I've never liked the APT acronym. In my estimation it's just another three-letter acronym security vendors use to scare businesses into buying their products. Whenever I hear it, I think of another three-letter acronym vendors overused in their sales pitches: PCI, as in, "buy our product and you'll be PCI compliant."
So it's somewhat ironic that I'm about to use the post of a vendor to bolster my point.
Aviv Raff, CTO of Seculert, has a new post called "APT - Just *A* Persistent Threat," in which he cites research showing that such attacks really are not all that advanced after all. He writes, among other things:
In July, the Mahdi malware successfully targeted different entities from specific industries in the Middle East. The malware itself was not very sophisticated; however, it was able to infect and monitor over 1,000 targeted machines. And the attackers behind Mahdi are continuing to do so today.
In late August, Shamoon arrived targeting the Energy and Oil companies in the Arabian (Persian) Gulf. Again, while it was effectively destructive malware (wiping 30,000 machines), the code itself was not advanced. Moreover, it seems Shamoon was part of a persistent two-stage attack, meaning there was another malware involved that bypassed on-premise security solutions and was wiped by Shamoon to cover the attacker's real intention.
If we return to the RSA breach, the malware involved in this attack was also not sophisticated. It was a four-year-old, freely available downloadable Remote Access Tool called Poison Ivy. The attackers were using a non-advanced malware, but because it took RSA six months to identify the attack, it was persistent enough to be called APT.
So if you're a vendor telling potential customers about their risk from APTs, you're not being entirely honest if the examples you cite are simple rather than advanced, right?
I'm not suggesting that security vendors are outright liars. I know a lot of smart, dedicated people on the sales and marketing side of these companies. The issue here is that vendors love buzzwords and acronyms. It makes the sales pitch easier. That's why they loved SOX, HIPAA and PCI.
The problem is that along the way, the acronyms start to lose all meaning. They just float around like the little pasta letters in alphabet soup.
A George Hulme article on the Advanced Persistent Threat from last year makes the point. At the time, one security analyst told him:
"Everyone puts their own spin on the APT depending on whatever they're selling. If the vendor is in the social networking security space, they detail the APT as a social networking threat. If they're in anti-virus, they play up the malware aspect of APT. In that sense, the security vendors are making the term meaningless."
In other words, when everything is an APT, nothing is.
I don't pretend to have the answers. But as someone who's been covering security for nearly a decade, I've seen how slinging around certain words and acronyms can do more harm than good.
The best example is when every vendor who claimed to find a new threat would call it something starting with "ph," à la phishing, phreaking and phlooding. Of those three "ph" words I just mentioned, phishing is the only one I can define.
The acronyms are a lot more specific -- until vendors get their hands on them.
It's easy to see how this sort of thing happens.
We just need to be aware and minimize it.