An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate?
YARA rules are suitable for identifying malware families using file strings, byte sequences, and conditions.
Why this answer
YARA rules are specifically designed to identify and classify malware samples based on textual or binary patterns, including unique strings and byte sequences. By testing a YARA rule against known-good and known-bad samples, the analyst can validate its accuracy and ensure it reliably detects related files from the same campaign while minimizing false positives.
How to eliminate wrong answers
Option A is wrong because tuning DHCP lease duration affects network address assignment and renewal timing, not malware detection or file analysis. Option B is wrong because using only a firewall deny rule for port 443 would block HTTPS traffic but does not help identify or correlate malware samples based on strings or byte patterns. Option D is wrong because creating a CVE entry is a formal process for documenting a vulnerability, not a method for detecting related malware files based on unique strings or byte patterns.