Preface

The quandary of information technology (IT) is that everything changes. It's inevitable. The continents of high technology drift on a daily basis right underneath our feet. This is particularly true with regard to computer security. Offensive tactics evolve as attackers find new ways to subvert our machines, and defensive tactics progress to respond in kind. As an IT professional, you're faced with a choice: You can proactively educate yourself about the inherent limitations of your security tools ... or you can be made aware of their shortcomings the hard way, after you've suffered at the hands of an intruder.

In this book, I don the inimical Black Hat in hopes that, by viewing stealth technology from an offensive vantage point, I can shed some light on the challenges that exist in the sphere of incident response. In doing so, I've waded through a vast murky swamp of poorly documented, partially documented, and undocumented material. This book is your opportunity to hit the ground running and pick up things the easy way, without having to earn a lifetime membership with the triple-fault club.

My goal herein is not to enable bad people to go out and do bad things. The professional malware developers that I've run into already possess an intimate knowledge of anti-forensics (who do you think provided material and inspiration for this book?). Instead, this collection of subversive ideas is aimed squarely at the good guys. My goal is both to make investigators aware of potential blind spots and to help provoke software vendors to rise and meet the massing horde that has appeared at the edge of the horizon. I'm talking about advanced persistent threats (APTs).¹

APTs: Low and Slow, Not Smash and Grab

The term "advanced persistent threat" was coined by the Air Force in 2006.² An APT represents a class of attacks performed by an organized group of intruders (often referred to as an "intrusion set") who are both well funded and well equipped. This particular breed of Black Hat executes carefully targeted

1. "Under Cyberthreat: Defense Contractors," BusinessWeek, July 6, 2009.

2. http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html.
