The RSA incident of last month has led to debate on the way that the company was hit by an ‘advanced persistent threat’ (APT).
Last year Dwayne Melancon, vice president of log management at Tripwire, looked at how APTs work and how they impact the target. With APTs back in the headlines, I began to question what exactly an APT is. David Jevans, chairman of IronKey and chairman of the Anti-Phishing Working Group, said that an APT is advanced because it uses several of the latest techniques and multiple channels and ways to get control.
He said: “There are very intelligent people on the other end who are stealthy and doing intelligence in a way that is not being detected and making their efforts look like regular traffic.”
Blogger Jacob Appelbaum said on his Twitter feed that ‘the joke about the APT paradigm is that it is rarely advanced. The threat is merely just persistent and the target is simply vulnerable’.
I asked David Harley, senior research fellow at ESET, what he thought an APT was and what was so advanced about it, other than that it is persistent. He said that he felt the term was ‘too fuzzy to tell anyone anything much’ and that, in the case of RSA, it was too hard to understand anything about the threat from what the RSA statement had said, or about what RSA understands by an APT.
“My first thought was that it might be an incursion initially based on a successful targeted phishing attack. Would that count as an APT? I can't say without more detail,” he said.
Breaking down the definition, Harley said: “I don't think advanced really means advanced. Rather, it seems to mean ‘as sophisticated as it needs to be’. So it could be unremarkable social engineering or a known and mitigated/patched vulnerability, escalating to one or more advanced zero-days if needed.
“I don't think persistent means persistent either, at least in terms of a repeated single attack. I think it means pursuit of a long-term goal that might merit a highly adaptive attack strategy.
“The distinction in the commonly used APT definitions between a threat and an attack using automated code could be viable and even useful, but it's by no means universal. In fact, our labs use the term threat routinely to describe malware without necessarily making any implicit statement about the originator(s) of the code or their motivation, and I don't particularly see why we should.
“But then, I don't actually find the APT term particularly useful. Perhaps that's because of the market segment I currently work in, but I don't see what makes the common definitions (which seem to be remarkably close to the Wikipedia definition or vice versa) authoritative rather than buzzwords.”
A blog by SecuriTeam also criticised the APT term, saying that ‘Advanced Persistent Threat’ is pretty meaningless and actually hides what is going on.
“Yes, I know that it is embarrassing to have to admit that you have been tricked by social engineering (which is, itself, only a fancy word for ‘lying’) and tricked badly enough that somebody actually got you to run a virus or Trojan on yourself. It's so last millennium. But it's the truth, and dressing it up in a stylish new term doesn't make it any less so,” it said.
Chris Eng, senior director of security research at Veracode, said: “The recently acknowledged existence of APTs encourages companies to feel less accountable for security breaches. What I mean by this is that companies will take cover under the APT umbrella to detract from the fact that they have not been following best security practices with respect to application security and other parts of their infrastructure.
“There's an expectation that the media thrashing will be more restrained if you claim to be a victim of APT, because the attack must have been so unbelievably sophisticated. From a PR standpoint this is preferable to admitting that one of your laptops was stolen or that an attacker broke in via a SQL injection vulnerability in a website that you neglected to test. The added bonus with APT is that you can withhold information and claim that it's too sensitive to disclose!
“APTs, or whatever you want to call them, do exist. There are nation-states building sophisticated information warfare capabilities and there is incentive to target prominent companies. Many attacks may go undiscovered. Those are the real APTs. Just because an attack uses social engineering or gains access to your intranet does not make it ‘advanced’. Let's not be so quick to call everything an APT.”
These perspectives suggest that there is in fact a lot of opposition to this term and to the generalisation created by those three words. While this is a concern to businesses, it could be argued that there is no more of a threat here than with a malware attack. If RSA had been hit by a malicious threat, would it have experienced such an incident and caused such headlines, or does an APT just sound a bit more cool?