IBM Provides Kestrel Threat Hunting Tool to Open Cybersecurity Alliance


IBM has contributed its Kestrel open-source programming language for threat hunting to the Open Cybersecurity Alliance (OCA) OASIS Open Project, according to a prepared statement.

Security operations center (SOC) analysts and other cybersecurity professionals can use Kestrel for cyber reasoning and threat discovery, OCA said. Also, they can leverage Kestrel's machine-based automation to hunt for threats and free up time to focus on other high-priority tasks.

IBM launched Kestrel at the RSA Conference in May 2021. Kestrel was developed jointly by IBM Research and IBM Security, which operates a Top 250 MSSP business unit, based on years of experimentation in the Defense Advanced Research Projects Agency (DARPA) Transparent Computing program’s adversarial engagements.

Kestrel provides cybersecurity professionals with a domain-specific language they can use to figure out what cyber threats to hunt, rather than how to hunt for threats, IBM indicated. It helps these professionals organize their thoughts about threat hypotheses around identifiable systems, network objects or other entities.

How Does Kestrel Work?

Kestrel automatically reassembles an entity using pieces of information from different records or logs that describe different aspects of it, IBM stated. It also asks data sources for information about different entities to provide threat hunters with information to track down the root causes and effects of suspicious activities and create and revise threat hypotheses.

Furthermore, Kestrel uses the Structured Threat Information Expression (STIX) open standard for expressing and exchanging cyber threat data and intelligence, IBM stated. It runs on top of the STIX-Shifter open-source Python library, which automatically compiles threat-hunting steps into the query languages that different data sources speak and executes them, so that the hunting knowledge is abstracted away from any one data source.
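To make the entity-centric idea concrete, here is an added toy illustration (not Kestrel's own code or syntax): records from two constructed log sources (an EDR process log and a netflow log for a hypothetical host "ws01") are merged into one entity per (host, pid), parent links are followed back to the root cause, and the resulting entity is expressed as a STIX pattern for the next hunt step.

```python
"""Toy illustration of entity-centric hunting: merge records that describe the
same process from different logs, then follow parent links to the root.
Added example; not Kestrel's own code, syntax or data model."""
from collections import defaultdict

# Constructed sample records (hypothetical host "ws01"): two log sources that
# each see a different aspect of the same processes.
PROCESS_LOG = [
    {"source": "edr", "host": "ws01", "pid": 100, "name": "explorer.exe", "ppid": 1},
    {"source": "edr", "host": "ws01", "pid": 220, "name": "winword.exe", "ppid": 100},
    {"source": "edr", "host": "ws01", "pid": 431, "name": "powershell.exe", "ppid": 220},
]
NETWORK_LOG = [
    {"source": "netflow", "host": "ws01", "pid": 431, "dst_ip": "203.0.113.7", "dst_port": 443},
    {"source": "netflow", "host": "ws01", "pid": 220, "dst_ip": "198.51.100.9", "dst_port": 80},
]


def entity_key(rec):
    """A process entity is identified by (host, pid) across all sources."""
    return (rec["host"], rec["pid"])


def reassemble(*logs):
    """Merge every record about the same entity into one dict, keeping the list
    of sources that contributed so the analyst can see where each fact came from."""
    entities = defaultdict(lambda: {"sources": []})
    for log in logs:
        for rec in log:
            ent = entities[entity_key(rec)]
            ent["sources"].append(rec["source"])
            ent.update({k: v for k, v in rec.items() if k != "source"})
    return dict(entities)


def lineage(entities, host, pid):
    """Walk parent links from a suspicious process back toward the root cause."""
    chain, seen = [], set()
    while (host, pid) in entities and (host, pid) not in seen:
        seen.add((host, pid))
        chain.append(entities[(host, pid)]["name"])
        pid = entities[(host, pid)].get("ppid")
    return chain


def stix_pattern(entity):
    """Express the entity as a STIX pattern for the next hunt step, using the
    standard STIX 2 process:name and process:pid observable properties."""
    return f"[process:name = '{entity['name']}' AND process:pid = {entity['pid']}]"
```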

Kestrel reduces or eliminates repetitive, mundane tasks for cybersecurity professionals, IBM said. In doing so, Kestrel helps these professionals quickly identify and address threats and raises the level of skill and effort required to launch successful cyberattacks.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.