Just a Reminder for RSA: The “P” in APT stands for “Persistent”

RSA’s Chairman Art Coviello has issued an open letter to its customers about a security breach that resulted in lost information related to SecurID. Two lines don’t seem to go together:

“Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure”

and

“Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT).”

So, surprise, surprise, we are getting folks discussing whether this actually fits in the most ambiguous category in the history of infosec – APT. Heck, I am going to throw in my literal interpretation of the single word that actually has some specificity associated with it: Persistent. I suppose you could look at it two different ways – persistent in the sense of identifying recurring attacks from the same source, or persistent in its ability to compromise resources and stick around for a while. Neither seems to be the case here.

I feel RSA’s pain, because there is no honor in being hit with your general garden-variety plain old “T”, especially if you are a security company. But they should also feel better because, as we know, both “Ts” and “APTs” use the same techniques… which of course also means that you can’t tell if it was an APT or not unless you have recurring information on correlated attacks or actually find out their motives later.

Seriously, are we really going to be stuck for the rest of our careers deciding what is or isn’t an APT? Let’s hope the term flames out quickly.