APT: What It Is and What It’s Not

Friday, February 10, 2012

Infosec Island Admin

7fef78c47060974e0b8392e305f0daf0

What APT is as defined by DoD:

Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques such as telephone-interception technologies and satellite imaging and HUMINT capabilities. While individual components of the attack may not be classed as particularly “advanced” (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from “less advanced” threats.

Nation State or Exceedingly Coherent and Supported Actors: APT usually means that they are Nation State actors (i.e. spies/proxies for nations seeking to infiltrate and steal data or to manipulate data/supply chains etc) This can also be non nation state actors hired by corporations or even in some cases, movements or groups who have hired out for specific operational goals.

Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully. One of the operator’s goals is to maintain long-term access to the target, in contrast to threats who only need access to execute a specific task.

Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded.

Above from Wikipedia with changes by me.

I had a conversation on Twitter today that surprised me. The talk was about APT and what it really “meant” as well as how one determines if it is indeed APT that you are dealing with.

First off, I was taken aback somewhat at the confusion by some in the security field, but then I thought about it and many have not come from the DoD space or perhaps corporate areas that have had direct exposure to APT activities. Secondly, I was amazed and the varying focal points people focused on as the “meaning” of APT.

So, I decided to put this little post together and put it out there.

Yeah... I know... It’s been said a zillion times huh? So, why are people still confused? Well, there are some operational details that are not really in the public space so there is that, and the DoD tend to like to make all kinds of silly acronyms…

But it basically boils down to what you see above here. The definition came from Wikipedia (I know some are rolling their eyes now! Tough!) I have edited the entry with other information that was not there before and highlighted the important bits with italics and color.

Once you have read the above again… Move on to what APT is not below…

Go on… Re read the above please…

What APT Has Become In The Media and Marketing Maelstrom of Stupid

APT, the bugaboo sales buzzword that has been a wet dream for marketers of all kinds of software and appliances in security these past few years. The short and sweet of here is that APT is not the following:

  1. Phishing attacks
  2. Anonymous
  3. Common hackers looking for credit cards
  4. Your average pimple faced hacker (going with the media perception) in their mom’s basement with a commodore 64
  5. The Chinese
  6. A technical ghost in the machine that cannot be caught unless you buy my product!
  7. Able to be caught with just a SIEM solution that I am offering to you for (insert number here)

APT was in fact the acronym for state actors like China (who happen to be really really active low these last 5 years or more) and Russia or Israel of France, who were hacking and using a full range of intelligence techniques to not only steal data but to interfere with supply chains or otherwise manipulate corporations and other nation states to their own ends.

THAT is APT.

Of course the acronym has jumped the shark as it is now a buzzword, but, the DoD types still use it as a moniker for the actors that they and others within the space see every day attempting to ex-filtrate data, mess with command and control, and otherwise (mostly silently) mess with us all. They use numerous tactics that interlock and have many teams working toward multiple goals and multiple levels of attack and operational security.

They can use the most elegant of solutions and nimbly change their tactics, they can, on the fly create/edit code to defeat the defenders tactics, and they also use the most simplistic of attacks all in the effort to gain the access they require and to not only further it but to KEEP it as long as possible to succeed in their own ends.

There you have it. It’s not a binary.. It’s a layered approach to espionage and information warfare (IW).

…And your not going to stop them with something like Symantec’s SEP solution..

Thus endeth the lecture.  

K.  

Cross-posted from Krypt3ia

Possibly Related Articles:
9478
Network->General
Information Security
Methodologies DoD APT SIEM Attacks Advanced Persistent Threats Network Security hackers IDS/IPS Scot Terban Exfiltration Information Warfare HUMINT Krypt3ia Cyber Espionage
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.