Preface
campaigns against high-value installations, and they relentlessly assail their
quarry until they've established a solid operational foothold. Players in the
defense industry, high-tech vendors, and financial institutions have all been
on the receiving end of APT operations.
Depending on the defensive measures in place, APT incidents can involve
more sophisticated tools, like custom zero-day exploits and forged certificates.
In extreme cases, an intrusion set might go so far as to physically
infiltrate a target (e.g., respond to job postings, bribe an insider, pose as a
telecom repairman, conduct breaking and entering (B&E), etc.) to get access to
equipment. In short, these groups have the mandate and resources to bypass
whatever barriers are in place.
Because APTs often seek to establish a long-term outpost in unfriendly territory,
stealth technology plays a fundamental role. This isn't your average
Internet smash-and-grab that leaves a noisy trail of binaries and network
packets. It's much closer to a termite infestation; a low-and-slow underground
invasion that invisibly spreads from one box to the next, skulking under the
radar and denying outsiders any indication that something is amiss until it's
too late. This is the venue of rootkits.
What's New in the Second Edition?
Rather than just institute minor adjustments, perhaps adding a section or two
in each chapter to reflect recent developments, I opted for a major overhaul
of the book. This reflects observations that I received from professional
researchers, feedback from readers, peer comments, and things that I dug up
on my own.
Out with the Old, In with the New
In a nutshell, I added new material and took out outdated material. Specifically,
I excluded techniques that have proved less effective due to
technological advances. For example, I decided to spend less time on bootkits
(which are pretty easy to detect) and more time on topics like shellcode and
memory-resident software. There were also samples from the first edition that
work only on Windows XP, and I removed these as well. By popular demand,
I've also included information on rootkits that reside in the lower rings (e.g.,
Ring -1, Ring -2, and Ring -3).