Have you heard of the Advanced Persistent Threat? Do you have APT?
Are you rolling your eyes yet?
Coined around 2006 by the US Department of Defense, the concept of the Advanced Persistent Threat (APT) categorized the aggressive use of cyber options by nation states. The center of a public report a few years later, it caught national attention. Then it took on a life of its own. As the initial term got co-opted for diverse needs, the mere mention of the concept is cringe inducing for many.
During a recent briefing, the person I was speaking with pointed out the ‘evolution’ of APT in a matter-of-fact sort of way. It was intended as a quick point on the way to the crux of the briefing. Except I interrupted him with a basic question:
Known for asking questions that derail planned briefings, I wasn’t sure where this would take us. His answer surprised me. Over the next 20 minutes, we spoke in detail about the evolution of the advanced persistent threat and why it mattered.
As a result, I’m convinced. The landscape has changed, and with it, the concept of APT needs to change. We need to adjust some of our methods, too.
To go deeper and get a broader perspective, I spoke with Colonel (USA, Ret) Barry Hensley and Aaron Shelmire from Dell SecureWorks. They are part of the team that actively pursues advanced threat actors.
The origin of APT -- and why it creates confusion
Originally the term Advanced Persistent Threat (APT) described the actions of a nation state. The goal was to identify the specific unit, team or (in a perfect world) the individual threat actor involved in the cyber activity. This level of detail enabled counter operations through legal, diplomatic, or even military methods. True attribution of threat actors is complex, difficult, and often produces little return on investment.
Therein lies the limitation of the concept. Most organizations lack the resources and ability (especially the diplomatic and military options) to actually determine attribution associated with a breach. Even if they did, it is nearly impossible to bring justice to those threat actors.
As Colonel Hensley (USA, Ret) explains, “Even if you are not being targeted by a nation state, you should be just as mission ready or battle focused to repel an advanced threat specifically targeting you based on your organization's assets.”
The solution is to embrace and promote the evolution of APT to the threat we actually face today: advanced threat actors working in groups.
The evolution from APT to Threat Groups
Regardless of ability to pinpoint individual threat actors, knowing where to look provides a treasure trove of actionable intelligence. The focus shifts to collecting and grouping the methodologies and approaches into “threat groups.” Then track how the ‘group’ progresses, including specific tools, methods, and even the types of usernames and passwords they check/use/create by default.
This approach works whether the ultimate actor is a person or a group because it allows the correlation of security incidents to a known entity with a definable objective. For most organizations, that is more important than individual attribution.
As Colonel Hensley explains, “We often do not have complete data and visibility into each component of a threat actor, which is why we rely on a combination of attributes to focus on threat groups. We may not know the actual person at the keyboard; however we do know their intent, common infrastructure, tools, common mission, and distinct operating methods.”
Are they still “advanced?”
What makes them advanced is the combination of preparation and methods used -- not the tools and the specific attack. Advanced threat groups specialize in evading controls. In fact, threat groups don’t always bring their “a” game, especially if they don’t have to. Easier targets or methods that allow them to use simple/existing/masked techniques are actually a smart way to get their job done.
Colonel Hensley points out that “Usually targeted threats will not spend more resources than the value of the asset being targeted; however, an Advanced Persistent Threat has been given unlimited resources to accomplish their stated mission objectives.”
Colonel Hensley and Shelmire talked about sorting attacks into three basic buckets, or categories:
- Commodity: largely comprised of automated attacks of opportunity. By exploiting anything and everything found, the access or resources are simply resold for gain for the threat group.
- Broad, targeted: these threat groups tend to possess a broad focus and outcome instead of specific target; for example, retailers and credit card information. They use whatever methods allow them to achieve their goal, often resorting to the least effort required.
- Specific, targeted: these threat groups focus on a specific target, perhaps a specific outcome; they, too, use just the tools and approach necessary for success.
In the case of the targeted attacks, the groups are methodical, patient, and highly resilient. Understanding the differences is valuable for attribution and gaining a window into the mindset of the specific threat group.
APT or Threat Groups, we need to pay attention
Whether you like the terms or not, the threat is real. Shelmire explained they are currently tracking over 100 (and growing) threat groups from over 30 countries. In roughly over 50 engagements last year, the team found:
- Only 1 engagement without any signs of targeted activity at all
- The majority of compromises resulted as a combination of spear-phishing and scan-and-exploit style attacks; the use of insiders to implant backdoors was also discovered in multiple cases
- 2 were victims of “watering hole” attacks, a “strategic web compromise”
- 1 destructive attack resulted in company-wide internal system and network downtime
- 45 attacks were assessed as targeted for their data
Sometimes you don’t know you were the victim of a targeted threat group until after you (or someone else) connect the dots (another good reason to understand how people use your systems).
In fact, some groups are successful without using any “malware” tools at all; relying instead solely on compromised credentials. According to Shelmire, “If you’re not hunting the threat groups, then you are the one being hunted.”
What it means: assume breach -- when, not if
We’re at an inflection point in the approach to information security. Our bias for breach prevention created some blind spots. Now we need to shift to an assumption of breach.
By starting with the base assumption that an attacker, in any of the above categories, will be successful, our actions necessarily change. While we continue to need appropriate prevention, it drives a need for better, rapid detection and appropriate, quick response.
According to Colonel Hensley, the “ultimate goal in understanding today's advanced threats is reducing time to detect while minimizing time to respond in order to minimize impact of a breach. We need to intercept the advanced attacks as far up the kill chain as possible while forcing the adversary back to the drawing board as we also regroup realigning our security controls based on most recent tactics allowing us to fight another day.”
That means a team prepared and able to deal with it. According to Shelmire, “most in-house teams will likely see an attack like this every 1-3 years. Due to our work, we see 2-4 each month.”
The systematic approach to prevention - detection - response requires a different ability to communicate with a specialized skillset to capture and interpret a myriad of data points. For many organizations, that means reconsidering the current approach to threat intelligence and incidence response teams, including partnerships.
Three key takeaways
The evolution of the term APT to Threat Groups boils down to three clear actions:
1. Embrace the concept of APT and the evolution into threat groups
Since the concept of APT as broadly interpreted creates as much confusion as interest, the term can safely be retired (unless you fit the profile). Then embrace the concept of threat groups. Focus attention on the “advanced” methods, tactics, and patience to achieve their ends. Remember to separate the actor (or group) from the exploit.
2. Be prepared to explain it, properly, to others
This is a longer-term effort that takes some work. In the short run, when using the term APT and shifting people to the updated thinking on threat groups, focus on making sure everyone is actually on the same page. Realize that people are likely to be at different points in their journey of understanding and come from different contexts. That means taking extra time to craft and share stories that bring people to mutual understanding.
3. Use the evolution of APT as an inflection point to shift and improve tactics
Adopting the attitude of “assume breach” combined with the ability to separate the actor from the attack yields insights into the motivation of the threat group. When we understand motivation, we can take better actions -- across prevention, detection, and response. This means the ability to increase the friction for attackers in the right way, at the right time, while still easing the pathway for authorized business use.
The change starts with our mindset
It sets the stage for a blend between traditional approaches and new methods of dealing with changing threats. Instead of always winning or losing, consider breaches as tactical engagements. As such, the goal is to learn from each ("win" or "lose") and look for ways to advance the entire organization.
Ultimately, we need to drive to new and better ways to automate, inform, and act. Get started today and together we make a difference.