Part 1: Should we stop using the term Advanced Persistent Threat?
You probably have an idea in your head of what the term “Advanced Persistent Threat” means. Unfortunately, whatever it is that you think the word means, there are probably other people reading this post who think it means something else. It is hard to have a dialog about the subject when we aren’t speaking the same language.
Some people think the word Advanced Persistent Threat refers to a type of attack against a computer network, and other people think it refers to a group of attackers.
Those in the former category have a rigid set of criteria in mind for what kind of attack merits being called an “Advanced Persistent Threat.” The attack must be advanced, meaning that it must involve the use of novel techniques to obtain access and avoid discovery. The attack must also be persistent over a long period of time, meaning that a quick break-in targeting a specific piece of information doesn’t qualify. However, according to people in this camp, anyone can launch an Advanced Persistent Threat for any reason, as long as they have the skill required. Organized crime, hacktivists, and nation states all qualify.
People in the latter category view the term “Advanced Persistent Threat” as referring to a specific group of people who break into computer networks with the support of their national government for the purpose of collecting intelligence. People in this category have a rigid view of who the APT is and what their objectives are. However, according to people in this camp, the APT can launch any kind of attack that it wants to. The APT has the capability to launch technically novel or sophisticated attacks, but sometimes they choose not to, in order to avoid revealing valuable capabilities. The APT has the capability to persist for long periods of time within a computer network if they need to, but sometimes they don’t have a long-term need for the intelligence on offer in a particular network.
These two views of the term APT can be difficult to reconcile. People in the former camp will say things like “Your organization faces APTs from organized criminal groups.” That sentence is absolute gobbledygook to people in the latter camp. At the same time, people in the latter camp will look at a particular breach and, based on the targeted organizations and operational sophistication, declare that the attacker was APT. People in the former camp have been known to argue with these assertions if the attack in question isn’t sufficiently technically sophisticated or persistent.
This really gets problematic when it causes misunderstanding. A person in one of these camps writes a sentence that a person in another camp interprets as meaning something totally different. For this reason, some people are advocating that we stop using the term altogether. Consider this blog post from Eric Huber titled “To APT or Not To APT?” Like Mr. Huber, I’ve become more comfortable saying the words “Sophisticated Targeted Attack” and “State Sponsored Attack,” but there are times when you really want to use the term APT.
So, who has it right? Well, the original meaning is closer to the latter meaning than the former – APT is a group of people.
Most people found out about the term “Advanced Persistent Threat” in January of 2010 when Google disclosed a set of attacks called “Aurora.” Few were using that term openly on the Internet prior to that date. One of those few is Mike Cloppert from Lockheed Martin, who is one of the foremost experts on the subject. He defined APT as follows:
“I first heard this term used by the USAF's 8th Air Force in a small meeting in 2006. Unless contradicting evidence is brought to bear on the subject, I give them credit for coining this term, which is any sophisticated adversary engaged in information warfare in support of long-term strategic goals.”
Mandiant’s current CSO Richard Bejtlich seconded Cloppert’s origin for the term in an article in Information Security magazine but provided a slightly different explanation for the term:
“It is crucial to this discussion to recognize that APT is a proper noun. APT refers to specific threat actors; APT does not refer to vaguely unknown and shadowy Internet forces. The term is most frequently applied to distinct groups operating from the Asia-Pacific region. Those knowledgeable about APT activities can conduct an honest debate as to whether the term should be used to refer ONLY to certain Asia-Pacific actors, or if it can be expanded as a general classifier. In other words, if adversaries in Eastern Europe operate using the same tools, tactics, and procedures as traditional APT, should these actors also bear the APT label?”
That discussion is vital, frankly, because of the number of incidents that have been disclosed, particularly in the past six months, which appear to be examples of sophisticated, targeted attacks from different threat actors in different parts of the world. Can we call all of these groups “Advanced Persistent Threat,” or is that term only applicable to Asia-Pacific groups?
The first major computer security incident disclosed after “Aurora” that was widely thought to be the work of a nation state was Stuxnet. At the time, Mike Cloppert wrote an essay about why he didn’t think Stuxnet was an APT. His reasoning essentially boils down to the idea that Stuxnet was a tactical tool intended to spread fast and cause damage, whereas APT campaigns involve longer-term, strategic network intrusions, and so the group responsible for Stuxnet might have been a different type of group with different objectives than the typical APT group.
Furthermore, Cloppert suggested that the study of attacks launched by these two types of groups should be kept separate. If your goal is to find attacks that are trying to stay under the radar, studying a piece of malware that was widely disseminated might not teach you anything useful. You wouldn’t put any code in a widely disseminated piece of malware that is associated directly with your carefully orchestrated spying operation, would you?
We now know that this is exactly what happened. The authors of Stuxnet, or someone closely associated with them, launched at least three other related malware campaigns: Duqu, Flame, and Gauss. All three appear to have the same sort of long-term, strategic objectives that we associate with APT. Analysis of Stuxnet may have led directly to the discovery of Duqu.
It is surprising to see a direct relationship between different pieces of malware with such divergent purposes and levels of inherent exposure to analysis. This relationship is a tactical error that future campaigns may be careful to avoid. However, analysts should also not assume that this type of mistake will never be repeated. Sophisticated adversaries may have consistent behavioral patterns that show up in different types of campaigns with different objectives.
Should we call all of these threat actors “Advanced Persistent Threats?”
Ultimately, words mean what people think they mean. The word hacker has had simultaneous divergent definitions for decades, and we don’t appear to be anywhere close to reaching a consensus about how to properly use it. Advanced Persistent Threat is probably also beyond repair. However, as with the word hacker, it helps to be aware when you use the term APT that people may hear you say something different from what you intended to convey, and clarifying what you mean can only help avoid misunderstanding.