Information Security

Defending the digital infrastructure


Advanced persistent threats: Has the industry moved on?

APT gives new meaning to targeted attacks that often rely on low-tech tactics and flawed network security.

Precise language may be the realm of editors, but there was a time -- not that long ago -- when any discussion of computer security's latest attacks had to include an overwrought dismissal of the acronym APT, Advanced Persistent Threat. Advanced wasn't right because the initial gambit was almost always a low-tech spear phishing attack. Persistent wasn't really accurate because it wasn't the attackers who made things persistent; it was the inability of organizations to read their own logs for anomalies that allowed the breaches to continue over long timeframes. More than either the "A" or the "P," the whole thing -- people would lament as they rolled their eyes -- was overhyped to the extreme.

Robert Richardson

Mandiant loved and embraced -- though didn't create -- the APT moniker, but the security industry didn't, so it created a new one, "advanced threats." Now you can "lead the fight against advanced threats with RSA Security analytics," read an Advanced Threats Report from Palo Alto Networks, and strengthen the NIST Cyber Framework against advanced threats with the Center for Strategic and International Studies.

Worldwide exposure

I suspect the main problem with APT is its association with Mandiant, and more recently, the security firm's February 2013 report, "APT1: Exposing One of China's Espionage Units," which garnered worldwide attention. Clipping the phrase to "advanced threats" makes the concept more palatable to other security vendors. Plenty of them have links on their websites that talk about advanced threats and connect to pages in directories named APT.

It's really the same nomenclature, and it still doesn't work. It's not that there isn't something there that cries out for a name and for a set of workable defensive tools; it's that "advanced threats" covers far too much ground. As a result, it virtually strong-arms vendors into making some sort of overzealous claim about detecting or halting advanced threats.

In some instances, we should just stick to the names we already have. Spear phishing is a powerful attack that isn't, in any technological sense, the least bit advanced. Of course you want to stop it. And you might stop it by using the latest, greatest threat intelligence (which is to say, someone else may have seen similar messages and sent an alert by way of a cloud-based infrastructure). There is absolutely no need to claim that this threat intelligence technology is some kind of advanced threat deterrent. It's just faster signature updates.

New classes of attack

In other instances, we might well need to acknowledge new classes of attack. There are genuinely new and advanced elements to Stuxnet- and Flame-type attacks. But I think there's more to be gained from talking about the specific elements, instead of saying, "Stuxnet and Flame are basically the same thing, and you should call that advanced threats."

When does this sort of specificity become important? When it enables us, as an industry, to sort out defenses that work well against certain attacks, leading enterprises to have a well-considered array of defenses, instead of building up a heap of products that protect their networks from "things that scare us" attacks.

Robert Richardson is the editorial director of TechTarget's Security Media Group. Follow him on Twitter @cryptorobert.


This was last published in May 2014


I think you miss the fundamental characteristic of APTs: the cost and effort an attacker is willing to invest in reaching attack objectives.

Both APTs and non-APTs are likely to use the same tools and techniques to attack a target, but the non-APT tends to focus on ROI. In other words, at the point where the combination of both hard and soft costs equals or exceeds the expected value of reaching attack objectives, the non-APT will disengage and go someplace else. The smart non-APT will perform a cost-benefit analysis during the information gathering and scanning/enumeration phases.

The APT is usually driven by motives arising from political, social, or other non-fiscal movements. Because of this, cost-benefit is either not a factor or the value of the targets far exceeds (priceless) attack-related costs. For example, a government will likely see the cost of industrial and defense system espionage activities against networks owned by foreign governments or defense contractors as very small when compared with the value of success.

In summary, an APT will expend whatever resources are necessary to reach expected outcomes.

Thanks for the comment. I think we're coming at this from different sides of the coin, and it makes a difference. You're using APT to refer to nation-state attackers, which is entirely appropriate. Motivation is an important part of understanding how an APT (in this context) is likely to behave.
I'm talking about something different, namely, the way vendors talk about their products as stopping "advanced threats" (and before that, "APT"). I think if you're making claims about being able to defend against a type of attack, you actually need to be talking about a *type* of attack, not something nebulous like "advanced threats." Does your product stop DNS amplification attacks? Great. Could that be used in an APT-style attack? Sure, but that's not the way to talk about it.
