Talks and Demos

2022

Kestrel was demoed at Black Hat USA 2022 in the session Streamlining and Automating Threat Hunting With Kestrel. The session was a blue team event composed of (i) TTP pattern matching, (ii) control/data-flow tracking of a cross-host threat, (iii) applying analytics, and (iv) automation with OpenC2. The session playback is available as the Kestrel Black Hat 2022 recording, and the Black Hat 22 Kestrel Blue Team Lab has been released for everyone to try.

Kestrel was invited to the Cybersecurity Automation Workshop 2022 and showcased automated hunting with OpenC2. In the demo, a system issued OpenC2 commands to investigate multiple entities using a library of templated Kestrel huntbooks, and an SBOM was used in one of the exploited-process investigations.

Kestrel was discussed at the SC eSummit on Threat Hunting & Offense Security in the interview session The ABCs of Kestrel: How the threat-hunting language enables efficiencies & interoperability. The session covered the history, mission, key ideas, community, and stories of Kestrel for threat hunters, enterprise executives, and security researchers.

2021

Kestrel was demoed at Infosec Jupyterthon 2021 in the session Reason Cyber Campaigns With Kestrel. The live hunting demo explained the basics of Kestrel during the discovery of the hybrid cloud APT campaign developed for our Black Hat Europe 2021 session.

Kestrel, together with STIX-shifter, Elastic, and SysFlow, constituted the open hunting stack demoed at Black Hat Europe 2021: An Open Stack for Threat Hunting in Hybrid Cloud With Connected Observability. In the arsenal session, a supply chain attack variant spanning a hybrid cloud (two clouds plus on-premises machines) was hunted.

Kestrel was further introduced to the threat hunting community at the SANS Threat Hunting Summit 2021 in the session Compose Your Hunts With Reusable Knowledge and Share Your Huntbook With the Community, which promoted huntbook composition, sharing, and reuse, ranging from simple single-hunt-step demos (TTP pattern matching, provenance tracking, and data visualization analytics) to complex, comprehensive hunt flow composition.

Kestrel debuted at RSA Conference 2021 in the session The Game of Cyber Threat Hunting: The Return of the Fun, which presented its goal of a Human-Machine Symbiosis, its key design concepts Entity-Based Reasoning and Composable Hunt Flow, and a small-enterprise APT hunting demo with TTP pattern matching, cross-host provenance tracking, TI enrichment, machine learning analytics, and more.