The untimely death of the advanced persistent threat?
- By William Jackson
- Apr 06, 2012
Advanced persistent threats were notable by their absence in a recent discussion of new cyberattacks.
Richard Bejtlich, chief security officer of the security firm Mandiant Corp., and RSA’s Amit Yoran, former director of the Homeland Security Department’s National Cyber Security Division, discussed critical new threats during an April 4 session at the FOSE security conference in Washington, and the familiar term “APT” never came up. They talked about innovative attacks designed to circumvent traditional IT security tools and about long-term campaigns against targeted systems. And they concluded that compromise is inevitable for any organization that has been targeted by a focused adversary.
It certainly sounded as if they were talking about advanced persistent threats, but the term seems to have fallen into disfavor with security professionals as an overhyped buzzword.
:FISMA guide updated to reflect APT, mobile threatsAdvanced threats: The enemy is already within
That is a shame, because although it has been overused and misunderstood, it is a useful descriptive term for some of the more sophisticated attacks in today’s threat landscape.
This is not a particularly recent development. In a company blog post
from March 2011, Mandiant described APT as a “loaded term." “Over the last year, many marketing and sales folks have tried to own the threat, promising nonexistent silver bullets, the holy grail and even ponies,” the post reads in part. “All of the hype has created a spectrum that ranges from ignorance to apathy.”
What, exactly, is an advanced persistent threat? Mandiant in its corporate literature describes it as “a sophisticated and organized cyberattack to access and steal information from compromised computers.”
Maybe the closest thing to an “official” definition comes from the National Institute of Standards and Technology, which is updating its FISMA guidelines
on security and privacy controls to include APTs. In its glossary, the term applies not to the attack but to the attacker: “An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).”
These objectives typically include establishing footholds within the IT infrastructure of the targeted organizations in order to steal information, undermine a mission, or to position itself to carry out future exploits, the glossary says.
APT has fallen into disfavor largely because it has become shorthand for a nonexistent type of undetectable super exploit using a zero-day vulnerability to autonomously penetrate the most secret recesses of an enterprise.
In reality it is a descriptive term for a broad effort to compromise a system. One of its most important attributes is the use of multiple vectors cited by NIST. An APT might be sophisticated in its concept, execution or goal, but its parts are likely to be mundane. Attackers will use any workable means to deliver their payload, including the most routine Trojans, viruses or other malware exploiting well-known vulnerabilities. They will use social engineering and phishing. If the mundane does not work, they might up the game with more exotic exploits.
Ultimately, in order to be persistent the threat will have to be sophisticated enough to hide itself after it has been delivered. But once it is inside the target, this is not necessarily a difficult job. Most security resources are outward looking, not inward.
Ultimately, it is the result that identifies the advanced persistent threat. If it has made its way past your defenses to hide in your system, it is an APT. Whatever it is called it should not be despised because you should have known better and been able to stop it.
William Jackson is freelance writer and the author of the CyberEye blog.