APT is Real Enough

21 November 2011

Advanced Persistent Threat (APT) is a term coined by several individuals in the information security community and championed by Richard Bejtlich (http://taosecurity.blogspot.com) and Mandiant Corporation (http://www.mandiant.com). There has been a lot of criticism of the term and of its general application to connote state-sponsored attackers. In the past I have been generally skeptical of the APT concept, but I'm beginning to change my mind on the matter.

One of the chief reasons for my reconsidering the validity of APT is the observation that believing something doesn't make it true, but at a certain point a preponderance of adherents to a concept forces it into the spectrum of reality. That is to say, if enough people believe in APT then that doesn't necessarily make APT real, but it does make APT a real part of the information security landscape, if only as a funding driver. The early proponents of APT can easily be viewed as stalking horses by the cynical, but my attendance at the recent Convergent Risk Symposium (http://www.convergentrisk.org/) and the publication of the 2011 report to Congress by the Office of the National Counterintelligence Executive (http://www.ncix.gov/publications/reports/fecie_all/index.html) demonstrated that the US government is clearly invested in the concept of APT and cybersecurity. Reports by major anti-virus vendors certainly lend credence to the topic, although their financial motivation makes their objectivity somewhat suspect.

Ultimately the US government is investing heavily in the concept of cybersecurity and is comfortable fingering foreign intelligence services (FIS) as culpable in internet-based intrusions. It logically follows that foreign organizations charged with spying on the US would use online capabilities as a cheap and efficient means of intelligence gathering. Furthermore, the emergence of advanced malware like Stuxnet and Duqu points to extremely advanced capabilities among some of the players in this space.

One point I like to make when training new information security practitioners is that they should never make assumptions about attacker motivations. Ultimately attacker motives are unknowable, and so it is pointless to guess at them. Many home users make the mistake of assuming that they won't be targeted by adversaries because there is nothing valuable on their machines, failing to understand that the machine itself and its bandwidth have value. Assuming that your organization isn't being targeted by FIS invokes the same fallacy: assuming you hold nothing of value and asserting what the attacker wants. No one can reasonably assert that their organization isn't the target of FIS intrusion and data exfiltration.

Given the reality of FIS adversaries (or at least the impossibility of proving their disinterest) and the open assertions of so many industry and government heavyweights that APT is real, it is becoming increasingly difficult to dismiss such threats. Of course, no single organization has the resources to combat a FIS, and the US government has yet to devise a credible defense against such a threat. Sadly, industry leads government in innovation and technology, which is exactly the edge that government needs in order to combat APT. The accusation leveled by the Office of the National Counterintelligence Executive that Chinese and Russian intelligence services use independent hackers to carry out attacks in order to avoid attribution lends credence to the idea that the private sector will end up leading this battle.

As this threat landscape evolves and becomes ever more dangerous, it is increasingly important for organizations to develop comprehensive information security programs. Establishing a security lifecycle, providing security training, and developing a security maturity road map for future growth are all essential. Developing and maintaining close ties to industry and government, particularly law enforcement, is also likely to be a critical aspect of organizational security programs moving forward. Although most of us don't yet have a handle on APT or FIS threats, strong collaborative relationships with government entities and across industry will be needed in order to develop meaningful remediation for such threats over time.