By B.K. DeLong
We have heard variations on the argument that, within information security, the "advanced persistent threat" (APT) is not really all that advanced or new, that too big a deal is being made of it (FUD), and that it is no more than marketing hype, even as more effort needs to go into protecting against it. The problem is that many industry practitioners (with the help of uninformed or marketing-driven vendors) are being misled into believing that the APT encompasses nearly any adversary that pulls off a large-scale attack or breach.
In early 2010, Richard Bejtlich (then Director of Incident Response for GE, now CSO for Mandiant) wrote some solid blog posts about exactly what the APT is, what it isn't, and how to address it, as well as some good analysis of the so-called "Google vs China" attack, drawing on his years of experience in incident detection, response and forensics. That experience includes his time as Chief of Real-Time Intrusion Detection for the Air Force CERT (AFCERT), where the term APT was allegedly coined after he had moved on to the private sector. Here's a definition from one post:
“Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.
Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term ‘threat’ with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn’t degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple ‘groups’ consisting of dedicated ‘crews’ with various missions.”
However, his best point on the convolutions and confusion around the APT came in a blog post comparing last year's frenzy over the "Google vs China" attacks to observers of a "Pressure Point Fighting" class and how the results get conveyed to the public at large. It is well worth a read if you haven't yet read it.
That being said, he rightly points out that the APT most often refers to a specific threat or "threat agent" associated with a particular country: China. Those focused on defending against or countering APT actors sometimes add other countries into the mix and prefix "APT" with the country in question. Taia Global founder Jeffrey Carr touches on this in a Digital Dao blog post from February of this year.
Now that it's clear what the APT is, it should also be clear what the APT isn't, and that distinction is worth maintaining. All of those breaches of PII, PHI and payment card data regularly posted to OSF's DataLossDB, and the public attacks reported via Twitter by groups such as Anonymous against Booz Allen Hamilton, AntiSec against an FBI contractor, and LulzSec, which leaked large amounts of email and intellectual property, are not cases of the APT at work.
Overuse of the term has bred complacency in the industry and a belief that the general run of threats is more skillful and harder to address than it truly is, which undercuts practitioners' vigilance in their overall protection and detection efforts. It has also let security vendors lag behind where they should be in their offerings and in their ability to seek out, identify and neutralize these threats. Those that over-market their products and solutions as protecting against "the APT" only add to that false sense of security when they don't make clear what "the APT" is.
This discussion runs much along the lines of the one around the credit card industry's PCI DSS: that it should not be an end-goal security standard for companies but a baseline from which to start as they strive for greater information protection.
The difference is that many companies seem daunted by the potential cost of protecting themselves against large-scale attacks, whether at the network or the asset level, either because "it won't happen to them" or because (as the recent Anti-Security movement has shown) there appears to be very little that will stop a determined adversary that wants to get into the network and at an asset.
The industry, and its practitioners, need to get out of the mindset that a seemingly challenging threat is automatically more advanced and thus harder to find and eradicate. Detecting and removing any threat should be standard operation, and vendors should keep raising the bar on their solutions so that they keep pace with the ever-evolving threat landscape. Self-deluding about the difficulty leaves the risk to those business assets far greater than it needs to be.
That being said, organizations should look at what the threats are targeting and focus on that: take a risk-based approach to security, identify the company's most critical assets using something like a Business Impact Assessment, consider the threat actors that might want to steal, leak or destroy those assets to disrupt company or organizational operations, and use that to prioritize the security posture (rather than spending the entire budget securing everything equally).
In short, take the criteria for the APT as defined by experienced practitioners like Richard Bejtlich, Mike Cloppert of Lockheed Martin, and Jeffrey Carr (also author of "Inside Cyber Warfare" from O'Reilly), and drop the reflexive urge to label every perceived advanced threat with this powerful, fear-inducing acronym.
Then continue to evolve both the skills of information security practitioners and the tool sets available to them, to better counter the evolving attackers behind those threats. That way, organizations and the critical assets they protect will end up far more secure than they would under the psychological paralysis caused by the perception that the threats against those assets are too great to defend against.
My next column will center on the fact that, while the APT is a genuinely skilled adversary that more often than not will penetrate a network (as will many other advanced attackers at times), the industry tends to focus so heavily on proactive defense, while failing to do adequate risk assessment, that it gives too little care to incident detection, response and business continuity/disaster recovery (BCDR) when such an attack or breach does occur.
This has been shown time and time again: when such events occur, companies are taken completely by surprise, and in the aftermath it takes them weeks or even months to detect, investigate and respond, and finally to recover and notify everyone who needs to be told what occurred.
B.K. DeLong is an independent security analyst based in Boston.