
Revisiting the Advanced Persistent Threat

Friday, May 14th, 2010

Ever since the Google hack disclosures back in January this year, the term “Advanced Persistent Threat” (or “APT” if you prefer to use TLAs) has been tossed about in various forums and associated with security, hacking, terrorism, state-sponsored attacks, botnets, advanced malware, next generation malware, etc. – the net result is that the term means quite different things to different people.

Depending upon how much of a security purist you are, your perspective of what an APT encompasses could be pretty broad or downright specific. For example, there are a clutch of security purists who, being mostly former US military, strongly associate the term with traditional state-sponsored attacks against US infrastructure. Therefore, for something to be labeled an APT, it requires the threat to be backed or endorsed by a hostile political regime and requires tools, tactics and technologies outside the normal threat spectrum (and not within everyday reach of criminals).

On the other hand, you’ll find another clutch of security purists that take the term “Advanced Persistent Threat” precisely as you’d expect to interpret each word in the English dictionary.

There are of course all sorts of problems. For example, what precisely constitutes “advanced”? To the average corporate security defender, “spear phishing” may be sufficiently different from all the bulk spam their company gets each day to meet the criteria for “advanced”. Meanwhile, for a system administrator only partially familiar with the network worms of the early 2000s, the current batch of Brazilian banker Trojans would be more than “advanced”. And, for the CEO of some large company, the prospect of being hacked and backdoored over their WiFi connection during the flight between Atlanta and San Francisco would likely lie somewhere between “advanced” and downright magical.

The point is, depending upon your experience with cyber threats and your ability to validate their technical capabilities, one man’s APT may be another’s script-kiddie hack or yesterday’s news. I think that Arthur C. Clarke said it best – “Any sufficiently advanced technology is indistinguishable from magic” (or in this case “advanced”).

To date, the term APT has been thrown about so often and used in so many different ways that it’s probably impossible to revert it to what most security purists would like (or insist upon). This obviously isn’t a new problem for the community. Another term that has been subjected to precisely the same social and media stresses is “Hacker”. You can check out the history of what “hacker” means – but today’s interpretation is completely different from what was intended – and yet people still use the term in various ways, depending on whom they are speaking to.

There’s a problem though: just as the term “hacker” can have negative and positive connotations depending upon who you’re talking to, “APT” may be a door opener or a closer (for example, with close security friends and colleagues, we’re hackers – with prospective customers we’re Penetration Testers and Security Consultants – if we’re responding to press attention we’re whitehat or ethical hackers – and, in other places we’ll use the context of bug hunters and reverse engineers – all depending upon how you think the person you’re speaking to will react to the word “hacker”). This is becoming more pronounced of late. For example, here are some (paraphrased) quotes I’ve heard lately:

  • “I don’t need any more IPS – I’ve got tonnes of the stuff. I need to prevent APTs.”
  • “I’ve already got anti-virus, now I need Advanced Malware detection capabilities.”
  • “I have an incident response team that covers APTs. I need protection against NG Malware.”
  • “I need to stop the malware from China. Get me an anti-APT gateway!”
  • “APTs only affect the government and Google. No foreign government would be interested in us.”
  • “APTs? I’ve got a dozen of them squirming in my network. How do I block them?”

There are several more laughable quotes and a bundle of R-rated ones that I’ll refrain from posting here. The point is that the term APT means different things to different people – and will continue to do so – regardless of any purist’s intentions to clarify what the term means. On a related note though, trying to clarify things by dividing the various interpretations of APT into separate sub-definitions (each with its own TLA) is inevitably doomed to failure. As someone once mentioned to me, “the problem with standards is that everyone wants their own”.

– Gunter Ollmann, VP Research