Advanced Persistent Threats Get More Respect

When it comes to combating APTs, the odds are against your organization's security team, say security experts such as Bruce Schneier. This type of risk deserves special scrutiny.

Mathew J. Schwartz, Contributor

February 9, 2012

5 Min Read

Is the term APT--for "advanced persistent threat"--anything more than a buzzword?

Typically, such attacks eschew technical sophistication for careful reconnaissance and taking a low-and-slow approach that's difficult to detect, but which has a high likelihood of success. Attackers only need to trick a single employee into opening a piece of malware that exploits a zero-day vulnerability, thus giving them access to not just the employee's PC, but potentially the entire corporate network.

Many people have railed against the term "advanced persistent threat" because it seems to have become a go-to excuse for any hacked business. Furthermore, such attacks don't look advanced at all, but rather just persistent. But actually, the APT term has been around since 2006, when it was coined by the Air Force "to describe specific types of adversaries, exploits, and targets used for explicit strategic intelligence gathering goals," according to a report from Enterprise Strategy Group (ESG). Since then, however, the term has been co-opted by the security industry, and regardless of whether such attacks seem advanced or not, they can be startling effective, as breaches of everyone from RSA to Citibank demonstrate.

[ Learn more about who is launching most APTs; see 12 Groups Carry Out Most APT Attacks. ]

As a result, the APT term is now getting more respect from security experts. "It's taken me a few years, but I've come around to this buzzword. It highlights an important characteristic of a particular sort of Internet attacker," said Bruce Schneier, chief security technology officer of BT, in a blog post. Traditionally, he said, as long as your business' security was relatively better than most other businesses' security, attackers--in their search for credit card numbers or customer data--would opt for the easy target. But with an APT, attackers have already selected your organization for attack, meaning that your information security program needs to be extremely good to stop any related attack attempts from succeeding.

Unfortunately, the odds will be against you. Compared with traditional attackers, "APT attackers are more highly motivated," said Schneier. "They're likely to be better skilled, better funded, and more patient. They're likely to try several different avenues of attack. And they're much more likely to succeed."

Have IT and security managers caught on to this threat? To find out, Enterprise Strategy Group asked IT professionals whether "APT" was descriptive, or if it had become debased by marketing hype and overuse. To find out, the analyst firm actually read the definition of an APT--as defined by the National Institute of Standards and Technologies--to survey respondents.

That definition, which runs to 123 words, highlights how such attacks are perpetrated by "an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors," including not just online attacks but also physical attacks, as well as deception or social engineering attacks. The definition also emphasizes that such attacks may persist indefinitely, with attackers often modifying them over time as defenders attempt to block them.

How did respondents to the ESG study, released in November 2011, classify the APT threat facing their business? "The data suggest that a lot of U.S. companies are being attacked," said Jon Oltsik, ESG senior principal analyst, in an interview at the time. "We can definitively say that APT is not a marketing term, people are concerned they're being attacked, and they're not really prepared."

"The difficult thing about APTs is that they exploit employee knowledge gaps, process weaknesses, and technology vulnerabilities in random combinations," he said. "Patient, well-resourced, and highly skilled adversaries take their time to figure out where we are most vulnerable and then use this knowledge as a weapon against us. You could do 99 things right, and the bad guys will find and leverage the one thing you do wrong."

That's led security experts to seek better ways to help organizations block such attacks. Notably, a security consortium filled with representatives from businesses as well as government agencies, and hosted by RSA--which has been working aggressively to rehabilitate its image after the SecurID-breach fallout--found that the number-one APT attack vector is employees. That's not meant to trigger a "blame the employee" game, but rather to highlight how targeted spear-phishing and other forms of social engineering attacks--even phone calls--are difficult to repel, all of the time.

Predictably, organizations that are well-prepared to stop APTs keep training employees proactively, according to Oltsik's research. But they go further, and in fact can adopt security postures that look relatively paranoid, he said. Notably, they spend more money on information security and keep a close eye on emerging threats. They also take the time to identify their most valuable assets--typically data--and devote more resources to keeping them secure, in part by limiting access. Finally, acknowledging that breaches are inevitable, they "invest in people, process, and technology for incident response and regularly measure their performance," he said.

Accordingly, when it comes to better stopping an APT, the message is clear: start getting a little paranoid.

Heightened concern that users could inadvertently expose or leak--or purposely steal--an organization's sensitive data has spurred debate over the proper technology and training to protect the crown jewels. An Insider Threat Reality Check, a special retrospective of recent news coverage, takes a look at how organizations are handling the threat--and what users are really up to. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights