The Public Eye with Eric Chabrow

Advanced Persistent Threat Definition Evolves

Defining APT Proves to Be Easier Than Defending Against It

The definition of advanced persistent threat, or APT, is evolving.

Here's how the National Institute of Standards and Technology defines APT:

"An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives."

In the just-issued IBM X-Force 2010 Trend and Risk Report, Big Blue says APT became part of the everyday IT security lexicon after the disclosure in January 2010 of Operation Aurora (see Did Study Foresee Google Attack?), a series of attacks in 2009 aimed at stealing information from Google and other companies.

Before 2010, APT generally described a series of campaigns designed to systematically compromise systems and networks. "Essentially," the X-Force report says, "similarities across attacks were recognized, leading to the ability to classify attacks into a particular category. The term APT was given to this category and was associated with a specific adversary that was believed to have a mission for the exploitation of cyberdefense systems for the purposes of economic, political or military gain."

After the revelation of Operation Aurora, IBM says, the term began to take on a different meaning. "In essence," the X-Force report says, "APT became associated with any targeted, sophisticated or complex attack regardless of the attacker, motive, origin or method of operation."

The attention given to APT raised awareness as well as sparked debate over APT, resulting in confusion and conflicting view, IBM says, adding: "In fact, some views suggest that APT was a manufactured term for purposes of marketing security services while other views point out the specific nuances that define APT for them. While multiple viewpoints exist, it is important to note that this type of threat is a legitimate issue for certain organizations."

Security maker RSA, a victim of a sophisticated attack revealed March 17 that targeted its SecurID two-factor authentication product, characterized the assault as an APT (see RSA Says Hackers Take Aim At Its SecurID Products). Weeks before the attack, RSA Chief Technology Officer Bret Hartman discussed the difficulty defending against APT (see Tracking Bad Guys Who Enter IT Systems):

"It is so insidious because the malware that makes it through into your system, whether that is sitting on let's say your laptop or on a server, very difficult to detect and the actual exploitation of that malware may not take place for a long time, if ever. It becomes challenging. It is not like something that just blasts through the front door and deletes your hard drive or attempts to. It is very, very pernicious and very narrowly focused."

In defining APTs, Dmitri Alperovitch, threat research vice president at McAfee Labs (McAfee was the first to identify Operation Aurora), says they're not always sophisticated, but as the name suggests, they're persistent (see Persistence: Trait Giving Infosec Leaders a Headache). "Once they pick a target they are relentless in going after that target. Whereas the cybercriminals will typically move on to a target that is much less secure, APTs will continue to attack and will spend months if not years trying to penetrate an organization that is of interest to them until they succeed."

Defining APTs is proving to be much easier than defending against them.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.