APT: more than a buzz-phrase?
In a presentation last week, Barclaycard head of payment security Neira Jones said "every time someone says APT, an angel dies in heaven".
Aside from the unseasonal Clarence-isms, is it the case that people are tired of hearing buzzwords, abbreviations and acronyms without any clear explanation of what they actually mean?
When I spoke last week to Graham Nash from Fortinet, he used the more PC term of 'targeted attacks', but said that often people have their own definition of what an APT actually is. He claimed that what was seen in 2011 was not a revolution, apart from the new term and concepts; rather, it is the availability that has changed in the past 12 months.
He said: “Look at the key components and challenges; there is the attacking engine and crimeware-as-a-service that enables more and more people to be able to do this. In 2012 I see mobile becoming a factor too.”
Nash said the APT was often carried out following a "long gestation period" and attackers will "always find a victim", with phishing or spam messages often just precursors that deliver some malware or get an endpoint to be part of a botnet, in order to figure out a weak link in the chain.
I asked Nash if he felt then that the APT, or targeted attack, was a tool in cyber warfare. He said: “Look at the key components and motives on cyber attacks: money; geo-politics; companies; and hacktivism.
“Attacks can be high-risk and low-cost with denial-of-service or ransomware, so from an eco-politics point of view, a website can be taken down and, at worst, that is a branding problem. However, using ransomware is a risky way of doing things from the attacker's perspective, as there is no easy way to extract money and the attacker needs a method of protection for them and their assets as they do need to cover their tracks, identity and location.”
Looking forward to the rest of 2012, I asked Nash if he felt that there would be any changes from a hacker's point of view. He believed that there would be attacks on new versions of Flash or Windows and new vulnerabilities, as well as more activity as part of the evolution of threat versus mitigation.
“Also, 2011 showed that no one knew what an APT was and did not understand it. 2012 will be when companies do something about it,” he said.
“Cyber crime is costing the UK economy £27bn a year, and the key thing is at enterprise level, about what companies are doing and how they are incorporating the threat and cyber crime into their overall risk management and security controls. That will have a major impact on how much APT is taken seriously.”
So it does still remain a buzz-phrase, but APT (or targeted attack) is something to consider when assessing your risk profile, as Nash said. Yet it has the abbreviation status that can put some people off, and it may be time for researchers and writers to be a bit more serious on this subject.