IBM has contributed its Kestrel open-source programming language for threat hunting to the Open Cybersecurity Alliance (OCA) OASIS Open Project, according to a prepared statement.
Security operations center (SOC) analysts and other cybersecurity professionals can use Kestrel for cyber reasoning and threat discovery, OCA said. They can also leverage Kestrel's automation of the mechanical parts of a hunt to focus their time on higher-priority analysis.
IBM launched Kestrel at the RSA Conference in May 2021. Kestrel was developed jointly by IBM Research and IBM Security, which operates a Top 250 MSSP business unit, based on years of experimentation in the Defense Advanced Research Projects Agency (DARPA) Transparent Computing program’s adversarial engagements.
Kestrel provides cybersecurity professionals with a domain-specific language they can use to express what to hunt for, rather than how to hunt for it, IBM indicated. It helps these professionals organize their threat hypotheses around identifiable entities such as processes, files, network connections, hosts and users, rather than around raw log records.
How Does Kestrel Work?
Kestrel automatically reassembles an entity from pieces of information scattered across different records or logs that each describe one aspect of it, IBM stated. It also queries data sources for related entities, so threat hunters can pivot from a suspicious process to its parent, its children or its network connections, track down the root causes and effects of suspicious activity, and create and revise threat hypotheses as they go.
Furthermore, Kestrel uses the Structured Threat Information Expression (STIX) open standard for expressing and exchanging cyber threat data and intelligence, IBM stated. It runs on top of the STIX-Shifter open-source Python library, which compiles hunting steps written as STIX patterns into the native query languages of the different data sources, executes those queries and returns the results as STIX objects. A hunt step is therefore written once and reused across data sources, which abstracts the hunting knowledge away from any single product's query syntax.
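To make the entity-centric, what-not-how style concrete, here is a short hunt flow in the Kestrel language (Kestrel 1.x syntax). It is an added example written for this page, not code from the original article or from the Kestrel project. The data source alias `host101`, the time window and the process names are assumptions; `stixshifter://host101` only works if that alias has been configured for STIX-Shifter through the `STIXSHIFTER_HOST101_CONNECTOR`, `STIXSHIFTER_HOST101_CONNECTION` and `STIXSHIFTER_HOST101_CONFIG` environment variables.

```kestrel
# Hypothesis: an Office application spawned PowerShell, which then made a
# network connection (a common macro-based initial-access pattern).
# All identifiers below (host101, dates, process names) are assumptions.

# Step 1: ask the endpoint telemetry for PowerShell processes in a time window.
# The WHERE clause is a STIX pattern; Kestrel hands it to STIX-Shifter, which
# compiles it into the data source's native query language and runs it.
ps = GET process FROM stixshifter://host101
     WHERE [process:name = 'powershell.exe']
     START t'2021-05-01T00:00:00Z' STOP t'2021-05-02T00:00:00Z'

# Step 2: walk the process-creation relation backwards to find the parents.
# Kestrel reassembles each parent into one entity even when its attributes are
# spread over several records.
parents = FIND process CREATED ps

# Step 3: keep only parents that are Office applications (hypothesis refinement).
office = GET process FROM parents
         WHERE [process:name = 'winword.exe' OR process:name = 'excel.exe']

# Step 4: pivot from those parents to the PowerShell children they launched,
# then to the network connections those children opened.
suspicious = FIND process CREATED BY office
conns = FIND network-traffic CREATED BY suspicious

# Step 5: show the evidence to the analyst.
DISP suspicious ATTR pid, name, command_line
DISP conns ATTR src_ref.value, src_port, dst_ref.value, dst_port
```

Each variable holds a set of entities of one type, so a hunt reads as a chain of pivots between entities rather than a sequence of product-specific queries; swapping `host101` for a different STIX-Shifter data source changes the compiled query but not the hunt flow.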
Kestrel reduces or eliminates repetitive, mundane tasks for cybersecurity professionals, IBM said. In doing so, it helps them identify and address threats faster and raises the level of skill and effort an attacker needs to mount a successful campaign without being detected.