Addressing the Advanced Persistent Threat (APT)

In the past few weeks, the Advanced Persistent Threat (APT) has been all the rage in the infosec world. Security professionals everywhere are taking sides about whether APT is new or not, despite (or perhaps due to) the lack of a clear and consistent definition.

It started with Google suggesting (but not explicitly stating) that the Chinese government was responsible for a series of attacks against a few dozen U.S. companies. Many folks took up the charge, further strengthening the position that the Chinese government was involved, with sparse new evidence but significantly more outrage. (There was some recognition that it is difficult to confirm the source of any attack, let alone one coming from a country of several billion.)

The APT advocates are adamant that APT is something new and worthwhile, despite the fact that they can’t say much more about it. Detractors simply laugh and say there is nothing new here. Marketers salivate because they know that, new or not, they have a great buzzworthy term around which to plan their next marketing campaign, to the chagrin of the advocates and the chiding of the detractors.

My take:

Whether or not APT is new only matters to the extent that it can (or should) change the nature of the defense. So, a change to the “heart and mind” of the threat is insignificant unless it provides us with some other means of defense. For those in the military-industrial complex, there may be diplomatic methods or other stealthy actions that can be taken to address the APT. But for most, there isn’t a change here.

It is worth noting two different aspects of APT that are meaningful as we continue to develop our defenses. First, there is an increase in risk. APT is indicative of a higher benefit to the attacker and therefore a higher level of threat to the defender. In addition, given the persistence of the attacker it is reasonable to believe that the consequences could be higher. Therefore, overall risk is increased.

Second, there may be a shift in focus from incidence to prevalence. In epidemiology, this is the difference between the number of new instances of compromise and the total number of compromises at any given point in time. This may trigger a move from prevention to (compromise) detection.

There is a power struggle going on between attacker and defender that will determine the extent to which detection techniques should be emphasized. As prevalence numbers go up (if they go up), more attention is needed on detection.
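To make the incidence/prevalence distinction concrete, here is an added Python example (not part of the original post) run over a constructed compromise timeline; the host names and dates are made up. It shows how a constant rate of new compromises still produces a rising count of currently compromised hosts when intrusions persist undetected, which is the case for shifting effort toward detection.

```python
from datetime import date, timedelta

# Constructed sample incidents (not real data). Each entry is
# (host, date compromise began, date remediated or None if still compromised).
INCIDENTS = [
    ("host-a", date(2010, 1, 5), date(2010, 1, 12)),  # caught within a week
    ("host-b", date(2010, 2, 2), None),               # persistent, never detected
    ("host-c", date(2010, 3, 3), None),               # persistent, never detected
    ("host-d", date(2010, 4, 6), None),               # persistent, never detected
]


def incidence(incidents, start, end):
    """New compromises that began in [start, end): the 'new cases' measure."""
    return sum(1 for _, began, _ in incidents if start <= began < end)


def prevalence(incidents, on):
    """Hosts still compromised on a given day: the 'total cases' measure.
    A host counts if compromise began on or before that day and has not
    yet been remediated (remediation day itself counts as clean)."""
    return sum(1 for _, began, ended in incidents
               if began <= on and (ended is None or on < ended))


def monthly_report(incidents, year, months):
    """For each month: (new compromises, hosts still compromised at month end)."""
    report = {}
    for m in months:
        start = date(year, m, 1)
        end = date(year + 1, 1, 1) if m == 12 else date(year, m + 1, 1)
        month_end = end - timedelta(days=1)
        report[m] = (incidence(incidents, start, end),
                     prevalence(incidents, month_end))
    return report


if __name__ == "__main__":
    for month, (new, current) in monthly_report(INCIDENTS, 2010, range(1, 5)).items():
        print(f"2010-{month:02d}: incidence={new} prevalence={current}")
```

With one new compromise per month, incidence is flat at 1 while prevalence climbs from 0 to 3, because prevention alone says nothing about the hosts attackers are still sitting on.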

As far as the marketing buzzworthiness is concerned, it is not something generally controllable by security professionals, so a little serenity praying can go a long way. My recommendation is to ignore it.