What is an 'Advanced Persistent Threat,' anyway?

Hint: 'Advanced Persistent Threat' muscling into security lexicon

By , Network World
February 01, 2011 06:02 AM ET

Network World - "Beware the Advanced Persistent Threat"! is the security vendor mantra of the moment. But really, what is an APT? Depends who you ask ...

Some claim the term "Advanced Persistent Threat" originated somewhere in the Defense Department (DoD) and its contractors, which face continual cyber-espionage assaults.

"I think it was the Air Force," says NetWitness chief security officer Eddie Schwartz. "It's persistence of the adversary and the variety of techniques they're using, like malware or social engineering, against a nation's significant economic interests." 

The security industry started bandying about the term APT more frequently after Google just over a year ago disclosed it had been a victim of network-based intellectual-property theft that originated in China.

But as IT security vendors take up APT, it turns out not everyone uses it the same way.

"What's Advanced Persistent Threat? Depends who you ask," says Greg Hoglund, CEO at HBGary, who says the "Air Force and DoD latched onto it" as a nice way to not have to keep saying "Chinese state-sponsored threat." He says we should "stop pretending it's not that."

To Hoglund, APT is just a new phrase to describe malware that took advantage of sometimes simple weaknesses in the networks of targeted organizations that had spent millions of dollars on security technology. APT is a wishy-washy expression, he says, because the threat usually "is not 'advanced.'" The attacks are generally routine ones against known vulnerabilities that could probably be stopped just by doing a better job of patching. "Russia, with their crimeware, is way more advanced," he adds.

APT is "the Chinese government's state-sponsored espionage that's been going on for 20 years," says Hoglund. "Let's just call it, 'Everything that matters to the state of China's global expansion.'"

Other security experts have their own definitions of APT.

APT did come into increasing use after the attack on Google, says Gerry Egan, Symantec director of product management. In his opinion, APT means an attack targeted at an organization to steal data, especially intellectual property. "It's stealthy, not a slash-and-burn," he says. And it is persistent, not a one-time event, lasting a protracted period of time. But he disagrees that the term should necessarily imply a state-sponsored act. "It could be any organization that does this," he says.

McAfee has been among the security firms adopting the term APT. But according to the definition spelled out in McAfee's recent "2011 Threat Predictions" report, APT covers a lot of bases. "Not all APT attacks are highly advanced and sophisticated, just as not every highly complex and well-executed targeted attack is an APT," the report explains. "The motive of the adversary, not the level of sophistication or impact, is the primary differentiator of an APT attack from a cybercriminal or hacktivist one."

McAfee subscribes to the idea of APT as a "targeted cyberespionage or cybersabotage attack that is carried out under the sponsorship or direction of a nation-state for something other than a pure financial/criminal reason or political protest."