Advanced persistent threats: Has the industry moved on?

APT gives new meaning to targeted attacks that often rely on low-tech tactics and flawed network security.


Precise language may be the realm of editors, but there was a time -- not that long ago -- when any discussion of computer security's latest attacks had to include an overwrought dismissal of the acronym APT, Advanced Persistent Threat. Advanced wasn't right because the initial gambit was almost always a low-tech spear phishing attack. Persistent wasn't really accurate because it wasn't the attackers who made things persistent; it was the inability of organizations to read their own logs for anomalies that allowed the breaches to continue over long timeframes. More than either the "A" or the "P," the whole thing -- people would lament as they rolled their eyes -- was overhyped to the extreme.

Robert Richardson

Mandiant loved and embraced -- though didn't create -- the APT moniker, but the security industry didn't, so it created a new one, "advanced threats." Now you can "lead the fight against advanced threats with RSA Security analytics," read an Advanced Threats Report from Palo Alto Networks, and strengthen the NIST Cyber Framework against advanced threats with the Center for Strategic and International Studies.

Worldwide exposure

I suspect the main problem with APT is its association with Mandiant and, more recently, the security firm's February 2013 report, "APT1: Exposing One of China's Espionage Units," which garnered worldwide attention. Clipping the phrase to "advanced threats" makes the concept more palatable to other security vendors, plenty of whom have links on their websites that talk about advanced threats and connect to pages in directories named APT.

It's really the same nomenclature, and it still doesn't work. It's not that there isn't something there that cries out for a name and for a set of workable defensive tools; it's that "advanced threats" covers far too much ground. As a result, it virtually strong-arms vendors into making some sort of overzealous claim about detecting or halting advanced threats.

In some instances, we should just stick to the names we already have. Spear phishing is a powerful attack that isn't, in any technological sense, the least bit advanced. Of course you want to stop it. And you might stop it by using the latest, greatest threat intelligence (which is to say, someone else may have seen similar messages and sent an alert by way of a cloud-based infrastructure). There is absolutely no need to claim that this threat intelligence technology is some kind of advanced threat deterrent. It's just faster signature updates.

New classes of attack

In other instances, we might well need to acknowledge new classes of attack. There are genuinely new and advanced elements to Stuxnet- and Flame-type attacks. But I think there's more to be gained from talking about the specific elements, instead of saying, "Stuxnet and Flame are basically the same thing, and you should call that advanced threats."

When does this sort of specificity become important? When it enables us, as an industry, to sort out defenses that work well against certain attacks, leading enterprises to have a well-considered array of defenses, instead of building up a heap of products that protect their networks from "things that scare us" attacks.

Robert Richardson is the editorial director of TechTarget's Security Media Group. Follow him on Twitter @cryptorobert.


This was last published in May 2014
