What is an 'Advanced Persistent Threat,' anyway?

Hint: 'Advanced Persistent Threat' muscling into security lexicon

"Beware the Advanced Persistent Threat"! is the security vendor mantra of the moment. But really, what is an APT? Depends who you ask ...


Some claim the term "Advanced Persistent Threat" originated somewhere in the Defense Department (DoD) and its contractors, which face continual cyber-espionage attacks.

"I think it was the Air Force," says NetWitness chief security officer Eddie Schwartz. "It's persistence of the adversary and the variety of techniques they're using, like malware or social engineering, against a nation's significant economic interests." 

The security industry started bandying about the term APT more frequently after Google just over a year ago disclosed it had been a victim of network-based intellectual-property theft that originated in China.

But as IT security vendors take up APT, it turns out not everyone uses it the same way.

"What's Advanced Persistent Threat? Depends who you ask," says Greg Hoglund, CEO at HBGary, who says the "Air Force and DoD latched onto it" as a nice way to not have to keep saying "Chinese state-sponsored threat." He says we should "stop pretending it's not that."

To Hoglund, APT is just a new phrase to describe malware that took advantage of sometimes simple weaknesses in networks on which the targeted, victimized organization had spent millions of dollars in technology. APT is a wishy-washy expression, he says, because the threat usually "is not 'advanced.'" The attacks are generally routine ones against known vulnerabilities that could probably be stopped just by doing a better job of patching. "Russia, with their crimeware, is way more advanced," he adds.

APT is "the Chinese government's state-sponsored espionage that's been going on for 20 years," says Hoglund. "Let's just call it, 'Everything that matters to the state of China's global expansion.'"

Other security experts have their own definitions of APT.

APT did become increasingly used after the attack on Google, says Gerry Egan, Symantec director of product management. In his opinion, APT means an attack targeted at an organization to steal data, especially intellectual property. "It's stealthy, not a slash-and-burn," he says. And it is persistent, not a one-time event, lasting a protracted period of time. But he disagrees that it's a term that should necessarily imply a state-sponsored act. "It could be any organization that does this," he says.

McAfee has been among the security firms adopting the term APT. But according to the definition spelled out in McAfee's recent "2011 Threat Predictions" report, APT covers a lot of bases. "Not all APT attacks are highly advanced and sophisticated, just as not every highly complex and well-executed targeted attack is an APT," the report explains. "The motive of the adversary, not the level of sophistication or impact, is the primary differentiator of an APT attack from a cybercriminal or hacktivist one."

McAfee subscribes to the idea of APT as a "targeted cyberespionage or cybersabotage attack that is carried out under the sponsorship or direction of a nation-state for something other than a pure financial/criminal reason or political protest."

McAfee concludes, "Companies of all sizes that have any involvement in national security or major global economic activities" should expect "to come under pervasive and continuous APT attacks that go after archives, document stores, intellectual property repositories, and other databases."

"What makes an attack an APT is that the group behind the attack is sponsored or directed by a nation-state and thus has got completely different goals from the average cyber criminal," says Toralv Dirro, McAfee security strategist for McAfee Labs.


The motivation, he says, is to get intelligence for military, political or economic advantage. He says a recent trend is to "take advantage of the increasing use of social networking sites within companies, not only as a way to gather data used for spear-phishing but also as a way to distribute malware to its intended victim."

He adds that he thinks a recent APT case was the fake White House e-mail Christmas postcard that lured government victims to download a version of ZeuS. "While ZeuS is usually used by criminals to steal banking information, this version instead downloaded another program designed to steal documents."

He adds: "Technologies like data-loss prevention, network and user behavior analysis and application control are becoming more and more mature and can help build a very secure network."

Marc Maiffret, chief technology officer at eEye Digital Security, says he's not inclined to use the phrase APT. "I try to say what I mean instead of using phrases," he notes. APT is "more popular among runaway marketing departments. The new scary thing to say is APT."

Copyright © 2011 IDG Communications, Inc.
