Guest editorial by Matthew Olney
There is no more predictable group of people than marketers. Once a term reaches a certain tipping point, they grab onto it for dear life and choke it until it means nothing. Apparently, the Advanced Persistent Threat (APT) hit that point somewhere around December. Despite the term being used by the defense industrial base for years, it wasn’t until this year that firms really started pounding the “Come to us my children, only we can save you from death by APT” drum.
This isn’t to say that APT isn’t real; we’ll get to that in a moment. But it dilutes and distorts the term, changing it from a euphemism for a certain group of attackers who display an uncharacteristic amount of backing, talent and motivation to a “thing” that CEOs have heard of and are now looking for the “Firewall blocks APT” checkbox. This is a disservice to those who face APT-level threats and also moves it into the “whatever” category for a lot of operational folks.
First, what is APT? I’ve been told, if I remember correctly, that initially the term was used to describe specific groups associated with nation-states that aggressively and successfully penetrated critical infrastructure networks and established well-developed, multi-level footholds in those networks. But now it increasingly means “bad thing from the Internet”.
The co-opting of APT by the marketing folks has led to the point that people are classifying any malware, rootkit or bot as “APT”. Zeus is not APT; Aurora is not APT. APT is a level of threat, a description of the sophistication, patience and talent behind an attack. The attacks are targeted, typically involving both an exploit and social engineering. Emails containing PDF exploits don’t get spammed to everyone in the organization; they are sent to key individuals with convincing messages. Bots aren’t your commercial, off-the-shelf variety. They are custom built, hard to detect and typically have multiple instances and functions, so an initial remediation sweep will appear successful but miss the deeper, quieter processes.
The attackers monitor the state and success of their attacks and channels. As one channel goes down, they activate another. If a node containing valuable data is cleaned, they’ll reinfect it from another computer. They know what they are doing.
Or, to use my own, barbaric way of describing things:
“APT: There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that.”