RSA breach puts APT back in the spotlight

The challenge is that many organizations aren't sure of what an Advanced Persistent Threat is.

Ever since Google announced it had been the victim of a sophisticated attack, and the subsequent breaches of many others -- including Adobe Systems, Juniper Networks, and Rackspace -- the term APT, or advanced persistent threat, has leaped from the lexicon of a few cyber-defenders in the military straight into the mainstream IT lexicon. So it has been with the public announcement from the EMC RSA Security division that it'd been the victim of an APT attack that may have resulted in some information about its SecurID tokens being compromised.

While the message of these attacks is clear -- that even the most sophisticated companies can be successfully breached -- what security managers are supposed to do with the information that APTs exist and are targeting some of them isn't so transparent.

"There's been a lot of hype from the security vendors about the APT," says a security analyst at a Midwestern health care provider who asked not to be named. "It's definitely causing more business managers to ask about the threat."


But confusion about what exactly an APT is remains. "Everyone puts their own spin on the APT depending on whatever they're selling. If the vendor is in the social networking security space, they detail the APT as a social networking threat. If they're in anti-virus, they play up the malware aspect of APT," he says. "In that sense, the security vendors are making the term meaningless."

The threat is real, however. "It may be more extensive than people realize, but it's not new," says Joe Stewart, director of malware research for Dell SecureWorks' Counter Threat Unit. "It's been going on for so long now, if there was information these groups were after they probably got it a long time ago," he says. Stewart and most experts defined the APT, when asked, as a highly skilled, motivated and financially backed attacker who is targeting a specific organization.

Some see APT as little more than marketing. "APT is part marketing FUD [the creation of Fear, Uncertainty and Doubt], and partly an attempt to categorize the increasing abilities of the attacker," says Pete Lindstrom, research director at research firm Spire Security. "In fact, it's looking like a brand-new excuse. It's just not as embarrassing to be breached by an APT as it is some script kiddie."

"Interestingly, all of the noise around the APT has heightened security awareness in our organization, but that hasn't translated into increased budget," says the security analyst. "And we haven't changed what we do to protect our systems, or bought any new equipment or security applications."


"That's the dirty little secret of the APT," says Lindstrom. "On the defender side of the equation, you don't do anything different than try to be better at what you should be doing to begin with."

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.

Copyright © 2011 IDG Communications, Inc.
