It’s The Adversaries Who Are Advanced And Persistent

By Scott Crawford & Nick Selby

There has been much talk recently about the “Advanced Persistent Threat.” According to Richard Bejtlich [1] and others, the term originated with the US Air Force around 2006, which explains why Bejtlich and others with an Air Force pedigree, such as Mandiant founder Kevin Mandia, have made much of the term.

Recently it has begun to enter into more common use, particularly in the wake of the recent Google incident. Since that story broke, the term can definitely be seen scaling Mount Hype, with high probability of reaching the summit by the RSA Conference. This is, of course, why all those DLP banners were printed one-sided.

We can already anticipate from those headed down the back side of that lofty peak one central question: “What the heck is it?”

The Next Big Nail

Part of our concern is how much the term is likely prone to abuse. Those with a hammer to sell will undoubtedly see APT as The Next Big Nail. Not only does this promote the myth of the “easy button” in security, where a new tool, technology or product emerges to solve the latest headache, it also lumps APT into the FUD bucket of everything we fear we can neither understand nor see today. It doesn’t help that the term itself plays to the U in FUD, particularly when tactics are neither advanced nor seemingly persistent. But this is part of the issue in our view: a good deal of the problem with security today is that we focus our attention on tactics, rather than what is behind them.

What we would prefer to consider, then, is the “Advanced Persistent Adversary,” since “threat” becomes all too easily confused with tactics.

This is not semantics, but it very well could be about Symantec – it is significant that McAfee came out and named the GOOG Thing, and fanned the flames of this new bonfire of mainstream APT-uttering. For example, in the blog post proffering the name Aurora to describe the wave of attacks in which Google found itself playing a starring role [2], McAfee defined APT thusly:

“The current bumper crop of malware is very sophisticated, highly targeted, and designed to infect, conceal access, siphon data or, even worse, modify data without detection. These highly customized attacks [are] known as ‘advanced persistent threats’ (APT).”

Clearly, McAfee avers that APT is a new form of, or state-of-the-art in, malware. That is precisely wrong.

Conflating Risk & Threat

This feeds right into another, larger issue in information security: that practitioners often confuse and conflate the terms they use to describe what they’re talking about. We’ve heard high-ranking security executives refer to specific viruses as “risks.” With mainstream use of “APT,” it becomes a “thing” which can be “solved”. By calling a specific threat like an exploit or a technique an “advanced and persistent” one, it makes it sound like a missile: something that must be controlled lest it proliferate. In fact, these exploits and techniques seem more like handguns – more agile, smaller, cheaper, easier to use and carry – and a whole lot more difficult and controversial to control.

If we allow vendors to say that the “threat” is the problem, then, “advanced persistent threat” is relegated, as it has been, to the people we have been paying to clean up what we have typically labeled “threats” [3]. Not only does this play into that “easy button” mentality (which is likely the worst possible way to address the advanced adversary) but also it often draws the focus away from a coordinated incident, and towards individual tactics that may be misleading, if they are detectable at all. It may well be that a specific tool used by the more adept adversary is not at all advanced, and may not appear to be persistent. In fact, if they’re any good at it, their activities will appear to be benign until it’s too late.

A Little Light Musing

To use a classical piano analogy, there are millions of people the world over who feel up to taking a crack at Beethoven’s “Für Elise” – including professional concert pianists. Relatively few, however, can do a competent job with the Hammerklavier sonata, one of the most difficult in the classical repertoire. But here’s the thing: those who can deliver the Hammerklavier can also handle “Für Elise.” The point is, they can call upon the right piece for the moment, regardless of the level of challenge.

The “threat” in APT isn’t about the tools used, or whether they’re common, or dated, or ridiculously simple. (Indeed, if you wanted to call upon a simple tactic as a red herring, why not if it suits the purpose?) It’s the adversary who shows virtuosity, the adversary who shows persistence.

Advanced, Persistent Adversary

The more advanced adversary demonstrates persistence, because it has a larger strategic goal than any individual exploit, or even any individual incident. And the adversary may have the resources to back not only expertise in tactics, but such things as fundamental research which can be called upon as the need arises.

This also helps shift the focus where it needs to be. We have been far too lax, for far too long, in the way we think about how to counter threats of any kind. Pieces and parts, this tactic or that, some new tool for every new emerging exploit, without considering that the adversary thinks far more strategically than we do.

We would hope that this also shifts thinking in the security market toward a more systematic approach to defense. For Pete’s sake, the breach alone ought to demonstrate that we’re still unable to build a decent foundation for our efforts, let alone ready ourselves for the more advanced, persistent adversary.

Things That Can Help

Many still-accepted approaches that are successful in producing revenue for security vendors will have little or no bearing on dealing with the advanced adversary, but there ARE things we can do to improve our current situation, which today we clearly do not.

Let’s think like the adversary and assess ourselves accordingly – and we’re not just talking about vulnerability scans. How do our companies appear to the world on the Internet? How do our employees and business units communicate with the world, and how do our applications expose ourselves to the Internet at large? And how aware are we really about what goes on in our environment? Are we monitoring as widely and well as we could be? Are we making use of the information we collect and doing what amounts to pre-incident forensics on the data? If not, or if such techniques seem beyond our reach, where can we look for expertise that will help, and what does that need say about where security management needs to go in the future?

It’s high time we began setting our security goals to align with defense of what we hold dearest. All too often we set our security goals to align with those of compliance with regulatory or industry rulesets.

One thing we believe will not help: more of the same. The advanced, persistent adversary has been here for some time [4]. Here’s some time-worn advice that’s been around for a while as well: there is no panacea, there’s no magic bullet, there’s no boxed solution ready for cash and carry.

While many rightly raise that the Google incident is the first time the issue has made the mainstream press, there’s lots of experience out there on the user side, and we applaud experts like Richard Bejtlich, Mike Cloppert and others (like Will Gragido at Cassandra Security who’s been writing about another, different way to describe this, Subversive, Multi-vector Threats, or his business partner John Pirc, who presented on many related issues at ToorCon 2009) who have come forward to share at least the anonymized takeaways of their work. As we went to press, Andy Jaquith published similar thoughts at Forrester.

We need more experienced practitioners to come forward and share. As you read this, information security pros are sitting, wide-eyed, in banks, insurers, card processors, chemical firms, all kinds of industries, analyzing the latest – that is, today’s – onslaught. Sharing our common experience makes us all stronger.

McAfee was right when it said that, “Everyone’s threat model now needs to be adapted to the new reality…” Organizations sharing information with one another is one great way to speed our time to insight as we grapple with just what that new reality comprises.


* Scott Crawford is Research Director at Enterprise Management Associates (EMA), a leading IT industry analyst and consulting firm based in Boulder, Colorado. The former head of information security for the Comprehensive Nuclear-Test-Ban Treaty Organization’s International Data Centre in Vienna, Austria, Scott has been an IT professional in both the private and public sectors, with organizations including the University Corporation for Atmospheric Research and Emerson (Fortune #94 in 2009).

* Nick Selby is co-founder and Managing Director of Trident Risk Management, where he consults Fortune 1000 clients on information security, data protection, penetration testing and vulnerability and risk assessment. TRM also consults with government and law enforcement agencies on intelligence issues and tools. He was, in 2005, the founder of the Enterprise Security Practice at industry analyst firm The 451 Group, and is a Faculty Member at IANS. He is a regular contributor to FudSec and ThreatPost.

1. Bejtlich himself has massive experience in facing down all kinds of threats from advanced and persistent adversaries, in several distinguished roles. He has been raising awareness of these issues, as has Kevin Mandia, for several years.

2. The use of the name itself is confusing, because “Aurora” has been used for three years to describe an Internet-based attack against rotating generator equipment and was recently highly publicized in a controversial CBS 60 Minutes segment. Yes, McAfee had a reason to name it that, but that doesn’t mean it should have. Nick’s wife makes and sells tremendously good baked goods, but that does not mean she should call them “Oreo”s.

3. And how’s that working out for you, hmm?

4. Of course it is enough to make one physically ill to hear that MSFT had long known of the problem that caused GOOG so much angst. In fact, if you want to raise your blood pressure, consider just how long it took for McAfee and Symantec to begin to address APT – and now consider that they’re trying to dominate the talking head space, issuing punditry and thought leadership around APT to sell, wait for it, anti-APT products. Thanks, guys!
