Advanced Persistent Threat (APT)

It’s taken me a few years, but I’ve come around to this buzzword. It highlights an important characteristic of a particular sort of Internet attacker.

A conventional hacker or criminal isn’t interested in any particular target. He wants a thousand credit card numbers for fraud, or to break into an account and turn it into a zombie, or whatever. Security against this sort of attacker is relative; as long as you’re more secure than almost everyone else, the attackers will go after other people, not you. An APT is different; it’s an attacker who—for whatever reason—wants to attack you. Against this sort of attacker, the absolute level of your security is what’s important. It doesn’t matter how secure you are compared to your peers; all that matters is whether you’re secure enough to keep him out.

APT attackers are more highly motivated. They’re likely to be better skilled, better funded, and more patient. They’re likely to try several different avenues of attack. And they’re much more likely to succeed.

This is why APT is a useful buzzword.

Posted on November 9, 2011 at 1:51 PM (84 Comments)

Comments

Barbie November 9, 2011 2:05 PM

They’re likely to be better skilled

Oh, you mean they’re more apt ? (Yeah, I’ll show myself the door).

swim November 9, 2011 2:07 PM

“An APT”

See, that’s a usage I can get behind. When I see “The APT” I just mentally substitute in “the boogieman”.

Kim Davis November 9, 2011 2:25 PM

I think another aspect of APTs is patience. The attacker will lurk on your network until it’s discovered, collecting what it wants over a period of months, even years.

Arclight November 9, 2011 2:32 PM

I think Bruce is making an important distinction. The way he is using “APT” describes a motivated attacker using whatever technologies he can to better attack a specific victim. The term as it’s used in the trade rags seems to imply something ambiguously related to better targeted malware and involving Russian programmers and/or Chinese spies.

The resources and motivation of the attackers are key here. I seem to recall a security term that defined a threat as “hostile intent plus capabilities.”

Arclight

Mark November 9, 2011 2:32 PM

Trying to prevent an APT style of attack is a fool’s errand; there is always some way to get in, and computers and people are never perfect. This is true of any system, not just computer systems: nothing is perfectly impenetrable to a motivated and resourced attacker.

The best possible response is not to lard up your security policies and technologies with a lot of expensive and useless geegaws but to invest in a competent audit function. You can’t prevent an attack from succeeding, but you might have a chance of detecting it after the fact, shutting it down or allowing it to grab misinformation. Audit and detection allow for some measure of control after an attack has occurred.

Mark November 9, 2011 2:37 PM

In the trade rags, APT means “give us a lot of money for expensive BS so you can CYA when you get popped” or “give us a lot of unchecked authority so we can do whatever we feel like without consequence”. Both are parasites on the system and are not useful.

Jack November 9, 2011 2:47 PM

Mark, I think you’re right, but I’d also argue that there is a term for that: targeted attack.

I’d wager a large sum that this distinction is not going to be observed by most. Instead, I think the headlines will read: “Bruce Schneier: APTs are Real” followed by a recitation of all the whirligigs you need to buy for your organization, obliquely supported by Bruce’s statements here.

Daniel November 9, 2011 2:51 PM

I’m glad that Bruce has come around and I agree with the way he defines the term. Yes, there is a lot of money-grubbing BS about APT but that doesn’t mean there is no threat.

I think the biggest people who have to worry about it are ‘big data’. Imagine you have a database that has all the driver’s license IDs. A sophisticated identity thief could get a driver’s license with his real picture using stolen PII on it, but then hack the system and replace it with a fake photo, thereby defeating any FRS.

The issue isn’t how likely this attack is to succeed. The issue is that this type of APT is a very different beast than your normal Anonymous hacker. It requires you to think very differently about prevention, detection and auditing. Because it’s not the big data leak that shows up in the press that kills you with the public; it’s the death by 1000 cuts that can ruin trust by the legitimate users of your data.

Dom De Vitto November 9, 2011 2:54 PM

Actually, the real worry with APT isn’t that they are advanced, but that they are good security folks.

Good security folks think with breadth and depth – if you can’t get through the firewall, can you spearphish the CEO? What about getting into the building through the drain? Or Van Ecking the Personal Assistant’s home PC? Or setting up a fake government health & safety audit?

They may fail, but at worst all that will do is raise internal awareness for a while – in a little while even the same failed approach may succeed.

Oh, and the real issue with APT is that it’s usually performed against assets that have greater very-long-term strategic value than even your organisation knows. E.g. your telephone list is not a problem to lose, right? What about if your main competitor tracks copies over a year or so, and headhunts only those staff that are getting promoted? Not nice.

What about little things like getting into your executives’ private email and finding dirt to release to the press, public or wives, to dump your stock and discredit its board – ahead of a hostile takeover. Not nice.

To understand APT, you need to think about where the organisation wants to be in 10 years. That’s where your adversary wants to be, and anything they can do to trip you up is legitimate activity.

David November 9, 2011 3:17 PM

The only thing the “A” in APT can stand for is adequate.

No skilled hacker, however advanced, is going to waste time on advanced techniques when the current state of security is generally very poor.

Sadly this is an overused buzzword which should only be useful for the marketing departments of security companies.

Implementing the top 5 measures from any top 25 list (SANS or the Australian CSOC) would mitigate much of the current threat and actually raise the bar for attackers. No surprise that number 1 on most of these lists is “patch your OS and software”. And yet the companies who are hit because they outsourced their IT at bargain prices still swallow the “advanced threat” pill.

ghostxyz November 9, 2011 3:25 PM

I think there is a clear confusion around the A and the P in this acronym. I would argue that “Advanced” is not nearly as relevant as the “Persistent” part. The SK Communications hack was very nicely done – it could even be “Advanced” – but it was not so special that it needs its own name.

I believe originally the “Persistent” part was key because it characterized attacks that intended to stay dogging the target for an extended period of time. In cases where the attacker was discovered and rooted out, the bad guys would return a year later because time-bomb type sleeper programs would awake after as much as a year, find that the attacker’s presence was gone, and call back out to a predefined location to let them back in. Now, this is a year later, so it is definitely not a smash-and-grab type of attack, but characteristic of an attacker that is not going anywhere and can be patient enough to see if the life-lines survived the victim’s system purges to let them back in. This type of long-term planning is more characteristic of a nation-state attacker.

Timmy303 November 9, 2011 3:32 PM

APT is useful, you’re right. Useful to CEOs of security firms who had no business getting as thoroughly owned as they did, they had to blame somebody. This actor has always been around, since Dan Farmer noted the existence of the “ubercracker” in his and Venema’s “How To Improve the Security of Your Site by Breaking Into it.” Nothing new to see here, it’s just funny that they forget that these types exist.

Peter Cap November 9, 2011 3:33 PM

Well, Bruce, welcome to the debate, pull up a chair, make yourself comfortable.

Brief background–“APT” was originally coined in 2005 or 2006 by analysts working netsec issues for the Air Force. They created this term to discuss a particular threat with the press without invoking its classified covername. So, originally, it was actually meant to be a name–it could just as easily have been Biff or Steve or Maggie.

Later on, people who heard the term but did not necessarily do work in this area took it to stand for a class of threats. Then began the discussion on the nature of “advanced” when their typical M.O. involves spear-phishing and exploits from 2008 (ok, I’ll allow that the methods of controlling their malware can get quite exotic) and how you define “persistent” (including one school that thought it meant “Patient and determined to get into your network” while another group insisted it meant “Once they establish a foothold, they will spread laterally and you will never get rid of them”–note that these are not mutually exclusive definitions).

Ultimately, as analysts, we use terms like “APT” as a shortcut–we take a whole body of data and slap a label on it–then we only work with that simple thought object rather than a giant data set. Only, if you do not already grok that data set, then the label really is devoid of value for you.

So, Maxim #1 for this post–if you are not actively engaged in analyzing and countering APT, then you have no business using the term, because it is a foreign word whose meaning you don’t really understand. I mean this in the nicest possible way, not to shut anyone out, but just to make them aware that when you say “APT” it is a placeholder for a massive body of work that goes back over a decade and is truly globe-spanning. Not a space for dilettantes.

The corollary is that, as analysts, we use terms like this to reduce ambiguity and complexity. Therefore, if we fail at either then we are actually doing more harm than good.

So, Maxim #2: If your use of APT does not simplify a discussion, then you have no business using it. Again, not trying to shut anyone out here–but the idea of an “Advanced Threat” is currently not well-defined, nor is “Persistence,” so probably the vast majority of people weighing in on this topic are doing everyone a disservice by claiming a certainty that they do not possess.

So what term can we use? Well, on another mailing list, I suggested that, in the interests of clarity, we replace the term APT with the German Neugieriggeheimnisdatensüchtigecomputerstreber: “Nosy computer nerds addicted to secret data.” It evokes the intent of the threat without quibbling about their capabilities–or, in other words, makes this a discussion about people instead of technology. Anyone who has worked these issues extensively will probably agree that the key here is not how many zero days are being held for some “cyber Pearl Harbor,” or what their precise tactics are when they get into your network, but rather why they do what they do and what they are trying to accomplish.

Regardless of the label used, however, there is a tendency for them to take on a life of their own and begin to drive the conversation (“define ‘advanced…'”), and when this happens (as it has happened with “APT”) then it has ended its useful life to analysts and other people working on the problem. Therefore, Maxim 3: Guard against the buzzword driving how you think about the problem.

So, I’m glad you are entering into this discussion, even though I fear you are walking into the bar just after Last Call. I would really enjoy reading your thoughts on the media hype surrounding “APT,” the various vendors trying to cash in (notably Symantec, Mcafee, Trend, and Dell), whether or not these trends are beneficial or harmful, and what the ethical considerations are that we need to take into account (y’know, just in case you’re at a loss for something to blog about someday).

karrde November 9, 2011 3:41 PM

The scary thing about APT is the (unmentioned) “targeted” component, combined with the “persistent” component.

My first thought is that national Intelligence firms and their Counter-Intel wings have been doing APT on each other since the middle of the 20th Century. (Perhaps earlier…)

The first examples that came to mind were Aldrich Ames and Robert Hanssen, but Wiki claims that they both offered their info for money. (At first, Ames gave info known to be nearly-valueless, in an attempt to help his superiors develop a mole in the Soviet Embassy. But he got addicted to the money, and kept on offering info…even when his contact told him that the KGB was wrapping up CIA field agents left and right!)

Are there better examples in international espionage of APT turning into a big success?

Secondly, I am assuming that the transition from paper-based-office to electronic-document-based-office raised the potential benefit from an APT attack. That is, an APT attack that gave access to a cabinet full of paper is much harder to turn into a success when compared to an APT attack that exposes important business DBs.

This may mean that even though international espionage appears to involve APT, the benefit to the APT had to be high before the Intel services involved would attempt such. This doesn’t really invalidate my first assumption, but I’m not really sure.

cyber-rich November 9, 2011 5:03 PM

The problem with APT as a buzzword is similar to the problem of “Cyber” as an adjective for anything to do with Computer Security. There is budget for Cyber and there is budget for APT. Follow the money.

I need a new name for what I do, so as to get away from these buzzwords and get on with the job. Can someone tell me what Cyber and APT might be called in 3 years’ time?

MeMyselfAndI November 9, 2011 5:23 PM

So, Maxim #1 for this post–if you are not actively engaged in analyzing and countering APT, then you have no business using the term, because it is a foreign word whose meaning you don’t really understand

Maxim 1 for the win. I hate it when people who have never seen the traces or been to the briefings use the term APT. It makes my skin crawl – since these same people, way more often than not, have no concept of what it means to take on a specific enemy who has lots of time, lots of clue and lots of money at their disposal.

Daniel November 9, 2011 7:37 PM

Peter Cap’s post is an excellent illustration of the problem. Everyone is trying to shoehorn different threats onto the same term in order that their product catches the buzzword’s wave and corresponding sales. I’d argue that it really doesn’t matter what APT means so long as it has a /consistent meaning/. Other threats can have other names.

In terms of Peter’s post, I have always understood the “P” to mean “Patient and determined to get into your network”. I totally reject the idea that it is about nosy nerds, and I hope he meant that part of his comment facetiously.

Nick P November 9, 2011 8:33 PM

I still disagree with the term. The majority of APTs I hear about are just hacking. Essentially, the media (and maybe Bruce now) defines what used to be normal hacking (find vulnerability, exploit) to be “advanced,” perhaps because all of the off-the-shelf kits & books saturated the underground with script kiddies. There’s nothing advanced about using 0-days you bought, macro viruses, spearphishing, etc. These are straightforward & we did better than that in high school with little experience.

As this discussion happened on Krebs, I’ll just repost Luiz’s and my posts below:

LUIZ’S POST FOLLOWS

APT = Target Phishing + Social engineering + Lack of information security awareness + IT assets misconfigured.

The origin of the word “attack” is “attach”, c.1600, from Fr. attaquer (16c.), from Florentine attaccare (battaglia) “join (battle)”; thus the word is a doublet of attach, which was also used 15c.-17c. in the sense now reserved for attack. It is interesting because the APT (Advanced Persistent Threat) attacks are based on malicious attachments and are not highly advanced and sophisticated. Attackers take advantage of organizations making simple mistakes. They call the attack an APT because the organization does not know what happened, but sending emails to targets with malicious attachments, monitoring how they are handled and escalating privileges is just a step of a Social Engineering pentest using emails.

The most common way for cyber attackers to gain access to an organization’s network is through spear phishing, in which the attacker sends an email that looks like it came from a trusted source and, when opened, installs malware that will enable them to exploit the target’s network. The compromised system continues to work without any evidence that the network is compromised. Information is gathered for future (and persistent) attacks and to escalate privileges.

The attackers use newly designed and customized malware to circumvent most common defenses and focus their tools and techniques on a specific target, or just use evasion techniques: breaking the trojan file into multiple pieces and zipping them as a single file, changing the content of the trojan using a hex editor and also changing the checksum, encrypting the file, and changing the trojan’s syntax to convert an executable file to a VB script or Office file.

Creating a dropper, which is the part of a trojanized package that installs the malware on the target system, and creating a wrapper using tools to install the trojan on the victim’s computer with an innocent-looking extension (.pdf, .doc, etc.) is not necessarily advanced. When the victim runs the wrapped file, it first installs the trojan in the background and then runs the wrapping application in the foreground. The trojan server is installed on the victim’s machine, which opens a port for the attacker to connect. The client is installed on the attacker’s machine and is used to launch a command shell on the victim’s machine.

Command shell trojans give remote control of a command shell on a victim’s machine. The trojan is used to turn the victim’s machine to illegal purposes, such as scanning, flooding and infiltrating other machines, stealing information such as passwords and security codes using key loggers, replacing critical OS files, downloading other malware, recording screenshots, audio and video, disabling the local anti-virus and personal firewall, and turning the victim’s computer into a proxy server for relaying attacks and using that machine as a covert channel.

Compromised machines become springboards to infect other machines and the entire network. As the network becomes infected, backdoors are installed to gain further access to the company’s infrastructure. With the proper credentials in hand, the attacker controls the compromised system. As the infiltration continues, the victim’s network passwords are grabbed, email and files are stolen, and even the network topology itself is uncovered. The attack continues to expand its reach in the network into more sensitive systems via the Botnet master’s Command and Control infrastructure, placing more and more critical data, such as financial data, marketing plans, and research and development information, at risk. With one compromised system, an attacker can establish full control over much of the corporate, enterprise, or critical network infrastructure.

Reconnaissance, scanning, gaining access, maintaining access and clearing tracks are basic steps for any attacker or pentester, and hiding files, cracking passwords, escalating privileges, executing applications and covering tracks are neither new nor advanced; APT is just a new scary thing to say.

Luiz Firmino, CISSP, CISM, CRISC, C|CISO

MY REPLY

Darn, Luiz, you beat me to it. This whole “Advanced” Persistent Threat moniker has been aggravating me because it’s applied to what’s essentially basic hacking. Even back in the NT days, we used many techniques to compromise systems. Unlike the script kiddies, real hackers were very effective problem solvers & would use any series of steps they needed to achieve the goal(s). There’s nothing advanced about that.

They are just using APT to drum up sales in the INFOSEC and news markets. Companies seem to be using the term to hide that their software, systems, procedures, etc. can’t stop the average high school grade hacker. This trend needs to stop. Companies need to re-evaluate how they handle security & do something that actually works. They can start by applying some of the recommendations that their IT security staff have been giving them over the years.

And only truly advanced attacks should be labeled as such. In modern times, I think I’d have only given that label when the encrypted, P2P, DNS shifting C&C systems appeared. That was pretty advanced, at the time. Advanced system attacks include using covert channels, processor errata, BIOS/OS combined infection, firewire (at the time) & BootJacker. (That was an awesome piece of work, actually, so I linked it.)

Bootjacker
http://srgsec.cs.illinois.edu/bootjacker.pdf

EDIT TO ADD: Anyone who read the Certified Ethical Hacker study guide & put it to work for a month knows enough to do most of what Luiz mentioned & “APT” guys did. People possessing this aren’t considered advanced at all: they’re baseline. Baseline offensive techniques + shoddy IT security practices != advanced compromise. This term needs to be totally redefined or erased altogether.

Nick P November 9, 2011 8:42 PM

@ Jim

Thanks for the link. I like his Adaptive Persistent Attack much better. It conveys a more accurate picture of the events & doesn’t let companies with poor security blame the compromise on “advanced” attacks.

@ David

“Implementing the top 5 measures from any top 25 list (SANS or the Australian CSOC) would mitigate much of the current threat and actually raise the bar for attackers. No surprise that number 1 on most of these lists is “patch your OS and software”. ”

Yeah, many attacks would have been prevented by following basic measures & still more by using reasonable measures (e.g. blocking executable content in documents). This is just more dirt in the coffin of the APT mantra.

Daniel November 9, 2011 8:55 PM

“perhaps because all of the off-the-shelf kits & books saturated the underground with script kiddies.”

Perhaps? If Anonymous=hacking then ‘old school’ hacking=APT.

I do think that language evolves as circumstances change. “Hacking” today ain’t what it used to be.

I’ll get off your lawn, Nick P.

Andrew November 9, 2011 11:16 PM

This actually parallels one of the significant problems facing Wikipedia. There is a broad contingent of ideological editors out there who’ve gone through the process enough times that they’ve figured out how to promote their content effectively.

RobertT November 10, 2011 12:12 AM

@NickP
I’m not sure I understand your point.
An advanced attacker will always try the simple attack vectors (even script kiddie attacks) before resorting to more esoteric network entry methods. If nothing else, this helps hide the identity and focus/seriousness of the attacker.

So APT in my mind is about the focus of the attacker rather than how advanced the attack vectors are.

Take Stuxnet, many parts of it are trivial, but the depth of knowledge about the target system, that is embodied in the code, tells you that this was absolutely not an accidental virus infection. Once you accept that anyone would invest so much effort you realize the magnitude of the effort that is required to defeat such an attacker. It is somewhat akin to personal defense against a sniper, who has all the time in the world to act.

Apt moo November 10, 2011 1:58 AM

@david
“And yet the companies who are hit because they outsourced their IT at bargain prices”

This is true. I worked for a well-known multinational corporation and, without using any security tools, I found a lot of vulnerabilities like:
*Full disk shared (everyone could read everyone’s)
*unnecessary services and ports enabled by default.
*weak local admin password.
*blank VPN access password :-O!!! (no certificates, RSA tokens only (6 digit password))
and more (skipped to avoid heart attacks…)

QnJ1Y2U November 10, 2011 3:41 AM

My prediction: Bruce’s nuanced definition will be ignored, and almost every publicly acknowledged breach will be due to an ‘Advanced’ attacker.

Why? Because it lets the organization off the hook. Even if the attacker breaks in using something simple, they’ll still be described as advanced ….

Clive Robinson November 10, 2011 4:02 AM

I’m against the term “APT” for a whole host of reasons, not least of all because it is unhelpful; that is, it does not bring clarity but “FUD”, and it primarily seems to be used by those with something to hide, such as sales people and those too embarrassed to admit they have goofed security 101.

There are two basic ways into anybody’s systems, technical and social; it’s as simple as that. We give fancy names to various classes within these two areas, but the attack, however it is carried out, is reliant on either a social attack, a technical attack or, as more recently seen, a combination of both.

As others have pointed out, most of the technical attacks will fail if the sysadmins keep sufficiently up to date and don’t allow over-promiscuous access.

Now it is interesting to see the shift of the attacks away from pure technical to social, because it is an indicator that an increasing number of sysadmins are grokking the technical aspects where they can get control at the borders. However, the problem is “management”, who still allow promiscuous behaviour by users for a whole host of faux reasons. Thus many systems are like sweets with soft centres: you have a hard outer shell you have to crack to get at the oh so seductive and profitable soft centre.

The easiest way through the hard shell is via “invitation”, that is, dodgy emails and web pages. Thus, like the trojan horse of old, the attacker leaves it at the gates for those inside to actively pull it in. So nothing new here; we’ve talked about it one way or another for a few thousand years. The problem is that in the ICT industry we use the term “trojan” in a more specific way and seem to forget the simplicity of the original lesson and how it applies across any technology, because at the end of the day it’s not about the hard technology but the soft squishy stuff behind. And as some of us know, the basic human has not changed much in ten thousand years.

A number of years ago, before APT was heard about, I outlined a number of points: the first was how to cross “air gaps”, the second that people really were underestimating the value of the “fire and forget” methodology of bot nets. I actually described how you could put the two together to get a method that would be the current definition of a high-end APT attack. This was a year or so before Stuxnet actually kicked at the door and finally set off the alarm that started waking people up.

Worse, since then we have proved that “those who don’t learn from history are condemned to re-live it endlessly”, in that the old boot sector and BIOS attacks popped up yet again.

So for me APT as currently used does not mean Advanced or Persistent but “Apathetic People Threat”.

If we want to get rid of this, then senior managers are going to have to recognise a few basic home truths about the evaluation of business enablers -v- risk.

One such is the “revoking of rights on promotion or job change”; another is “easy working for employees is easy access for malware”. Likewise, “Social Networking” for business is an excuse to be less productive, not more productive…

The use of iPhones, Crackberries and all sorts of other smart devices by executives and lower has been proven over and over again to be a major security risk. Not just because the monkeys in suits that hold them spend too much time at chimps’ tea parties and leave the damn things for others to pick up, but because they insist on mixing business with social, and thus can be groomed as an entry point for a more sophisticated attacker.

Oh, and when it all goes wrong, do they get the blame? No, they blame either the messenger or the person who was effectively forced into setting the device up to the whims of the manager in the first place.

Thus arguably nearly all the attacks are due to “social failings of employees” at all levels, and the difficult part is finding which of the plethora of known technical attacks will do the job for the attacker once they have been invited in.

Tim#3 November 10, 2011 4:22 AM

Clive is very much on the button there. I would just add one more attack that is relevant in a targeted scenario, where the social engineering goes beyond clicking on a link & involves befriending (or more) an employee and getting them to use their legitimate access for your means. Not that I’ve worked out a foolproof defence to this…

Rob Smeets November 10, 2011 4:39 AM

It seems to me that what is now commonly called APT was once called ‘dedicated attacker’.

TRX November 10, 2011 4:39 AM

Take Stuxnet,
[…]
It is somewhat akin to personal defense against a sniper, who has all the time in the world to act.

Not the same thing at all. There was a window a few months long where Stuxnet would be effective. Deploying Stuxnet bought someone a few months of delay at the cost of an immensely valuable exploit, much coding time, and the certainty of hardening security to make any further attacks more difficult.

The key to APT is the “persistent” part. A direct attack might be like a sniper, but a persistent attack is probably more like being nibbled to death.

Dave Howe November 10, 2011 5:12 AM

Well, one feature of an APT is that they are targeting their attack.

A major downside (for the attacker) of a worm attack like Stuxnet is that it is widely deployed, hence AV companies and active counter-intrusion investigators will quickly have samples to work with, reverse engineer the vuln exploited, and be able to contact the vendor and/or update pattern libraries to block that or at least alert to its presence. That means the attacker has a narrow window where the attack is not being blocked or detected, then a declining curve as countermeasures are written and deployed until the attack can no longer be self-sustaining and stops spreading.

With a targeted attack, none of that is true. A spearphish or 0-day used in a targeted attack is unlikely to yield samples and/or even notification to the big AV companies, and often not even retroactive investigation will show where unsuccessful (but viable) vectors were attempted, and often not even the ones that succeeded. A good attacker could easily compromise eight or nine sites before the first one even discovers it was compromised, and if they can add suitable “watchdog” code to otherwise insignificant hosts (such as printers!) inside the perimeter, could well have access stretching into the months or years after the initial flurry of investigation dies down and the system’s defence activity returns to normal levels.

Cosmin Broasca November 10, 2011 6:15 AM

Very interesting shortening of an APT definition, Bruce. However, security is always relative. What changes here is the security equation: the target doesn’t have to be better than its peers, it has to be better than the attacker’s capability.

paul November 10, 2011 8:42 AM

Clive is right with this: “Thus arguably nearly all the attacks are due to “social failings of employees” at all levels and the difficult part is finding which of the plethora of known technical attacks will do the job of the attacker once they have been invited in.”

But.

This is like the recognition that the proximate cause of almost all airplane crashes is an error by the pilot. It’s not the end of the discussion, it’s the beginning.

john November 10, 2011 8:50 AM

@Dave Howe

with 0day you aren’t an APT since you don’t need to be persistent 😛 you just pwn & rm.

Clive Robinson November 10, 2011 9:23 AM

There appears to be a conflation of what a targeted attack actually is to the attacker and what an attack appears to be to a defender.

Stuxnet was a highly targeted attack from the point of the attacker, BUT importantly it had to have a broad attack front to succeed.

I made this point some years ago with bot nets and air gap crossing to target vulnerabilities in voting machines.

There are two basic ways to attack an enemy from a distance, one looks like a “guided attack” by precision smart weapons the other looks like the generalised sowing of smart mines in a “fire and forget attack”.

The problem with “zero day” attacks is their very limited shelf life. You can waste them by attacking a specific target in a “guided attack”, or better utilise them by sowing them via a “fire and forget attack”.

The aim of both “guided attacks” and “fire and forget attacks” is to gain a toe hold from which a further consolidating attack can be made.

The problem with a “guided attack” is you require a lot of fairly specific information about the target site to find the actual target system, and if they have air-gapped systems you are effectively stymied.

The “fire and forget attack” gets around this issue by the simple purpose of propagating itself as widely as possible, getting from machine to machine, memory card / thumb drive and any other method to propagate onto a system. Even if its root might be via a service technician’s PC in another country.

There are two basic ways to make “fire and forget attacks” work. The first is “target recognition”, which is what Stuxnet appears to have done. This still requires a very large amount of intel on the target system. The second is to get it “to do an ET” and phone home. That is, it either has no or very limited information on the target (if there even is one at this point); it simply sends a limited amount of identifying information that it has found and passes it back through a covert control channel.

Effectively the attack is a bot net that is not used for the usual silliness such as high traffic spamming or DDoS attacks that gives it away.

Now look at it this way: we know that very noisy botnets can acquire more than 1.5 million PCs under one bot-herder. Zeus/SpyEye in its various forms has probably invaded a significant percentage of the billion or so (estimated) PCs that connect to the internet. How many PCs do you think a similar attack could acquire if they used a very quiet covert back channel?

Once a toe hold is acquired in the target network the attacker can, via the covert control channel, consolidate their position using non zero day etc conventional attacks and, if smart, cover up the original entry point by making it look like the entry was “a silly user visiting a bad site”. They can also lock the PC down to prevent others attacking, thus reducing the chance of other malware triggering a SysAdmin or user becoming suspicious and taking action.

The sad fact is zero day attacks are “unknown” and will remain “unknown” until either somebody else discovers it, or it makes itself obvious to others by lifting its head above the noise floor in some way.

Thus for an APT “fire and forget attack” to become an APT botnet all it has to do is remain below the noise floor. To do this it needs to make its propagation covert and low bandwidth, likewise its control channel, and finally its nefarious activities need to be likewise low bandwidth.

But the advantage for the likes of foreign nations is the botnet can just sit there doing effectively nothing except when the controllers take interest in finding a specific target. In this way its back channel will provide highly specific information as to a viable route for a “directed attack” as well as information about the likely patch level of the destination system.

However when you look at the “fire and forget attack” from a defender’s point of view, provided it is actually found (doubtful) and it looks sufficiently similar to other botnet worms/malware, then that is how the defenders will treat it, not as a “targeted attack”.

I know that some people will find/take exception with this view point but have a think on it.

Oh and although I have in the past detailed how to provide a decoupled forward command and control channel, I’ve not detailed how to do the reverse channel (although it’s not much more difficult). I have also built an experimental system that was tested on a private network, and it slipped by quite happily all the AV vendors products, and a few years down the road still does even though it did not use a zero day attack…

It can and does show up on a properly configured Honey Net, but then I’ve also detailed in the past how to enumerate those using what looks like mindless script kiddie attacks.

So from my point of view APT is just a fact of life that will be a certainty for anyone daft enough to connect their critical systems to a network, be it public or private, unless they take other substantive measures well over and above air gapping.

However such systems are classified by management as “not being efficient” for a whole host of reasons.

So to stop APT we really do need to review our work practices, and most execs in walnut corridor will almost always chance it; after all they are only going to be there on average for 18 months and then they will be somewhere else and it’s not their problem any more. So whilst they “bet the farm” they have already “ridden off into the sunset”…

The way to fix this is to significantly re-work the way execs are paid. A nominal salary and long-term share options might reduce their risk based thinking significantly.

phred14 November 10, 2011 9:54 AM

Pick-your-definition APT

When I first read this topic, prior to reading the comments, I saw APT and was thinking, “stalker,” as in that recent case where some weirdo undertook a years-long pattern of harassment against multiple (though still a small-ish) number of targets. I hadn’t considered applying APT as a subset of more conventional threats.

But it does impart another thought… “Plan for failure.” For the non-APT you very well may be able to achieve the never-fail goal, with good tools, procedures, and especially philosophy. That’s because the fail surface also has a temporal dimension to it – vulnerabilities will (hopefully) be temporary, soon being patched. Also hopefully defense-in-depth means that you’d need aligned vulnerabilities before a compromise was possible. The temporal dimension works for you, because it’s not clear that you’re under continuous attack, and a hole may exist briefly, but no one was probing when it did.

With an APT you must assume continuous attack, you must assume learning from those attacks, and one piece of learning will be about your patching process. Either your security processes are perfect, or someday an APT is going to get in. Plan for failure, and how to minimize/mitigate its effects.

arbitrage pricing theory November 10, 2011 10:44 AM

@Peter Cap

Correct!

Now it’s the buzzword of the moment and vendors won’t stop using it on me.

So, Bruce: Please turn around again and don’t let it take a few years! And if BT sends me a message about a new Anti-APT offering to be introduced at a new “APT Summit” conference, followed by a “Who’s Afraid of the Big, Bad APT Webinar” then I will have to explain to my boss the quiet sobbing sound coming from my little piece of Cubicle Nation!

Brandioch Conner November 10, 2011 10:47 AM

@Jack
“Mark, I think you’re right, but I’d also argue that there is a term for that: targeted attack.”

@Bruce
“Security against this sort of attacker is relative; as long as you’re more secure than almost everyone else, the attackers will go after other people, not you.”

I disagree. The only difference will be whether or not you’re vulnerable to whatever exploit(s) the cracker is using at that time.

The exact same exploit(s) can be used in the “targeted attack” as in your example of widespread collecting of credit card numbers.

And the exact same security precautions will stop both the targeted attack and the widespread attacks.

So the only difference is focus.

So why differentiate based on focus if the attacks and the defenses aren’t any different?

Nick P November 10, 2011 10:53 AM

@ RobertT

“An advanced attacker will always try the simple attack vectors (even script kiddy attacks) before resorting to more esoteric network entry methods. If nothing else this helps hide the identity and focus/seriousness of the attacker. So APT in my mind is about the focus of the attacker rather than how advanced the attack vectors are.”

It’s a fair point. Stuxnet was truly an advanced attack. It required considerable resources, time, knowledge, and even espionage. I would also consider advanced the trojan that MITMed a certain bank’s site & showed fake data to the user indicating the proper transaction happened. At the time, the Storm worm also showed great ingenuity.

The problem is that many of these APTs don’t. They’re merely targeted attacks that use common strategies like spearphishing & COTS malware kits. Most of the time, the reason they were persistent was inadequate investment in IT security, particularly auditing/monitoring. So, the attackers might be advanced & might not. All we know for sure is that most of these “APT” events occur in companies whose security practices are mediocre at best. I’d also call the RSA attackers advanced in your sense of the word: they did an exceptional number of attacks on tons of companies.

stopthearguing November 10, 2011 1:27 PM

Let’s all stop arguing about what the ‘trade rags’ say. Let’s stop yelling that you SHOULDN’T invest in technologies. It’s not product vendors’ faults that you purchased something. It’s yours if you didn’t strategically think about HOW the purchase fits in your organization. You are free to buy whatever you want. You are free to hire the talent you want and you are free to defend against what you think is important. None of this industry infighting and chest pounding changes any of this.

Purchase what you want…buy what you want. Make wise decisions. Ask questions. Stop freaking blaming vendors. If the solution is right and you have the wherewithal to manage the process, and it helps mature your posture against what you’re trying to protect, that’s a good thing. If it doesn’t, that’s a bad thing. It’s still your decision. Vendors have nothing to do with it.

If you are managing a program you better be qualified to understand the relative and PROBABLE threats to your business. There are businesses that do not possess assets which have a high probability of ‘targeted’ attacks. There are business and organizations that DO possess and manage assets which are constantly exposed to highly ‘targeted’ attacks. There are businesses of all shapes and sizes that have to manage against accidents, errors and omissions. These are opportunistic, not targeted.

If you work in a vertical that has a wide ranging impact if you experience an exploit of confidential data or a denial of highly available critical systems…and your assets are incredibly high value…you BETTER be looking for technologies, process and people that are relatively worth the expense given the impact or value of your assets. Period. If you rely on these ridiculous statements of “don’t listen to vendors or service providers and their magic bullet theories” or “APT is made up” or 100 other statements that are constantly floating around Twitter, blogs and other bickering security ‘experts’ then

All of this is relative. APT is real…for SOME industries, not all. Knowing the difference and dedicating adequate resources for the relative level of threat and potential consequence is YOUR responsibility. Not the media. Not vendors. Not security VARs. Not bloggers. Not pundits. YOURS.

Think for yourself. And if you’re a professional taking to social media to hate the ‘buzzword du jour’ just because…with no critical thinking skills behind your negativity…then you’re a fool.

Justin Dugger November 10, 2011 3:02 PM

Having reflected on it, I think the term highlights the real problem with the APT term: we don’t have a corresponding term for people who go after Targets of Opportunity. You call them “conventional”, but I’m not sure it’s true.

And on even more reflection, a sufficiently Advanced Persistent Threat will attempt to masquerade as the hacker of opportunity.

Gweihir November 10, 2011 3:08 PM

Hi Bruce,
I agree. Although the keyword is “persistent”, not “advanced”. These people may be a bit better than others, but they are not that good. Unfortunately persistence is quite enough for a lot of targets.

Nick P November 10, 2011 5:24 PM

@ Thierry Zoller

I actually like your pyramids in that they illustrate well the current levels of sophistication, attacker types, etc. we’re seeing. Only one critique: I think industrial espionage should be in targeted. It’s hard to say how much goes in each territory, but there’s plenty of commercial espionage that isn’t state sponsored. There are also numerous known corporate spies, although they use the term “competitive intelligence.”

Brandioch Conner November 10, 2011 5:27 PM

@Justin Dugger
“… we don’t have a corresponding term for people who go after Targets of Opportunity.”

I think the term is “script kiddies”. That is, if they don’t write their own code.

If they write their own code, they’re probably “professional criminals”.

“And on even more reflection, a sufficiently Advanced Persistent Threat will attempt to masquerade as the hacker of opportunity.”

Probably not. A sufficiently advanced attack would not appear to be an attack at all.

Nick P November 10, 2011 6:27 PM

@ Justin Dugger & Brandioch

Traditionally, we just called them hackers. We only differentiated with a specific term if they were very skilled (leet) or unskilled (noobs or s kiddies). We reserved the word professional for people who made a living off it. The media and movies have continuously made it difficult to standardize the lingo.

Brandioch Conner November 10, 2011 6:45 PM

@Nick P
“The media and movies have continuously made it difficult to standardize the lingo.”

I think that this industry is also to blame. Such as right now with the discussion of “APT” which seems (to me) to be nothing more than marketing.

Although, as others have mentioned, it can also be used as a synonym for “Chinese”. Which also sounds like marketing to me.

And that’s the core of this problem for me. It isn’t about identifying the real threat and how to deal with it. It’s about marketing a new line of products and services. Your old firewall isn’t enough to stop APT. You need an upgrade.

Nick P November 10, 2011 6:56 PM

@ Brandioch Conner

“And that’s the core of this problem for me. It isn’t about identifying the real threat and how to deal with it. It’s about marketing a new line of products and services. Your old firewall isn’t enough to stop APT. You need an upgrade.”

That seems to be the majority. The other group is the government trying to use it to push their “cyber” agenda & for control of computers.

Stephen Taylor November 10, 2011 8:53 PM

APT is a new acronym for me. The advanced (A) part of the term ruins it for me because I would not have chosen that word for the concept that is implied (highly capable). The discussion seems suited to a new way of thinking about threats which is not true in this case. I have been aware of nation-state threats as persistent and highly capable for over a decade.

Paul November 10, 2011 9:10 PM

I think that is a pretty solid distinction. It is a buzzword that has been gaining traction but it is a specific type of threat/attacker.

Granted some of the other comments have good points but it really is a specific term for a specific type of attack. It is not a shotgun approach. The other side wants in on you. Not 100000 other hosts as well.

bobby November 10, 2011 9:42 PM

The only two issues with APT are the understanding of advanced and threat. Keep it simple. A threat is just that. It may be big, or small, not advanced. Unless you mitigate or remove the threat if possible, it will persist, or should I say exist, period. Most threats are here to stay; it’s just your resilience that counts, i.e. APT: Advanced Preventive Tactics.

RobertT November 11, 2011 2:10 AM

@NickP
“Stuxnet was truly an advanced attack. It required considerable resources, time, knowledge, and even espionage. ”

Agreed. My point was that Stuxnet was so specifically tailored to infect a known network. There is nothing accidental about the code, or the infection. The fact that USB sticks were the main infection vector is irrelevant. The effort shows that they would have found another vector had this not worked.

The point of using all the Zero-days was not entry but rather prolonging the time from entry till discovery. In many ways Stuxnet was discovered because it was too aggressive and infected PCs outside the target institutions. Many believe that the original Stuxnet version was not aggressive enough, so they changed the code to expand the spread of the virus, which is when they got caught! Possibly intentionally caught…

To be honest I’m not even sure if I should believe that Stuxnet / USB was the network entry / control vector. Maybe it is just the dummy infection that you’re allowed to “discover” whenever you start to get too close to the real control vector. Personally I’d bet on a social engineering vector or compromised employees as the real root cause. In that sense Stuxnet gave everyone at the target institution a technical scapegoat, so fewer heads rolled.

My point in the previous post was that there are plenty of possible vectors for airgap jumping viruses, so if your information is valuable then you need to expect attacks like Stuxnet.

Clive Robinson November 11, 2011 3:32 AM

A thought for those with APT name difficulties.

English is a funny language, with a degree of slackness not found in others.

The word “advanced” in APT can thus have two meanings.

To see this think of two expressions,

1, Advanced tickets
2, Advanced skills

Now the first implies tickets bought “ahead of time” the second implies superior skills.

But what of,

3, Advanced participation

It could have either or both meanings, just like “advanced persistent” it could mean an attack that is well prepared for in advance, or one using advanced skills or both.

But likewise “persistent” is another term with two meanings, one relating to the behaviour of the attacker (i.e. they keep trying) or to the attack in that it is persistent (i.e. it remains hidden for a long time).

The naming is just another reason why I hate the term, because it’s nearly meaningless as the scope is so broad.

And ever since George Orwell came up with the idea of “double speak” that we now call “Spin” I associate all such things with an attempt to deceive on the part of the person using the expression.

And lo and behold that appears to be just what it’s used for. Sales people use it to flog new kit. The War Hawk “APT Mob” use it to single out China (and ignore the British, French, Russians, Israelis et al who are all at it rather better than China). Oh and then we have the likes of RSA etc whose executives have taken a stupid risk, and been caught out, use it as some kind of “Magic Shield” to divert attention away from their culpability. And then there is the press with their nasty little twisty ways and weasel words distorting meaning to whatever line their editors and proprietors are currently pushing.

However as we know with the word “Hackers” / “Crackers” debate there is little point fighting the stupidity.

Clive Robinson November 11, 2011 4:10 AM

@ Robert T, Nick P,

“My point in the previous post was that there are plenty of possible vectors for airgap jumping viruses, so if your information is valuable then you need to expect attacks like Stuxnet.”

And thereby hangs a couple of problems aside from the numerous vectors few seem aware of.

The first problem is nearly all our defences are “reactive to known threats” and thus are nearly useless to “unknown threats”. Worse, many are unreactive to “known threats” that are less than a year old…

Secondly nearly everybody cannot give a real value to the information we hold, thus we don’t have a clue as to how many resources we should devote to protecting or in which form.

Much of the second problem is due to poor hazard perception; as indicated further up this blog page a company phone book is usually regarded as effectively “public”, but having a succession of them not only tells you who the company “hot shots” are but also potentially the strategic direction of the company.

We have seen another classic example with the firm that had very confidential reports where access to the actual reports was strictly audited. But… the search mechanism for the titles and authors was not. Thus it was (allegedly) possible for an individual to use the titles and authors to perform insider trading. With 20/20 hindsight it was an obvious mistake, but honestly how many people possess the sort of squirrely mind to have the foresight…

Thus it would appear that everything should be “locked down” and “strictly audited” and the systems should be strictly isolated etc etc. As the Three Letter Agencies and military supposedly had at some point prior to Private Manning.

But the flip side of this is, as we know, such systems become progressively more and more unusable. Often being less useful than a paper report buried at the bottom of a box in Iron Mountain or some other distant repository, effectively being one step up from the re-cycling heap.

It is a problem which has another aspect, as has been seen when certain technology companies have locked down their systems: they will have a mysterious break in resulting in the information loss anyway, with potentially the loss of life or harm for any individual in the way at the time of the break in.

Yes there are ways to make this sort of information difficult to steal, but as was seen with Stuxnet and the code signing certificates you have to know the value not just of the information, not just of the keys by which it is locked, but also the value of the systems managing and generating the keys.

Thus it becomes clear that hierarchical technical systems will become circumvented by those with sufficient resources, as they will target the very top if required.

Thus another aspect to consider is having non hierarchical security systems whereby the strength of the system is obtained via many almost minor points, not just a single point that becomes weak under the appropriate stress.

We have one or two systems (M:N key shares, distributed striped file systems etc) but by no means sufficient to evaluate an overall system.

RobertT November 11, 2011 8:03 AM

@CliveR

“The first problem is nearly all our defences are “reactive to known threats” and thus are nearly useless to “unknown threats”.”

The problem is even worse than you state because not only can the attack vector be unknown, but the very possibility of this vector existing can be unknowable.

As an example:
today it is very common to combine multiple functions onto a single chip (in phones, GPS, BT, WiFi and FM are often combined on the one combo-chip). The customer might only want a GPS chip BUT the IC maker sells him a combo chip with the other functions disabled at powerup. The functions are often completely usable but the GPS maker does not even know he has this functionality. He then, in turn, sells it into some Gov’t system and claims there is no possibility to exchange information. Unfortunately he is wrong and with the right firmware change the chip will happily enable BT. Sometimes the default PCB layout will even have a printed dipole antenna, so if you enable the function, you’ll have a full bi-directional multihop mesh RF comms link, that no one even suspects exists…

Believe me, these days selling chips with functionality disabled is very common, because the costs of doing a separate chip are just too high. Even simple functions like an ADC (Analog to Digital Converter) might be sold as just an ADC but in reality it might be the AFE section of a cell-phone with everything except the ADC disabled.
You see a standalone 100 MHz 12-bit ADC might sell for $5 but the whole cellphone chip sells for $2.

Welcome to systems, software, firmware all on one chip, where VERY few people actually know what’s inside.

Jeff Morrissey November 11, 2011 8:26 AM

I think a great example of an APT is the recent rash of celebrity GMail account hacks using the password reset function. In this Facebook age, it’s probably a good idea to choose your security questions wisely. If it involves your parents’ names, your schools, your pets or anything else that’s easy to blab about, then they probably aren’t a good idea.

echowit November 11, 2011 9:40 AM

Wow! Am I old!

First time I saw APT I thought of “Automatic Programmed Tool”, the siren that lured me into computers in the 1st place.

Still miss the single statement: “If (x, – this, 0 that , + something else)” functionality.

Sorry for the side bar.

Martin W November 11, 2011 10:43 AM

My most “cringeworthy” observation of the term APT is when some exec at a security service provider or large government supplier pulls out the APT card to “explain” why they were subverted (and why they should NOT be fired). What they fail to mention is the actual attacks were not in fact that advanced (often using well documented and avoidable exploits) since they were targeting an organization with a failed security readiness, neither were they persistent since the attackers actually got in pretty much at the first attempt. The only threat here is that the same folks that were the root cause of the weak security state are still in charge of it.

Maggie T November 11, 2011 8:33 PM

Bruce, it is good to see that your attendance at the AISA conference in Australia this week has helped you see the light on this point.

Maggie T November 11, 2011 10:33 PM

What is an attack? In cyber space it is an activity designed to destroy, deny, degrade, disrupt or manipulate the target information or system. It will be apparent to the owners of the info or system. It is plain old sabotage.

Most of the malicious activities we see on the Internet are not attacks. It is exploitation or intrusion, or more simply, just plain old theft or espionage.

Brandioch Conner November 12, 2011 1:03 PM

@Martin W
“The only threat here is that the same folks that were the root cause of the weak security state are still in charge of it.”

Did the crackers get in because you configured the firewall wrong?
– You need the APT upgrade to your firewall!

Did the crackers get in because you didn’t have anti-virus on your systems?
– You need the APT upgrade to the anti-virus package!

Did the crackers get in because you didn’t patch the systems?
– You need the APT patch reporting package!

Did the crackers get in because … ?
– You need the APT … upgrade/package!

Our APT systems are 100% guaranteed to shift the blame from you to your previous products and vendors. All for the low, low price of whatever you’re paying today plus a mark up.

Remember, if you got “hacked” it was an APT! There was nothing you could have done to prevent it or mitigate it. Our marketing team is willing to stand behind you with marketing brochures and “studies” showing how it won’t happen again once you purchase our products and services.

Nick P November 12, 2011 5:25 PM

@ Brandioch

You got them figured out so well I’d almost think you worked for their sales team. 😉

+1

Clive Robinson November 13, 2011 5:05 AM

There has been a presentation by F-Secure CEO Mikko Hypponen at PacSec 2011 in Tokyo that basically indicates that, contrary to that which is claimed by the “China APT mob” war hawks, many other nations are probably using China as a cover for their own activities.

Further that a temporary solution might be to expunge Adobe Reader from all your systems and replace it with a faster less bloated open source or equivalent PDF reader that is free to use.

I’ve put the link and some thoughts on both issues over on the friday squid page,

http://www.schneier.com/blog/archives/2011/11/friday_squid_bl_299.html#c624376

rather than repeat them here.

Mina S November 14, 2011 10:11 AM

I realize that the profit motive is in fraud-enabling corporate data but there is also considerable personal risk in the locational information of vulnerable persons who are hiding from a personal stalker (like victims of domestic violence).

A personal stalker is the sort of attacker who is not after corporate data as much as personal locational data of the individual target.

And the logical place to get locational information on an individual is from companies that provide the “necessaries of life” with whom the victim has no choice but to do business (like governments, banks, and utility companies). They acquire that information in the ordinary course of business and if they fail to adequately secure against an APT an innocent life could be lost.

Nick P November 14, 2011 12:43 PM

@ Andrew

“I guess being sexist in the IT sector is allowed.”

In science, using terms based on their probable occurrence is allowed. Most of these hackers are men.

Ron LaPedis November 14, 2011 3:22 PM

To me, the easiest way to describe APT versus other hacking activity is through an analogy to the physical world. If a drug addict just wants money, he or she will break in to the least-protected house on the block. The one with the obvious alarm system will be safe – just as Bruce says.

If, on the other hand, the criminal is on a specific mission to steal a specific item, say a newly-developed drug that is the only thing that will save his or her child’s life, the target can only be the location where the drug is stored. Since it is a matter of life or death, any resource necessary will be brought to bear to achieve the goal.

And to the point of trying to defend a single, known target, imagine castle warfare. The defenders need to protect every possible entry point at all times, even ones that they might not know exist, with limited resources. The attacker, on the other hand, has all the time in the world to analyze the situation to determine and attack the weakest point with as much force as possible.

Terrorists take the same route. Look at how much Al-Qaeda spends versus the annual budget of the TSA.

Ron LaPedis, CISSP-ISSAP, ISSMP, MBCI, MBCP

HtmlFail November 14, 2011 9:03 PM

Two very interesting (vendor neutral) research papers on this topic are available at:

http://www.commandfive.com/research.html

One discusses the definition of APT in context of the global cyber threat environment – showing by way of specific examples an increase in activity over the past decade. The increasing activity correlates, at least in my opinion, with the term moving into common use as a way to define a class of threats rather than a specific threat actor.

The second paper looks in detail at the SK Communications hack (mentioned in an earlier comment). This intrusion was executed by first targeting a trusted third party and building on that access to obtain the personal details of over 35 million Nate/CyWorld users. The attack is especially interesting because of the indirect targeting and the exploitation of a software update server, turning the standard security practice of patching into a vulnerability.

In combination these documents make an important point. Many security experts will dismiss the class of threats described by the term APT based on a lack of documented persistence and a perceived lack of complexity in their attacks, often citing well publicised and simplistic spear-phishing campaigns as an example. The papers demonstrate that this class of attacker has the ability to upgrade their sophistication as required to obtain their objective. The ability to selectively deploy capabilities in this way (i.e. based on the strength of one’s opponent) is critical to winning the long game and in my opinion makes APTs even more worrying.

Ash November 15, 2011 4:15 AM

APT, APT, APT… Honestly, did it take this long to accept a term that actually says nothing about technology but more about the need to succeed? Let's open the debate and discuss real-world examples of APTs, things such as AETs (Advanced Evasion Techniques); these are things we can protect against, rather than discussing APTs, which is really just a need, want and ideology of an individual or group. But AETs are just one example of APTs, as are DDoS attacks.

Brandioch Conner November 15, 2011 10:34 AM

Or, to put it a different way, no one ever successfully defends against an “APT” attack.

It is only after systems are compromised that the successful attack is referred to as an “APT”.

If you successfully defend your systems against a 0-day worm attack by following basic computer security practices, then it was not an “APT” attack.

If you fail to defend your systems against a known exploit that has had a patch released for over a year that was not correctly applied to your systems (which also had no other means of defense) then it was an “APT” attack. And, as such, not your fault.

That is why the term “APT” is useless except for marketing your products and services.

Dirk Praet November 16, 2011 6:58 AM

Late to the party.

I believe it would be useful to differentiate between a specific class of attacks, and the way certain marketeers, product managers and fearmongers are trying to use it for financial and political gain.

Ultimately, the same is true for most IT and other buzzwords. I had a great laugh a while ago overhearing a cloud discussion between a marketeer and some devops guy. To the layman, it appeared they were talking about two entirely different things.

Mike Wenstrom November 16, 2011 10:11 AM

Bruce, it’s good you weighed in on the APT concept. While @Peter Cap offers insight into why the term APT first came into use, the security industry used the term to indicate a “Threat” or attack class rather than a specific single attack. Experienced people like Peter Cap should help guide the security community into more specific and accurate definitions of APT, and not claim the term cannot be used unless you are of his anointed security class. APT as a term is here to stay. APT as an attack class/concept should over time become more specific, with examples of specific attacks that fit the class. The fuzzy term “threat” in APT was useful when the attacks were unknown and unknowable (outside of classified circles) but is less useful now, and should come to mean “Attack(s)” as more is learned of what is and is not an APT. What will help ease the APT FUD is multiple examples of attacks that fit the APT attack class characteristics. Then security vendors can offer specific solutions to APTs.

Ev1l Wrangler November 18, 2011 3:09 PM

Hi Bruce,

I’m the CTO of a Fortune 100 company, with a budget of hundreds of thousands of dollars for equipment and a staff of very smart people doing ‘security’ around the clock. Yet no one can tell me why, with all our gear, policies, compliance, and people – it took Google to find Aurora (and even Google first thought they were just compromising a couple of gmail accounts).

How come, with all our firewalls, IPS, logging, etc. nobody spotted them stealing our competitive advantage?

=;^)

Michael Bacon November 20, 2011 4:29 AM

I have referred to these as “Persistently Intrusive Threat Actors” for about 10 years. My acronym – PITA – seems more apt [no pun intended].

Randall November 20, 2011 11:56 PM

Sure, the sort of attack Bruce describes happens and that APT was coined to describe it.

But folks are seizing, validly, on two things: 1) the APT acronym doesn’t really say “targeted, skilled, high-resource attack carried out over time.” It gestures towards “skilled” and “over time,” but the “targeted” and “high-resource” parts are equally important — in fact, it’s precisely because the attacker targets a lot of effort at your system that you can’t get away with just being better secured than the next guy.

2) the term’s way too broadly applied. Maybe that’s easier to get away with because the words are so subjective (what exactly counts as “advanced”?). And because “advanced persistent threat” leaves out critical detail; see point 1. 🙂

I guess we can’t really pick which terms the industry will use, but there’re good reasons for people’s unease.

Jimmie Walker November 26, 2011 10:21 PM

As an aspiring cyber expert pursuing a Masters in Cyber Security from the University of Maryland University College (UMUC), I can relate to your APT post. A company under attack by an APT can’t rely on good-enough security. An APT attacker can be relentless in finding holes, especially in off-the-shelf security solutions. That’s why it’s important for companies to have security staff that can think outside the box when securing corporate IT and data assets.

Jim
