Faustus January 3, 2019 10:06 AM

Could Ms. Gaperon be another “expert” who doesn’t know how to code?

She claims that Advanced Persistent Threats are nation state actors.

I’ve always understood them to be stealthy rootkit based malware that is designed to compromise a target and remain there for a long time by being hard to find and resistant to cleaning efforts.

She says they are people, I say they are technology. A baseball is not a baseball player.

QnJ1Y2U January 3, 2019 11:46 AM

Eva Galperin, not Gaperon.

O’Reilly has a book out listing experts in this field:

Profiled in that book: Bruce Schneier. Also profiled in that book: Eva Galperin.

So yes, she is an expert.

I’m going to suggest that you take your sexist scare quotes and go argue about definitions somewhere else. You should start at Wikipedia, since they don’t share your take on what an APT is.

Humdee January 3, 2019 1:44 PM

I’ve mentioned and linked to @evacide on this blog before. I like her. IMO she is one of the few cybersecurity experts who gets the intersection between theory and practice. Too much cybersecurity gets bogged down in chasing cool and interesting but unlikely threats, debating abstract policy, or goes down the rabbit hole into complicated math that only a few thousand people on the planet can understand. Eva understands that cybersecurity is oten “the best we can do right now” and that most people don’t have the NSA in their threat models.

Clive Robinson January 3, 2019 2:59 PM

@ Faustus,

She claims that Advanced Persistent Threats are nation state actors.

As with many other definitions things change with time and perspective. You only have to look at “hacker” to see that.

The current “journalism view” incorrect as it is to “technologists” is APT is the SigInt agencies or their “arms length contractors” who give “plausable deniability”.

Incorrect though this very limited view is historically and practically that’s what the MSM and some “techno journos” think it means.

With regards,

I’ve always understood them to be stealthy rootkit based malware that is designed to compromise a target and remain there for a long time by being hard to find and resistant to cleaning efforts.

That is a technical view point and is a muddle up of different things.

APT is any “long term use malware that is covert in operation”. It does not have to be either hard to find or hard to remove. The key differentiator is “long term use” at the time the phrase was coined it was to do with Chinese malware which was being used to gather information over months and years but not for direct monetary gain which ment it was generally covert. This distinguished it from criminal attacks where the monetary value of the data tended to be inversly related to time, which encorraged “smash and grab” type tactics that tended not to be covert in any way.

They APT Malware does not have to be a rootkit at all, in fact the world has kind of moved on from them in terms of being covert. OS Rootkits are relatively easy to find these days and signed code loaders mean that there are otherways that are easier for most attackers. For instance any hardware that can get at memory after the code is loaded can do it’s stuff in relative safety. There are mechanisms from decades back where driver code can be loaded before the OS Bootloader that enable it to be persistant without it needing to be signed that can then pull in malware that can be loaded without the OS load mechanism seeing it. If you want a tipping point for this happened it was shortly after BadBIOS which made the idea of simple persistant device driver loading from a computers Flash ROM well known, which Lenovo was later caught using to do persistant malware on it’s consumer grade laptops.

Persistence of APT Malware again is not a requirment and is caused by a misunderstanding of how an APT payload is deployed. An attacker in general first gets a toe hold of some kind and then secondly builds in other openings like a RAT. Once the RAT is in place they use it to turn the toe hold into something much more solid that will get them in at a later date should the toe hold get patched or the RAT discovered. Sophisticated attackers will dive in at a very low level such that replacing the hard drive or other I/O cards will not effect it. We know this from the behaviour of “Tweedle dee and Tweedle dum” who came down on a shoping trip to London from GCHQ Cheltenham and then on to the Guardian Newspaper Offices half a decade ago over the Ed Snowden document trove. Have a look at what was done to the motherboards in the laptops concerned you can learn a fair amount from the photos the Guardian published. Only once re-access has been assured will the actual APT Malware be downloaded. Because re-access has been asured the actuall APT Malware can be made without having the requirment to be either hard to remove or hard to find. In fact sufficiently sophisticated attackers will use other peoples APT Malware that has already been found and attributed to some other entity (we know this from US IC “false flag” code that turned up one day 😉

But realy sophisticated APT Operators will be even sneakear and it’s something people realy need to get their heads around. For years now the general security principle most frequently employed has been that of “perimiter defence”. That is FireWalls and AV software checking on inbound data.

There are two basic methods of APT attack, inside the perimeter which is observable by the target and the first point upstream of the target which generally can not be observed. For various reasons the Five-Eyes are “assumed” to do the latter and others the former. What is more likely is a mixture of both.

When you are inside a targets perimiter attacks are generally easier for various reasons. That is organisations tend not to lock down user devices as hard as they should because this tends to get in the way of productivity also patching etc tends to take time on some users devices, if at all…

Thus a sophisticated attacker will make their deep down persistence only on one or two machines which they will not put the APT Malware payload on. They will then sparingly put the APT Malware on the machines of interest. This way they reduce the likely hood not only of the APT Malware being detected they can lay down false tracks as to how it got on those machines. It also reduces the chance that their deep re-access malware will be detected.

The definition of APT is going to change again in the near future because of “Contractors”. Intelligence Organisations are neither omnipresent or omnipotent. As many know the normal operation is “case officers” in the IntOrg handle “spys” in the target nations organisations. Less well known is that “black bag jobs” are often carried out by Contractors who have specialist skills that the IntOrg lacks, this is things like getting around sophisticated alarm systems and accessing secured areas and containers (vaults and safes etc). This has advantages in that the contractor probably neither knows or cares who has actually engaged them, and likewise care not to know why they are engaged to do what they are doing. This gives both sides deniability.

Well in the modern world “every one is suspect of something” is the prevailing Political, IC and LEO view. What makes life easy for those with appropriate skills is much of the world uses mobile communications, especially second and third world countries where it might be the only communications option for ordinary people.

However such countries generally do not have people with the skills required working in their Political, IC or LEO organisations, in part due to “authoritarian follower” issues in guard labour, also in part because they would not trust such people any way.

Russia, China and even the US are known to have originally used “criminals” to do such work for a number of reasons. However larger countries with sufficient excess resources and education systems are now bringing things in house even though the skill levels are known to be lower in most cases.

This option is not generally available to second and third world nations. But such nations can usually find several million dollars to by tools, but not the skills to operate them.

This means there is a buyers market out there, which means there will be suppliers building a market to accept money in return for the skills in some form or another.

Which means we will see “contractors” appearing in greater numbers to forfill the market.

But the one thing about such a market is it will grow out of “government” espionage circles, into corporate espionage circles and down to your high end “gum shoe” operators given a little time.

Thus the usage definition of APT will change again in the minds of journalists thus others outside what will be the “profession”…

Faustus January 3, 2019 4:05 PM

@ QnJ1Y2U

My understanding came from reading Hoglunds “Rootkits”. It is an older book and usage seems to have shifted. In other words Ms. Galperin was right and I was wrong. My apologies.

I asked myself before posting if I would be posting if the speaker were a man. And I said yes. Just yesterday I was questioning George Dyson’s credentials on last Friday’s squid post.

I had earlier sat and talked with somebody about quantum healing and such and I was feeling bad for people who get misled by popularization although I didn’t say anything to this person because the quantum idea had become powerful for her beyond its literal correctness.

If I don’t question a women the way I would a man isn’t that actually disrespecting her ability to stand up for herself? I have known great women technologists, including my sister, and I think they are capable of the rough and tumble. They don’t want to be in a kid glove ghetto I’d expect.

Why should I go somewhere else? We argue about definitions all the time here. I will repeat: IN THIS CASE YOU AND MS. GALPERIN WERE RIGHT AND I WAS WRONG. I learned something. That is a success in my book.

@ Humdee and Clive

Thank you for your helpful contributions

Faustus January 3, 2019 4:28 PM

@ Humdee

“most people don’t have the NSA in their threat models”

That is an important thing to keep in mind. Reading this blog can make one despair, what I called “security nihilism”, since it is basically impossible for us to defend against the wide range of possible attacks. The saving grace is that a mere mortal like myself will probably not be subjected to most of these attacks because the loot would not justify the effort. The most powerful attacks are saved for really important targets.

Weather January 3, 2019 4:37 PM

Based on metaphysics, you replied she can’t program….
They other one ,it isn’t sexism, stop playing the victim card.
You two are probably both the same, the Ooda loop is one step ahead not three

Faustus January 3, 2019 4:58 PM

@ Weather

What do you mean?

I questioned Ms. Galperin based on her definition of a term, and I turned out to be behind the times. AND WRONG. (Why does nobody ever admit that they are wrong?) What does that have to do with metaphysics?

In what sense are I and my interlocutor the same? Now you are being metaphysical!

If you want to use buzz word de jour “Ooda” please put some context around it so I can attempt to understand you.

Faustus January 3, 2019 5:12 PM

@ QnJ1Y2U

You know, I don’t think you were playing the victim card per @ Weather. Thinking about it, I was being a belligerent grump towards both Galperin and Dyson. I deserved to be called on it. Thank you. I believe I will be more careful in the future.

Alex B January 3, 2019 5:39 PM


Sounds like you’re playing the victim card on Galperin’s behalf….

A sad attempt to be divisive for no reason whatsoever.

Weather January 3, 2019 6:12 PM

Alex B
No I don’t, as I assumed they were one and the same,

Your replied about Ai ,I thought you were doing some more research.

Faustus January 3, 2019 6:21 PM

@ Weather

Now I get it! Interesting observation! Your explanation totally clarifies.

I think neither I nor QnJ1Y2U are AIs, but I am more sure about myself. I don’t know them. I don’t recognize the handle QnJ1Y2U.

But read on…

@ Wael

Are you lurking? We have another social policy alternative, making it 5:

Predator/Prey Alternatives
– Coerce
– Kill
– Imprison

Non Predator/Prey Alternatives
– Forgive
– Apologize/Retreat – Our new entry. I think apologize is equivalent to retreat, no?

AJWM January 4, 2019 12:58 PM

@Faustos She says they are people, I say they are technology.

Technology doesn’t create or deploy itself. We’re not that far along with AI yet.

JohnnyS January 4, 2019 2:08 PM

@Clive Robinson

Thanks for the very thoughtful and informative post. Just one minor quibble:

When you say “This means there is a buyers market out there, which means there will be suppliers building a market to accept money in return for the skills in some form or another.”

I think you mean there’s a “sellers’ market”, since the buyers are many and ready to buy but the sellers are few and hard to engage. A “buyers’ market” would be a market where the buyers were rare but sellers are many, and the goods are plentiful and cheap.

Steve January 4, 2019 3:29 PM

@Bruce – Eva’s name is misspelled. Someone else pointed out as well, but wanted to increase the odds that this may catch your eye. Eva Galperin

Wael January 4, 2019 9:37 PM


Are you lurking? We have another social policy alternative, making it 5:

Always. But I need a break from active participation, too, once in a while. We’ll continue the discussion later.

bttb January 6, 2019 11:49 AM

Thanks for mentioning @evacide
Some misc. recent links from include:

The Dating Brokers: An Autopsy of Online Love

via @marasawr, The very best Russian journalism in 2018 (

Our Cellphones Aren’t Safe
Security flaws threaten our privacy and bank accounts. So why aren’t we fixing them?

On Ghost Users and Messaging Backdoors

Jim Lippard January 7, 2019 11:17 AM

Personally, I don’t think I came across “APT” until it was popularized by Mandiant (possibly prior to its APT-1 report in 2013).

This 2010 blog post by Richard Bejtlich (former Mandiant CSO/FireEye Chief Security Strategist) emphasized that “APT” refers to the adversary, not the malware used by the adversary:

I seem to recall that using APT to refer to malware, at least in marketing presentations, post-dated this usage, but I don’t know what Hoglund wrote in his (2004) book. He had an HBGary presentation ( in which he said the APT is the threat actor, but also used “APT-attacker” and “APT-malware” for clarity.

Kudos to Faustus for his correction.

Rach El January 7, 2019 1:23 PM


with your AI project you don’t sound like a ‘mere mortal’, in so far as you are not ‘interesting’. Your IP is clearly valuable and worth protecting
NSA has been revealed to be quite interested in advancing foreign policy with its skill set via leveraging economic advantage, exclusively, on occasion

gordo January 7, 2019 5:13 PM


The usage of ‘Advanced Persistent Threats’ has evolved, insofar as a given APT’s Tactics, Techniques and Procedures (TTPs) are used as cover in false-flag operations.

Anyway, some more blasts from the pasts:

The Cyber Cold War

Previously, I have written that I felt that the APT was nothing new. In fact, I still stand by this statement. Now that this report is out, and some of the facts are dribbling out about the thirty odd companies that were targeted by *cough* China, APT and BOOGA BOOGA BOOGA are on everyone’s lips and minds in the security theater.

And such theater it is!

Advanced Persistent Threat (APT)

It’s taken me a few years, but I’ve come around to this buzzword. It highlights an important characteristic of a particular sort of Internet attacker.

Clive Robinson January 7, 2019 8:43 PM

@ gordo,

I read over the blog thread you link to from back in Nov 2011.

Back then it was clear there was confusion with “actor -v- method” as the meaning for APT.

Thus from my point of view I think I will use “APT attacker(s)” and APT method(s)”… In fact I think hyphenating might be even better to show the coupling.

But also my comment from back then about the ambiguity of “advanced” and “persistent” is still as true today.

Mind you Brandrich Conner, was right about “marketing term” / “excuse” it’s still the same seven years on as is “China APT” for the war-hawks.

I guess some things don’t change, but “APT” sure will as it thrashes back and forth like a grabed hag fish eventually tying it’s self in knots to escape the mess it’s made and left behind.

Faustus January 8, 2019 7:04 AM

@ Rach El

Thank you for the implied compliment!

You are correct to some extent but I am sure criminals and terrorists and armed adversaries are higher on the the NSAs “watch” list than I am. My servers are custom and built from scratch. The NSA would have a hard time infiltrating my supply chain of individual components bought by “cut outs” in individual stores. I sit under VPNs and tall trees of non-routable addresses.

Right now my code would be hard to use well without my guidance. But I have started building up a team. Training them. They could potentially steal my IP, but I am just not that concerned. It would be nice to make some money but I am more excited about bringing jobs to a place with smart people but few opportunities. I am also excited to see my tech adopted, to see what it can do. It is already inspiring me with its alien logic.

Truly, “things are often increased by seeking to diminish them
And diminished by seeking to increase them.”
The maxims that others use in their teaching I too will use in mine.
Show me a man of violence that came to a good end,
And I will take him for my teacher.

– from Tao Te Ching 42 tr. Arthur Waley

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.