Precursor: A Quantum Leap in Arbitrary Payload Similarity Analysis

In both general “data science” and, especially, in many cybersecurity contexts, the ability to identify and analyze similarities in data is crucial. Matt Lehman, from the GreyNoise Labs research team, has a new, deep-dive blog post introducing a new tool — Precursor — which promises to revolutionize how we approach this task. It is designed to label and find similarities in text, hex, or base64 encoded data and is a product of extensive research and development.

Precursor supports arbitrary similarity algorithms that generate a digest and support distance calculations, such as MRSHv2 and SSDEEP. It also provides a generic similarity vector output that machine learning processes can ingest. Precursor’s binary input mode for firmware/malware analysis can automate including the protocol indicators from existing libraries into PCRE2 patterns where applicable. The tool also supports a training mode where it can automatically configure the optimal similarity algorithm and distance thresholds. 

Potential other use-cases include:

Threat Intelligence and Attribution: Precursor can be used to analyze network traffic and identify patterns that indicate a potential threat. For instance, it can help in identifying regionally targeted cyberattacks by analyzing the nature of the traffic targeting a specific region. This was demonstrated when GreyNoise used Precursor to analyze a cyberattack targeting Israel.

Malware Analysis and Detection: Precursor's ability to support arbitrary similarity algorithms can be used to detect malware. By comparing a suspicious file to a database of known malware signatures, Precursor can help identify whether the file is malicious. It can aid in detecting command and control (C2) communications often used by malware.

Network Traffic Analysis: Precursor can be used to analyze network traffic and identify patterns or anomalies that may indicate a security threat. For instance, it can help in identifying scanning and enumeration activities typically associated with the reconnaissance phase of a cyberattack.

Stay tuned as we delve deeper into the workings of Precursor, its potential applications, and the insights it has helped us uncover. Whether you're a cybersecurity professional, a data scientist, or simply a tech enthusiast, this tool is set to bring a new level of sophistication to your work.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account