Published: 01 May 2014
Precise language may be the realm of editors, but there was a time -- not that long ago -- when any discussion of computer security's latest attacks had to include an overwrought dismissal of the acronym APT, Advanced Persistent Threat. Advanced wasn't right because the initial gambit was almost always a low-tech spear phishing attack. Persistent wasn't really accurate because it wasn't the attackers who made things persistent; it was the inability of organizations to read their own logs for anomalies that allowed the breaches to continue over long timeframes. More than either the "A" or the "P," the whole thing -- people would lament as they rolled their eyes -- was overhyped to the extreme.
Mandiant loved and embraced -- though didn't create -- the APT moniker, but the security industry didn't, so it created a new one, "advanced threats." Now you can "lead the fight against advanced threats with RSA Security analytics," read an Advanced Threats Report from Palo Alto Networks, and strengthen the NIST Cyber Framework against advanced threats with the Center for Strategic and International Studies.
I suspect the main problem with APT is its association with Mandiant, and more recently, the security firm's February 2013 report, "APT1: Exposing One of China's Espionage Units," which garnered worldwide attention. Clipping the phrase to "advanced threats" makes the concept more palatable to other security vendors, plenty of whom have links on their websites that talk about advanced threats and connect to pages in directories named APT.
It's really the same nomenclature, and it still doesn't work. It's not that there isn't something there that cries out for a name and for a set of workable defensive tools; it's that "advanced threats" covers far too much ground. As a result, it virtually strong-arms vendors into making some sort of overzealous claim about detecting or halting advanced threats.
In some instances, we should just stick to the names we already have. Spear phishing is a powerful attack that isn't, in any technological sense, the least bit advanced. Of course you want to stop it. And you might stop it by using the latest, greatest threat intelligence (which is to say, someone else may have seen similar messages and sent an alert by way of a cloud-based infrastructure). There is absolutely no need to claim that this threat intelligence technology is some kind of advanced threat deterrent. It's just faster signature updates.
New classes of attack
In other instances, we might well need to acknowledge new classes of attack. There are genuinely new and advanced elements to Stuxnet and Flame type attacks. But I think there's more to be gained from talking about the specific elements, instead of saying, "Stuxnet and Flame are basically the same thing, and you should call that advanced threats."
When does this sort of specificity become important? When it enables us, as an industry, to sort out defenses that work well against certain attacks, leading enterprises to have a well-considered array of defenses, instead of building up a heap of products that protect their networks from "things that scare us" attacks.
Robert Richardson is the editorial director of TechTarget's Security Media Group. Follow him on Twitter @cryptorobert.