Breaking Down the Advanced Persistent Threat

Sometime when I wasn’t paying attention, a bunch of marketing folds must have gotten together to come up with a new, catchy acronym. I imagine the meeting must have gone something like this:

Joe: We’re not selling enough of our <insert product here>. We need a way to really connect with people.

Linda: The problem is branding. Cross-site Request Forgery doesn’t really roll off the tongue too well.

Bill: Hmm… Advanced.. Problem.. Fixer..

Tom: That’s a good start. How about Advanced Persistent.. Software..?

Joe: Wait for it… Advanced Persistent Threat!

All in unison: Awesome! Let’s go for drinks.

OK, so maybe it didn’t go down exactly that way, but it’s fun to imagine.

So, what exactly is an Advanced Persistent Threat, or APT? According to Wikipedia, APT attacks utilize traditional attack vectors such as malware and social engineering, but also extend to advanced attacks such as satellite imaging. It’s a low-and-slow attack, designed to go undetected.  Finally, there is a specific objective behind it, rather than the incoherent activity of some fifteen-year-old hacking away in a basement for brownie points with his buddies.

It’s not just vendors getting in on the game–companies are increasingly blaming their security failures on APT, as if it was far too sophisticated for them to possibly defend against.

There’s no doubt that such attacks exist. Corporate espionage and nation-state attacks are very real and, in some cases, extremely sophisticated. But these attacks are very rare. The truth is that the vast majority of attacks are not very advanced because they don’t need to be. It is extremely difficult to defend against all known attack vectors. The defenders have to get everything right, all of the time. The attackers only have to find one or a few small holes to work their way in. That’s just the current state of information security.

I think we should generally avoid using the term Advanced Persistent Threat. There are two main reasons I feel this way.

  1. It’s highly likely that it’s not an APT at all. Even if you have a great security program with the smartest security people in the world, a company of any appreciable size is going to have hundreds of ways in. You can have everything patched and the front-desk lady will give up her password. You can require two-factor authentication for all remote access until the smart phones come along. You can have great perimeter security until your business partner gets compromised, and you realize that your perimeter really doesn’t begin and end at the firewall. Face it, your company is insecure on its best day.
  2. Using terms such as APT, while sexy, encourage us to gloss over the actual facts. Just as intellectual property is a way of lumping together things like copyright and trademark, APT discussions keep us from focusing on which attacks were actually used and how our defenses failed. There is no APT attack. There are SQL injection attacks. There are social engineering attacks. There are buffer overflows in software. There are default passwords left on systems. There are insecure trust relationships. APT is a dangerous umbrella term.

Even those few who do face what people call APT attacks need to break them down into their core elements in order to understand and defend against them. For the rest of us, let’s go back to discussing how our security design failures could lead to a compromise. And if one should occur, let’s speak to the specifics of the attacks so we can learn our lesson, even if a little humility is in order.

Tagged with:
4 comments on “Breaking Down the Advanced Persistent Threat
  1. Kfox says:

    Actually I’m fairly certain the term originated within the DoD, not marketing folds. Also the “advanced” part of ATP doesn’t necessarily mean advanced methods of attack, but is more related to the advanced methods of selecting, exploiting and then tracking the various compromised hosts and their functions within the target organization. The reason it is “advanced” is because it would take the resources of a large corporation (if not a nation state) in order to perpetrate the scale and spectrum of attacks that are classified as APT’s.

    Finally, if people are categorizing single, one-off attacks as APT’s (as you are implying RSA is), then I agree your point that it is become a dangerous generalization.

  2. Hello Kfox,

    Thanks for stopping by and commenting. And thanks for the clarification of the origin of the term. Governments love acronyms, so that makes a lot of sense. But it is more fun to poke fun at marketing folks. :)

    I hope you would agree that even advanced attacks are still compromised of their fundamental elements, and those haven’t necessarily changed. So the advanced attacks can still be understood in the context of failures in basic security and we can protect against them using the same security engineering principles. It doesn’t take “ATP-aware” software or processes.

    I also don’t think that an attack which is not a single, one-off attack is necessarily ATP, or vice-versa. Even if the attack on RSA was so sophisticated that there was a corporate or government sponsor behind it, that doesn’t change the fact that calling it ATP separates us from truly understanding how it all came together and how the defenses failed.

  3. Kfox says:

    @Michael Starks
    Absolutely agree with you on both points. I was simply trying to help spread understanding of what exactly ATP is and is not, the later of which you summarized quite nicely in your response.

  4. ddpbsd says:

    I agree that we need to be more aware of what is happening on our networks, and how our defenses fail. Whether the perpetrators are APT or not does not affect those points.
    The marketing folk stole the term and corrupted it. Advanced Persistent Threats are people or groups of people, not types of attacks.
    If the people that hacked RSA were really APT, then calling them APT won’t cause any confusion to the people that know what/who APT is.

1 Pings/Trackbacks for "Breaking Down the Advanced Persistent Threat"
  1. […] blogged about the recent breach that they experienced. Shortly after they announced the attack, I also blogged about the tendency to call attacks APTs. I fear that describing an attack as an APT is simply another way of failing to take […]

Leave a Reply

Your email address will not be published. Required fields are marked *