Talks and Demos

Kestrel was debuted at RSA Conference 2021: The Game of Cyber Threat Hunting: The Return of the Fun with the goal of an Human-Machine Symbiosis, its key design concepts Entity-Based Reasoning and Composable Hunt Flow, and a small-enterprise APT hunting demo with TTP pattern matching, cross-host provenance tracking, TI-enrichment, machine learning analytics, and more.

Kestrel was further introduced to the threat hunting community at SANS Threat Hunting Summit 2021 in session Compose Your Hunts With Reusable Knowledge and Share Your Huntbook With the Community to facilitate huntbook composition, sharing, and reuse—from simple single hunt step demos (TTP pattern matching, provenance tracking, and data visualization analytics) to complex comprehensive hunt flow composition.

Kestrel, together with STIX-shifter, Elastic, and SysFlow constitute the open hunting stack demoed at Black Hat Europe 2021: An Open Stack for Threat Hunting in Hybrid Cloud With Connected Observability. A supply chain attack variant across a hybrid cloud (two clouds and on-premises machines) was hunted in the arsenal session.

Kestrel was demoed at Infosec Jupyterthon 2021 in session: Reason Cyber Campaigns With Kestrel. The live hunting demo explained the basics of Kestrel throughout the discovery of the hybrid cloud APT campaign developed for our Black Hat Europe 2021 session.

Kestrel was discussed at SC eSummit on Threat Hunting & Offense Security in an interview session The ABCs of Kestrel: How the threat-hunting language enables efficiencies & interoperability. The session discussed the history, mission, key idea, community, and stories of Kestrel for threat hunters, enterprise executives, and security researchers.