IBM Kestrel threat hunting language granted to Open Cybersecurity Alliance

The contribution is aimed at giving cybersecurity experts more time to conduct forensic activities.
Written by Charlie Osborne, Contributing Writer

IBM has contributed the Kestrel threat analysis language to the Open Cybersecurity Alliance (OCA). 

On Tuesday, the tech giant said that Kestrel helps Security Operations Center (SOC) analysts and other professionals in the industry "streamline threat discovery," allowing experts to more quickly tackle cyberforensics investigations, breaches, and other incidents. 

Kestrel made its debut this year at the RSA Conference. The open source programming language, developed jointly between IBM Research and IBM Security, is based on experiments performed via DARPA's Transparent Computing initiative.

Kestrel is used to compose 'hunt' flows for threats: known patterns, data sources, analytics, and detection logic are combined into a repeatable process, so that repetitive jobs can be left to automation while cybersecurity professionals focus on the tasks that require the intuition and skill of human staff.

Proactive threat hunting to protect an organization's networks normally takes many human hours and a great deal of skill. Because it requires hypotheses and likely attack sources to be drawn up alongside detection procedures, the vendor believes that cybersecurity staff often end up "rewriting the same programs following each attack."

This is where Kestrel comes in.

"Kestrel threat hunting language provides an abstraction for threat hunters to focus on what to hunt instead of how to hunt," IBM says. "The composable hunting flows enable the reuse of best practices and help reduce the time to create new hunts."

The project is open source and has now been accepted by the OCA, whose members include Cybereason, McAfee, IBM Security, and Tenable; it is hoped that the language will further the alliance's promotion of interoperable cybersecurity products.

"Instead of dissecting indicators of compromise we will be dissecting playbooks of entire hunt logic and across data sources," commented Sheldon Shaw, VP of Innovation & Infrastructure at CyberNB. "As adoption of the language continues to roll out, our collective hunt teams will be able to collaborate and approach cyber investigations differently."
