The term advanced persistent threat (APT) has been thrown around rather loosely since Google made it publicly known at the beginning of 2010 that its intellectual property had become the latest victim of a targeted, persistent attack. For two years, the definition of the term APT has become increasingly muddled.
Because of the confusion, organizations sometimes misunderstand the dangers and characteristics of APT-related attacks, often labeling any kind of attack or breach as an APT. Yet an APT attack isn’t just any kind of intrusion; it’s a uniquely complex, determined attack with a specific target in mind. Many frequently apply it to distinct groups operating from the Asia-Pacific region.
“There’s plenty of confusion around the topic,” said Richard Bejtlich, chief security officer and vice president of MCIRT at security company Mandiant. “It became a buzzword that all sorts of vendors started using when they didn’t exactly know what it was.”
As a direct result of the confusion around APTs, companies often misappropriate resources, making unnecessary or uninformed investments. According to a 2010 report conducted by Mandiant, there is a surplus of organizations doing this.
“Although the U.S. government and defense communities are aware of and countering APT attacks, many victims and targets are unaware and unequipped. Often, victims of the APT react in a way that does more harm than good,” explained the Mandiant report, titled The Advanced Persistent Threat.
The report claims only 24% of malware used in APT attacks, which the company discovered and examined, was detected by security software. Organizations often rely on malware signatures, such as those used by traditional antivirus or intrusion detection, or filename matching and MD5 hashes, which, more often than not, fail to detect APTs.
“The primary reason organizations fail to identify the APT is most of their security devices examine inbound traffic at the perimeter,” said the Mandiant report. It goes on to explain that although host- and network-based signatures often work to identify attacker activity, they don’t always lead companies to the general conclusion that they’ve been breached by an APT attack.
Today, security professionals can argue over the definition of the word, but its meaning stems from the military: the U.S. Air Force allegedly coined the term in 2006 to communicate classified information to unclassified people. However, some experts suggest it actually dates back to 2003, when a coordinated attack dubbed Titan Rain compromised terabytes of data from the U.S. Department of Defense.
According to the U.S. National Institute of Standards and Technology (NIST), this type of attack “pursues its objectives repeatedly over an extended period of time, adapts to defenders’ efforts to resist it and is determined to maintain the level of interaction needed to execute its objectives.”
Last year’s Aurora attack on Google and other enterprises put a high-profile face on APT attacks that not many understood, making it much too easy for security vendors to take advantage of the confusion. Because of this, the vendor marketing of alleged APT solutions took off at a running start, beginning with the RSA Conference 2010.
“There’s a little squishiness to the definition,” said Jon Oltsik, senior principal analyst at Enterprise Strategy Group (ESG). “Marketing people don’t always use the [NIST] definition.”
According to the U.S. Advanced Persistent Threat Analysis, a study conducted by ESG, 8% of the 244 security professionals polled claimed they were not that familiar or not at all familiar with the concept of APTs, yet 59% still claimed they are certain or fairly certain their organization has been the target of a previous APT attack.
“Many organizations are spending almost all of their security budgets on preventive solutions,” said Bejtlich. “You’ll spend all these resources on preventing, but there’s a good chance that if you’re an organization of decent size, you’ll be compromised.” He added that it’s not just about stopping, but also detecting and responding to an APT.
In The Advanced Persistent Threat report, Mandiant discusses a case dealing with an APT attack at a federal government entity. The organization responded to the attack by immediately pulling the compromised systems offline and collecting the malware in hopes of identifying callback domain names and IP addresses. This information was then used to block those systems’ access to the network. However, in doing this, the organization simply allowed the attacker to identify the compromised systems and malware that the victim had discovered, therefore enabling the intruder to leverage other systems and malware that had not yet been detected.
Ultimately, the federal government agency wasted time, effort and resources in finding the intrusion, while the attacker simply moved laterally through the network to compromise more systems. Because the organization panicked and rushed to pull the compromised systems offline and collect the malware without understanding the tools and techniques of the intruder, remediation failed, and almost always will fail. Mandiant explains that the government entity should have decoded the APT command-and-control protocols, thus gaining insight into and understanding of the APT activities and of what and who was being targeted.
APTs aren’t a foe organizations should take lightly. According to Bejtlich, “APT does not refer to vaguely unknown and shadowy Internet forces. … APT incidents are not hit-and-run, smash-and-grab affairs.”
According to ESG’s U.S. Advanced Persistent Threat Analysis, 93% of the security professionals polled said they are either extremely concerned or concerned about the impact that APT attacks could have on vital interests like national security and the economy. Also worth noting is that 79% of organizations are lacking the essential security knowledge, processes and technology defenses needed for ample protection against sophisticated cyberattack methods, such as an APT.
“APTs are there, they are definitely targeting through very sophisticated means for specific data,” said Ed Brice, senior vice president of worldwide marketing at Lumension. “When you look at the bulk of everyday companies, zero-day malware targeting vulnerabilities by third-party applications is the most pressing concern.”
Added ESG’s Oltsik: “If you understand what it is and what it does, you wouldn’t confuse APTs with other attacks.”