By Julian Meyrick, Managing Partner & Vice President, Security Strategy Risk & Compliance, Security Transformation Services, IBM Security

Cyber threat hunting — proactively chasing increasingly sophisticated and pervasive cyberattacks — has been around for some time. However, existing approaches of cyber threat hunting rely on repeated and tedious knowledge encoding on specific data platforms, which can be very time-consuming.

In cybersecurity, time is of the essence. Every hour it takes to detect and respond to a threat leaves attackers more time to do damage. Unfortunately, rather than benefiting from the threat-hunting community’s collective knowledge and sharing code, cybersecurity professionals end up working in relative isolation and rewriting the same programs over and over with each new attack. In this context, the value of an open-source threat-hunting programming language could help solve that issue.

Kestrel Threat Hunting Language offers threat hunters a means to perform cyber reasoning and threat discovery much faster and easier than ever before. Developed jointly by IBM Research and IBM Security and based on years of experimentation in DARPA’s Transparent Computing program’s adversarial engagements, Kestrel offers Security Operations Center (SOC) analysts and threat hunters a domain-specific language that lets them devote more time to figuring out what to hunt, as opposed to how to hunt.

Letting threat hunters do what they do best

Cyber threat hunting is intended to serve as a countermeasure against today’s threats, many of which are built dynamically and customized to attack specific targets. These stealthy attacks can circumvent existing security measures at various levels and cannot be fully captured by pre-programmed detection systems and analytics.

Even with the influx of numerous open-source and commercial investigation tools, cyber threat hunting lacks the efficiency needed to be truly effective. Time and intelligence that should be focused on reasoning about sophisticated threats is instead spent on mundane tasks, such as crafting queries for different data sources, interpreting their results, and recording those results in spreadsheets.

IBM designed Kestrel to codify different steps and flows involved in threat hunting. That includes understanding the security measures in the target environment, thinking about potential threats that escape existing defenses, obtaining useful observations from system and network activities, developing threat hypotheses, revising threat hypotheses iteratively with the last two steps, and confirming new threats.

As a language for threat hunters to express what they are hunting, Kestrel helps hunters organize their thoughts about threat hypotheses around entities, which include numerous identifiable systems or network objects.

Under the hood, Kestrel runtime automatically reassembles an entity using pieces of information from different records or logs that describe different aspects of that entity. Kestrel also proactively asks data sources for additional information about different entities in order to ensure threat hunters have all of the information available to track down root causes and impacts of suspicious activity, as well as create and revise threat hypotheses as needed.

Security in community

Kestrel uses Structured Threat Information Expression (STIX), an open-standard for expressing and exchanging cyber threat data and intelligence. Kestrel runs on top of STIX-Shifter — another open source project by IBM Security — to automatically compile threat-hunting steps down to the native languages that the different data sources speak and execute. Beyond patterns, Kestrel abstracts hunting knowledge codified in analytics and hunting flows. Shareable, composable and reusable threat-hunting flows are critical — look no further than the SolarWinds attack to understand the importance of sharing threat intelligence and analysis across multiple organizations.

Ultimately, Kestrel will give threat hunters the ability to focus on the most interesting aspect of their work — the thrill of the hunt. In doing so, it will make cyber threat hunting more exciting that ever, and allow cybersecurity professionals to spend their time and energy untangling sophisticated threats and raising the level of skill and effort required to launch successful attacks in the future.

 

You may also like

UK/EU Summit - “Risk to Resilience”
icon External Engagement

UK/EU Summit - “Risk to Resilience”

Detlef Houdeau, Senior Director, Business Development at Infineon Technologies was a speaker at the inaugural UK/EU Summit organized by our newest Associated Partners Shared Assessments.

💡Under the theme “Risk to Resilience” the first event of this series was held in London and brought together professionals from different industries and regions. Detlef participated in the panel about the complex regulatory landscape and emphasized that new legislation like the EU AI Act, DORA and Hashtag#NIS2 continue to push the standard of care on cybersecurity and other risks.

Thanks to Shared Assessments for organizing such an amazing event and inviting the Charter of Trust to participate in this high-class panel alongside Andrew Moyad, CEO at Shared Assessments.
October 08, 2024
36th Cyber Security Day: Working together for more resilience in the digital future
icon External Engagement

36th Cyber Security Day: Working together for more resilience in the digital future

Strong networks and effective cooperation are the key to successfully shaping the digital future in Germany. Cybersecurity is a team effort, and that was again visible last week at the 36th Cyber Security Day in Berlin.

🌐On 26 September 2024, the Bundesamt für Sicherheit in der Informationstechnik (BSI), Alliance for Cyber Security, and the DIHK invited experts, companies, authorities and political decision-makers to jointly strengthen Germany's cyber resilience.

The event was a great mix of policy debate, practical exchange, workshop and networking under the motto ‘Stronger Together: Greater Resilience through Cooperation’.

✨ One of the highlights of the day was the closing panel with Claudia Plattner, President of the BSI, Dr. Stefan Saatmann, Deputy Head Berlin Office at Siemens, Konstantin von Notz, Member of the Bundestag for B90/Greens, and Alexander von Gernler, German Informatics Society, interchanging ideas to foster resilience through collaboration. Initiatives like the CoT baseline requirements and its huge potential for international harmonizing cybersecurity regulations were discussed as well.

Let’s all work together so that closer cooperation between the BSI and businesses bring more tangible effects to increase digital resilience. Special thanks to Nils Hasenau for providing the excellent photos and also to Simon Ulmer and Ralf König for attending the event.
October 01, 2024
Nordic Cyber Summit 2024
icon External Engagement

Nordic Cyber Summit 2024

The Charter of Trust at the Nordic Cyber Summit
What a great opportunity for Morten Kromann, Head of Industrial Security Denmark at Siemens, to present the Charter of Trust perspective on cybersecurity regulations like Hashtag#NIS2 at the Nordic Cyber Summit in Copenhagen.

This year the summit was again a formidable event to engage with top cybersecurity experts, share insights, and discuss strategies to navigate the ever-evolving threat landscape in the Nordic region with the theme “Fortifying the Future: Building Cyber Resilience in a Transformed World”.

A main aspect highlighted by Morten was the discrepancies between the NIS2 directive’s incidents reporting timeframe and related provisions adopted in other legislations. These regulatory overlaps create difficult compliance environments for industry and costly operational pressures which add to the fragmentation of the market instead of harmonizing it. That is why the Charter of Trust emphasizes streamlining reporting requirements stemming from these different legislative frameworks and developing single entry points for reporting on the national level.

These and more points have been discussed during our Security-by-default Webinar on the 29th of October. See the events section on this website to find the recording of the webinar.
September 16, 2024