APT – new threat or just a new name? And just what does it mean?

The term Advanced Persistent Threat (APT) has become the de facto term for criminals, organisations and governments spending considerable time, effort and expertise attempting to gain access to another organisation's data.

Now this is clearly not a new phenomenon, as people with the resources to do so have always put time into getting the information they want, using technical and non-technical techniques including:

– Dumpster diving

– Social engineering (over the phone, and in person on site)

– Viruses / Trojans / Worms delivered via email / usb / floppy disk / CD etc.

– Phishing / spear-phishing (or whatever targeted emails / mails used to be called)

etc. etc.

The question is, has this problem suddenly become much larger and more of a concern, or is the new name and much of the news there to create fear and market security tools / services?

I am completely in favour of people having a common language, so giving a simple and agreed term to “criminals, organisations and governments spending considerable time, effort and expertise attempting to gain access to another organisation's data” is definitely a good thing. However, this needs to be used with caution, so that the accusation of spreading unnecessary fear and uncertainty cannot be levelled against the security industry.

For example, how many of the attacks reported to have been launched from China by the Chinese government were actually launched from botnets in China, enabled by the fact that users in the country have amongst the highest levels of unpatched machines in the world? I don’t know the answer, but while reading for this article I found conflicting thoughts and statements on this topic.

There is clearly a need for clarity and openness. Everyone in the security industry, and increasingly people outside it, is aware that there are many risks out there, especially to machines without AV or not kept patched up to date. The risk does, however, need to be fairly and realistically reported.

If a company is compromised, it is currently much less damaging to report it as an APT attack than to own up to some unpatched machines, a misconfigured firewall, or someone clicking on a phishing mail while logged in with administrative privileges, etc.

Equally, though, when there is clear evidence of APT, this should be clearly reported, especially if in doing so the techniques used can be revealed to help protect other potential victims. Should government agents be clearly implicated, this should be reported, as governments are supposed to be beholden to international laws and not behave in a criminal manner. I guess the same could and should be said of individuals and criminal organisations!

In short, clearly agreed universal terminology is a good thing to aid understanding and communication, even if it is not describing something new. But clear and open reporting of threats is key if people are to make informed and correct decisions about the real risks, and about how much time and expense should go into mitigating them versus other threats and business needs.

Future posts will cover exactly what APT is in more detail, and also ask whether the cloud is something new.

Author: Kevin Fielder

Innovative and dynamic security professional, with a passion for driving change by successfully engaging with all levels of the business. I am a determined individual with proven ability to provide security insights to the business, in their language. These insights have gained board buy in for delivering security strategy aligned to key business goals. This is achieved by understanding the need to drive change through people, process and technology, rather than focusing exclusively on any one area. I take pride in being a highly articulate, motivational and persuasive team-builder. I have a strategic outlook with the ability to engage with and communicate innovative and effective security solutions to all levels of management. Along with a proven ability to translate security into business language and articulate the business benefits I am also passionate about leading security innovations and making security a key part of the business proposition to its customers. Security should be made a key differentiator to drive sales and customer retention, not just a cost centre! Outside of work I am a proud husband and father to an awesome family, and a passionate CrossFit coach and athlete.

2 thoughts on “APT – new threat or just a new name? And just what does it mean?”

  1. Most of these names/terms are just buzz words to make people (those people who have not been in the industry for long) sound like they have discovered something new.
    Cloud computing: I have been using cloud computing for 10 years (Hotmail, YouTube), new name, same old service. The name cloud came out of the Visio network diagrams where we would put a cloud icon for the Internet, showed some marketing people and the idea was sold.
    Web 2.0, give me a break.
    Crowdsourcing and its misuse. With lots of clueless people all agreeing on the wrong solution.
    Also using terms like N+1 to make it sound like you have considered redundancy, hahaha.
    APT has been around for well over a year now and in some cases it is correct but most not.
    RSA, The Sun hack, all were APT as a lot of work was done probing the networks for weeks before the attack. But many SQL injections are just found out by a Google search.
    The current trend to DDoS a site would not be classed as an APT.

    All these terms I use to make a client think I am an expert in my field; I just use them to make my company sound hip and in with the current trends so that I sell more services to clueless people.

    Keep the buzz words and fool the clueless.

    John

    1. Thanks John, very similar to my thinking. I was actually planning on a similar post around cloud computing; as you say, we have all been using various ‘cloud’ type services for years. Also, to me at least, while the infrastructure is different (commodity servers and storage vs. large specialised mainframe-type servers), cloud computing is hardly a new paradigm.

      I guess one benefit is that while the terms may not be new and may often get misused to sell FUD or protect reputations, anything that may be raising the general non-IT-security population's awareness of the need for security and to be careful with your data cannot be all bad.
