
In this talk, we introduce the Kestrel threat hunting language, an Open Cybersecurity Alliance (OCA) project recently announced at RSA Conference 2021 to foster knowledge sharing and collaboration in the threat hunting community. We explain the idea of hunting knowledge composability and demonstrate constructing hunt flows from multiple simple and complex hunting steps. The talk starts with writing and executing simple Kestrel hunting steps for common hunts, such as matching ATT&CK TTP patterns, finding related entities, enriching entities with threat intelligence, and visualizing the geo-locations of host IPs. Next, we explain the data pipeline Kestrel uses to access more than a dozen free, open-source, and commercial monitoring/EDR/SIEM systems, and we demonstrate a cross-host hunt from a Linux server to a Windows machine by connecting and correlating multiple data sources. After this taste of creating composable hunt flows in Kestrel, we explain the entity-based cyber reasoning abstraction Kestrel gives threat hunters over security logs and data, and discuss hunting knowledge reuse and sharing through community-contributed patterns, analytics, and huntbooks. We will share a list of references to the project, tutorials, and technical blogs to help attendees jump-start their hunts in Kestrel and engage with the community to defend against ever-evolving cyber threats together.
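As an added illustration of the kind of hunt flow the abstract describes (pattern matching, finding related entities, enrichment), here is a small Kestrel huntbook. It is not material from the talk or from the Kestrel project itself: the data source name `stixshifter://edr-win`, the time window, the choice of TTP (PowerShell spawned by Word, ATT&CK T1059.001) and the analytics name `geolocation` are assumptions made for this example, and the statement syntax follows Kestrel 1.x as documented at the time of the talk.

```kestrel
# Added example huntbook, not from the talk or the Kestrel project.
# The data source name, time window, TTP choice and analytics name are
# assumptions made for illustration.

# Step 1: match a TTP pattern. A STIX pattern over one EDR data source selects
# powershell.exe processes whose parent is winword.exe (ATT&CK T1059.001).
susp = GET process FROM stixshifter://edr-win
       WHERE [process:name = 'powershell.exe' AND process:parent_ref.name = 'winword.exe']
       START t'2021-05-17T00:00:00Z' STOP t'2021-05-18T00:00:00Z'

# Step 2: find related entities. FIND walks the entity relations Kestrel
# maintains: child processes and network traffic created by the matched processes.
children = FIND process CREATED BY susp
nt       = FIND network-traffic CREATED BY susp

# Step 3: enrich. APPLY runs an analytics over a variable and attaches the
# attributes it produces; 'geolocation' is an assumed analytics name here.
APPLY docker://geolocation ON nt

# Step 4: display results; attribute names follow the STIX object model.
DISP susp     ATTR name, pid, command_line
DISP children ATTR name, pid, command_line
DISP nt       ATTR src_ref.value, dst_ref.value, dst_port
```

Each variable (`susp`, `children`, `nt`) is an entity set that later steps can build on, which is the composability the abstract refers to: a community-shared huntbook can stop at step 1 and a hunter appends steps 2 to 4, or swaps the data source for another connector without rewriting the pattern.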
Xiaokui Shu, Research Staff Member, IBM Research
Jiyong Jang, Principal Research Scientist and Manager, IBM Research