APT - Advanced Persistent Threat - What is it?

APT - Advanced Persistent Threat - What is it?

The term was actually coined by the US Air Force in 2006 as a way to communicate with counterparts in the unclassified public world. If the USAF wanted to talk about a certain intrusion or attack with uncleared personnel, they could not use the classified threat name, so they choose APT as a common moniker that could apply to all such situations.

What is important when referring to an APT is that is references a specific threat from specific sources. It is not meant as a catchall description for some vague or unknown cyber-attack.

Heretofore, APT was most frequently applied to specific groups operating in the Asia-Pacific region, but there is considerable discussion as to whether adversaries in Eastern Europe operating using the same tools, tactics, and procedures as traditional APT, should also have the APT label.

In the commercial sector, an IT security professional usually does not make the distinction or really care where the threat is originating from, rather that he or she will take the same defensive actions regardless of the source or nationality of the adversary.

APT entered the common lexicon in early 2010 when Google announced its intellectual property had been the victim of a targeted attack originating from China. Although Google was far from the only victim, the company’s visibility and its high profile public disclosure put a new face on these types of attacks and the lengths attackers would go to gain access to proprietary corporate and military information.

Insofar as a definition, APT means:

Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.

Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit, they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

Threat means the adversary is not a piece of mindless code. The opposition is a threat because it is organized, funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.

In brief, APT is an adversary who conducts offensive digital operations (called computer network operations or perhaps computer network exploitation) to support various state-related objectives.

APT is characterized by devotion to maintaining some degree of control of a target’s computer infrastructure, acting persistently to preserve or regain control and access. Unclassified briefings by counter-intelligence and military analysts use the term “aggressive” to emphasize the degree to which APT pursues these objectives against a variety of government, military, and private targets.

IS APT NEW?

When the Google attack entered the public arena, many people wondered if APT was something new. The answer to this question depends on one’s perspective, plus understanding some history. As mentioned earlier, the term APT is approximately 4 years old.

Richard Bejtlich, founder of TaoSecurity and director of incident response for General Electric describes APT activity in terms of offender, defender, means, motive, and opportunity.

He breaks APT targets into four phases:

1) late 1990s — military victims;

2) 2000-2004 — non-military government victims;

3) 2005-2009 — defense industrial base;

4) 2009-present — intellectual property-rich targets and software companies.

He points out that analysts currently assess APT activities as supporting four main goals.

· Political objectives such as maintaining internal stability.

· Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.

· Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worryingly is the thought that intruders could make changes to improve their position and weaken the victim.

· Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces.

WHAT SHOULD DEFENDERS DO TO COUNTER APT?

The most effective counter-APT weapon is a trained and knowledgeable information security analyst. Tools are always helpful, but the best advice is to educate business leaders about the threat so that they support organizational security programs conducted by competent and informed staff.

On a technical level, building visibility in to one’s organization will provide the situational awareness to have a chance to discover and hopefully frustrate APT activities.