August 8th, 2023
Introducing BinLib: Your private binary library
What is Binary Library?
Binary Library, or “BinLib”, is a collection of data and metadata pertaining to executable binaries, such as EXE or ELF files, that have been observed within your organization(s). When enabled, this extension collects observed data into your own private collection of historical executables, then subsequently available for searching, tagging, and analysis. BinLib also features YARA scanning, allowing you to import rules and search across observed executables - all without impacting system resources or production systems.
With BinLib, LimaCharlie customers can realize their own private corpus of historical executable data, as observed across their environment(s). Furthermore, LimaCharlie’s multi-platform parity enables analysis across Windows, Linux, and Mac executables. Binaries can be tagged and historical searches can help identify the presence of malicious files within an organization(s).
Benefits of BinLib
Managed security providers can use BinLib as a way to auto-scale analysis across their customers. Rather than construct detection and response rules for dozens of hashes, they can reference BinLib directly, allowing for more streamlined and efficient malicious detection. BinLib allows for easier management of known good files - allowing for easier false positives and “allow list” creation.
Managed security or intelligence providers will also find value in utilizing BinLib’s data for profiling of details across an entire organization, or a group of organizations. Understanding where and how binaries showed up in an environment are critical to answering questions about intrusions, and building out adversary timelines. Security teams can easily find answers to questions like:
Has this executable ever been observed in the organization?
When was it first seen?
What key metadata points can be used to identify similar executables?
The key takeaway? LimaCharlie customers have even more options and control over their data. For years, users have relied on binary repositories as a source for intelligence, malware identification, detection, and adversary profiling. Historical YARA scanning has proven invaluable for historical adversary analysis. BinLib brings the repository to you - making it personal and customized, without needing to build your own tech stack.
BinLib allows you to extend what you know into what you don’t know, utilizing file telemetry to identify malicious activity. Furthermore, BinLib allows you to extend malware detection outside of EDR telemetry - any feed of binary data or metadata can be converted into an indexed, searchable item. Coupled with YARA scanning, there is no limit to how instrumental BinLib can be in keeping your organization secure.
Getting Started with BinLib and LimaCharlie
BinLib is now out of private beta and is now generally available.