep pace with an environment in which one million new malware threats, plus millions of phishing emails, appear every day.

Additionally, as technology evolves, attackers are adapting, using artificial intelligence and machine learning tools as well as new techniques to bypass YARA rules. Email security tools that still depend on hand-written rules are no match. If threat actors are using AI to cause damage, then email security must leverage the same technologies and capabilities to keep pace with them. SOC analysts cannot write rules complicated enough, or fast enough, to respond to threat actors’ moves within the time needed to remediate an attack. Bottom line: analysts cannot out-type a machine by hand; you can’t bring a knife to a gunfight.

In today’s email security environment, and in the decade to come, when real-time incident response is a must, YARA rules will remain inefficient. Here’s why:

  • They’re time-consuming – Security teams relying on YARA rules simply cannot keep up with the volume of today’s phishing emails, because a sample has to be analyzed manually before a rule can be written. Time is not a luxury organizations have when it comes to phishing mitigation; writing rules for yesterday’s attacks is not an option.
  • They’re a security team burden – YARA rules are too labor-intensive and time-consuming for today’s incident response demands, leaving security teams overwhelmed by the volume of emails to research and analyze. It’s such a burden that our own internal research found it can take Microsoft ATP as long as 250 days to remove a threat from an inbox. YARA rule sets also become harder to manage as the number of rules grows: overlapping rules, false positives and stale indicators all have to be maintained by hand.
  • They can’t keep up with the volume and sophistication of advanced phishing attacks – Basic search-and-delete capabilities are no match for advanced phishing attacks such as polymorphic emails. Polymorphism occurs when an attacker makes slight but significant changes to an email artifact, such as its content, copy, sender name, template, or subject line, to evade filters: the original and the variant carry the same lure, but a signature written against the exact strings of the first no longer fires on the second. This approach lets attackers generate phishing variants faster than ever before, tricking signature-based email security tools that were not built to recognize such modifications, so different versions of the same attack land undetected in employee inboxes. In fact, more than four in 10 emails underwent at least two permutations in the past twelve months. By the time a security analyst identifies a polymorphic attack, removes it from the inbox, and writes a new YARA rule based on it, ten other variants will have landed in 10 different inboxes.
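
To make the polymorphism point concrete, here is an added example (not code from the article or from IRONSCALES) that applies a YARA-style string rule to three constructed emails: the first sighted phishing lure, a polymorphic variant of it, and a benign internal finance message. All addresses, domains and invoice numbers are hypothetical. The matcher is a minimal re-implementation of YARA’s `nocase` string matching and its `all of them` / `N of them` / `any of them` conditions, so the real engine is not required to run it; the equivalent rule in YARA syntax is shown in the docstring for reference.

```python
"""
Toy YARA-style matcher over constructed emails. Added example, not IRONSCALES code
and not the real YARA engine; the rule semantics mirror this YARA rule:

    rule invoice_lure_v1 {
        strings:
            $subject = "Outstanding invoice #4471" nocase
            $sender  = "ap@vendor-billing.example" nocase
            $cta     = "confirm payment" nocase
        condition:
            all of them
    }
"""
import re
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    strings: Dict[str, str]  # identifier -> literal, matched case-insensitively ('nocase')
    condition: str           # "all of them", "any of them" or "<n> of them"


def matching_strings(rule: Rule, text: str) -> List[str]:
    """Identifiers of the rule's strings that occur in text (case-insensitive substring)."""
    haystack = text.lower()
    return [ident for ident, literal in rule.strings.items() if literal.lower() in haystack]


def evaluate(rule: Rule, text: str) -> bool:
    """Evaluate the condition the way YARA's 'all/any/N of them' would."""
    hits = len(matching_strings(rule, text))
    cond = rule.condition.strip().lower()
    if cond == "all of them":
        return hits == len(rule.strings)
    if cond == "any of them":
        return hits >= 1
    m = re.fullmatch(r"(\d+) of them", cond)
    if m:
        return hits >= int(m.group(1))
    raise ValueError(f"unsupported condition: {rule.condition!r}")


def with_condition(rule: Rule, condition: str) -> Rule:
    """Copy of the rule with a different condition, to compare thresholds."""
    return replace(rule, condition=condition)


# Rule written against the exact artifacts of the first sighted sample (hypothetical).
INVOICE_LURE = Rule(
    name="invoice_lure_v1",
    strings={
        "$subject": "Outstanding invoice #4471",
        "$sender": "ap@vendor-billing.example",
        "$cta": "confirm payment",
    },
    condition="all of them",
)

# Constructed samples; every address and domain below is hypothetical.
ORIGINAL_PHISH = """\
From: "Accounts Payable" <ap@vendor-billing.example>
Subject: Outstanding invoice #4471 - action required

Hello,
Please review the attached invoice and confirm payment by end of day.
"""

# Polymorphic variant: new sending domain, reworded subject and invoice number,
# reworded call to action. Same lure, same attachment, different strings.
VARIANT_PHISH = """\
From: "AP Dept" <billing@vendor-invoicing.example>
Subject: Unpaid invoice 4472 - action needed

Hi,
Kindly look over the attached invoice and confirm payment today.
"""

# Legitimate internal finance mail that happens to share two of the three strings.
BENIGN_INTERNAL = """\
From: "Dana Ruiz" <dana.ruiz@ourcompany.example>
Subject: Outstanding invoice #4471 - PO matched

Hi team, the supplier's PO checks out. Please confirm payment in the AP portal by Friday.
"""

SAMPLES = {"original": ORIGINAL_PHISH, "variant": VARIANT_PHISH, "benign": BENIGN_INTERNAL}


def verdicts(rule: Rule) -> Dict[str, bool]:
    """Run one rule over all samples; returns {sample name: matched?}."""
    return {name: evaluate(rule, text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for cond in ("all of them", "2 of them", "any of them"):
        print(f"{cond:12} -> {verdicts(with_condition(INVOICE_LURE, cond))}")
    # all of them  -> only the original fires; the variant evades (1 of 3 strings hit).
    # 2 of them    -> original and the benign mail fire; the variant still evades.
    # any of them  -> all three fire: the variant is caught only by also flagging real mail.
```

The three runs show the practitioner’s dilemma: the tight rule is evaded by a variant that changed every artifact but the phrase “confirm payment”, and no threshold separates that variant (one hit) from the benign internal message (two hits). Loosening the condition until the variant matches also flags legitimate accounts-payable traffic, which is why rule authors end up writing a fresh rule per permutation rather than relaxing the one they have.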

The future of email security is YARA-less

The future of phishing mitigation will not rely on passive search and delete functionalities driven by rules that can be defeated with ease. Instead, the future of email security will be defined by decentralized threat intelligence, automation, and AI that enable organizations to continuously and rapidly respond to attacks in just seconds with or without human intervention.

In 2029, ten years from now, we will look back on the decade just ended and wonder how YARA rules came to be relied upon so heavily for email security as we moved into 2020. Let’s hope it won’t take the full ten years to recognize the benefits of a more intelligent, proactive, and automated approach.

Eyal Benishti

About Eyal Benishti

Eyal Benishti is the founder & CEO of IRONSCALES, a leader in advanced phishing threat protection, which was incubated in the 8200 EISP, the accelerator run by alumni of Unit 8200, the Israel Defense Forces’ elite intelligence technology unit. Before establishing IRONSCALES, Benishti served as a security researcher and malware analyst at Radware, where he filed two patents in the information security domain. He also served as Java Tech Lead at Imperva, working on the Web Application Firewall product and other security solutions. A passionate cyber researcher from a young age, Benishti holds a degree in computer science and mathematics from Bar-Ilan University in Israel.
