APT: Useful or Buzzword?

Advanced Persistent Threats have been around for some years, and they are not going away

The term Advanced Persistent Threat (APT) is often regarded with some suspicion by security professionals, since it can be a buzzword that obscures actual analysis of the dynamics of cyber attacks, or a diplomatic fiction used because it is not polite to openly accuse the Chinese and Russians of stealing from us. But recently I’ve seen some analysis that points to a real use for the concept.

Matthew J. Schwartz has an interesting column in Information Week where he lays out the pros and cons of the APT concept:

“As long as your business’ security was relatively better than most other businesses’ security, attackers–in their search for credit card numbers or customer data–would opt for the easy target. But with an APT, attackers have already selected your organization for attack, meaning that your information security program needs to be extremely good to stop any related attack attempts from succeeding.”

Is the term overused? Yes, Schwartz points out. But a qualitative difference is emerging between attackers who take the path of least resistance and those who use sophisticated attack techniques to enter the systems of targeted organizations. Moreover, while non-APT attackers use cruder methods to probe for weak points, APTs rely on social engineering and on direct intelligence techniques (or their civilian analogues) to target vulnerable employees and organizational knowledge gaps. However much “APT” is a marketing term, these attackers are indeed more advanced than the average spammer (although the spammer may be just as persistent), and they certainly pose a threat.

This is not to say that APTs are shadowy figures using voodoo spells to trick employees, or plying computer engineers with beautiful women out of a Bond movie. In a previous column on the RSA hack, Schwartz delves into just how simple it can be to “hack the human”:

In the case of the breach of RSA, for example, attackers socially engineered using a relatively unsophisticated technique: they sent an email with the subject line “2011 Recruitment Plan” to two small groups of RSA employees. One of the employees retrieved the email from their junk mailbox and opened the spreadsheet, which was really a piece of malware designed to provide the attacker with a direct connection into RSA’s network. From there, the attacker was able to harvest the user’s credentials and ultimately access sensitive information relating to RSA’s two-factor SecurID system.

There’s no hard-and-fast solution, and to some extent even the most paranoid security policies are not going to deal with three cardinal facts: employees make mistakes, adversaries are intelligent and persistent, and most information systems are constructed with ease of use rather than security in mind. That’s why recognizing the APT also should mean, as Alex Olesker has often said, assuming that breaches will occur and focusing on how to mitigate the consequences.

About AdamElkus

Adam Elkus is an analyst specializing in strategic theory. He is Associate Editor of Red Team Journal, blogs at Rethinking Security, Fear, Honor, and Interest, and the Huffington Post. His articles on subjects ranging from grand strategy to cartel tactics in the Mexican drug war have been published in The Atlantic, Small Wars Journal, Defense Concepts, and OpenDemocracy. His work has been cited in essays, articles, and monographs published by the Army War College, RAND Corporation, Army Command and General Staff College, United States Naval Institute Proceedings, Small Wars and Insurgencies, Studies in Conflict and Terrorism, and the Royal United Services Journal. He is currently pursuing graduate study at Georgetown and lives in Washington D.C.


A good article. From the views I've heard in the places I've heard them, I think "Targeted Persistent Threat" would be a more accurate term; social engineering doesn't come under my heading of "Advanced", but the effort an attacker puts in to craft targeted messages and attacks definitely distinguishes these from more run-of-the-mill attacks. The attackers are most definitely persistent, though; there have been some recent disclosures about intrusions which have resulted in quiet, unauthorised data exfiltration that has been going on for years....