Book Review: "Huntpedia"


"Huntpedia" is an outstanding free book on the topic of threat hunting. It's a collected series of blog posts on modern cyber threat detection, each by a different author, and it comes from a long list of experienced blue teamers. At just over 100 pages, Huntpedia easy to read in a single day, in a few sittings, or even as individual blog posts. Overall, I give it 8 out of 10 stars for both having lots of solid theory and accurate technical application. I strongly recommend this to security engineers, incident responders, and anyone with an interest in the Blue Team side of things, mostly because it's high quality, hard learned experience, and free. I also really like that the book is divided into two parts, Part 1 is devoted to theory and Part 2 is technical application; both parts are outstanding in their execution. Similarly, both parts have beginner material and advanced material, making this a worthwhile read even for experienced incident responders. The following are the individual articles in the book, each on ranging ~3 to ~9 pages, followed by the author of each article.

Foreward by Richard Bejtlich
Part I - Hunting: Theory & Practice
Chapter 1: Threat Hunting: People, Processes, Technology - by Danny Akacki
Chapter 2: The Pyramid of Pain: The Hunting Edition - by David Bianco
Chapter 3: Diamond Model of Intrusion Analysis - by Sergio Caltagirone
Chapter 4: Hunting Through Large Volumes of Logs - by Jack Crook
Chapter 5: Hunting for Malicious DNS Namespace Collisions - by Tyler Hudak
Chapter 6: Hunting Anomalous Behavior in Proxy/DNS Queries - by Samuel Alonso
Chapter 7: Waiting vs Passivity in DFIR - by Scott Roberts
Part II - Hunting: Tools of The Trade
Chapter 8: Hunting for Uncategorized Proxy Events Using Sqrrl - by Chris Sanders
Chapter 9: Hunting Lateral Movement via PSEXEC Using Sqrrl and Bro - by Ryan Nolette
Chapter 10: Hunting for Command and Control - by Josh Liburdi
Chapter 11: Hunting Critical Process Impersonation Using Python - by David Bianco
Chapter 12: Hunting for PowerShell Abuse Using Sqrrl - by Matthew Hosburgh
Chapter 13: Leveraging Machine Learning for Cyber Threat Hunting - by Tim Crothers
Afterword by Rob Lee

This book really covers what I would consider some core parts of cyber threat detection (collection and analysis of logs, network, and host data). I like how much emphasis is put on good detection, hunting, and cyber intelligence analysis, that is to say the theory section imparts some critical detection philosophies. The book clarifies many classic DFIR misconceptions, such as how to apply high value CTI and The Pyramid of Pain, or how to approach logging and writing your first set of detection rules. I like how they talk about similar techniques such as Stacking, storing indicators of compromise in a graph database, and even using applied Machine Learning in multiple technical articles and contexts. Huntpedia talks about pushing the needle in terms of detection, or moving beyond the existing tools of what is automated to seek out new threats, search for them in the data, then automate the analysis of said data and hunt for the threats at scale. That is, the book spells it out clearly, hunting requires an experienced mix of human analysis and automated tooling to find new threats and detect them at scale; there is no silver bullet. This book collects honed experience and distills it into some great articles that provide tangible instruction on cyber threat detection. Finally, the main Threat Hunting site also links to more great articles on the topic of threat hunting, detection, and incident response. I hope you both enjoy and share this awesome, free resource!