In depth: What does APT really mean?

And what should companies do about truly persistent threats?

Every couple of years the security world faces its version of Jason or Freddy or Ghostface, some malevolent force that aims to end life as we know it. From the worm to the virus to the Trojan horse to phishing to SQL injection to the zero-day exploit, these serial killers build on one another and torture the dreams of CSOs.

Now, we face a malicious threat made worse by its malignant name: the Advanced Persistent Threat.

Clearly, the names of these security threats have gotten less interesting with time. But every CSO can spell APT. So can every security marketer, and they tend to stamp the label on everything in sight.

Partly that's because a string of high profile companies have suffered losses from APTs. Google, among the most vaunted names in technology, suffered an APT. RSA—a fabled name in security itself—confessed that some advanced and very persistent hackers not only threatened it but also made off with information related to its SecurID line of products. The Internet Security Alliance told companies in the defense industry that APTs were "a near-existential threat," back in 2009.

Despite such dire words, the defense industry persists, thrives even. And at least one CSO dismisses the term "APT" as a lot of marketing hype.

"The phrases that security vendors want to scare you to death with are kind of new, but this is stuff you should've been worried about as a CSO eons ago," says Ken Pfeil, CSO at Pioneer Investments, an investment management firm in Boston.


Notice that Pfeil does not say advanced persistent threats don't exist. They do, and he thinks CSOs should be worried about them. What gets him going is the idea that there's a simple product one can buy to keep a company safe. When he talks with CSOs, he says, "a lot of them are not very technical, and they buy into vendor speak: 'If you buy this product it's going to protect you from APTs.'"

It's a natural human reaction to think that when a problem arises, a clever technologist will come up with a product to counteract it. Unfortunately, no single product can stop an advanced persistent threat. "What it means, in layman's terms, is, 'we got hacked,'" Pfeil says.

He says advanced persistent threat gives CSOs public relations cover; something like, "They used an advanced persistent threat to compromise some insecure channels to gain access to blah blah blah" sounds more forgivable than "we got hacked, and they got all our data."

What is an APT?

The National Institute of Standards and Technology provides a detailed definition:

"An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating (i.e., transporting it from internal networks to external servers) information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives."

All that boils down to one simple phrase: APTs are about stealing data over time. Hackers capable of carrying off advanced persistent threats seem to share a few characteristics:

They are bright. They are talented enough to write sophisticated viruses, worms and other malware programs, and to disguise them so that the myriad firewalls and AV and IDS and other tools do not find them, even when they are siphoning information back out of the network. In some cases, particularly those involving banks, the hackers have to organize groups of people to do things like withdraw money from ATMs and deposit it into other bank accounts.

And, like good CSOs, these hackers have to understand the whole IT environment, not just the network.

They are methodical. They buy and run all the significant antivirus tools, using them to test their code before they let it out in the wild, to make sure it won't get caught quickly or be noticed by future updates.

They are patient. Unlike on the SyFy channel or in the movies, hackers don't typically break into corporate networks with a few keystrokes, although some automated attacks might make it seem that way. Hackers may also slip in via social engineering. Skill with people is an underrated aspect of hacking. Breaking into a network through a human link can be easier than figuring out a way past technology, particularly if a company has done a good job blocking its network's doors and windows.

Such attacks have always been part of the computing world, says Greg Shipley, until recently CTO of Neohapsis, a security consultancy in Chicago. Shipley says Neohapsis saw "multiple breaches" in the late 1990s and early 2000s that would have fit the current definition of an advanced persistent threat: previously unknown toolkits used in a sophisticated way to penetrate an organization's network undetected, and to stay that way despite the hacker coming back again and again.

What has changed about such attacks, he says, is volume. "There's definitely more of this going on. There are more people at it," Shipley says. Some of that increased action comes from governments ramping up cyber espionage.

But, "cut out the nation-state thing for a minute and look at just straight-up criminals. I don't think anybody would argue that there aren't more criminals involved in computer-based attacks today than there were just 10 years ago."

Shipley says an increase in the number of attacks makes sense, given that Western society is far more technologically oriented—and dependent—than it was a decade ago. Mobile devices such as cell phones are now widespread, and consumers are broad adopters of digital technologies, many of which were not available in the past.

Pfeil says another difference is that business-side executives will sidle up and ask him what to do about buzzword security problems. They don't necessarily come offering money. He says the hard truth for CSOs when it comes to advanced persistent threats is that "from [the business] perspective, this is not really a new type of attack. It's stuff that they can say 'I funded you eight years ago against these types of things, and now you're telling me you did not provide adequate resources against them?'"

Plenty of CSOs, though, are finding business execs are willing to add some money for protection against sophisticated hacks. An August 2011 Enterprise Strategy Group survey of 244 security professionals who work at large enterprises (companies with at least 1,000 employees) found that 77 percent of large companies would increase security spending, including spending on training, because of the APT phenomenon. Half of those surveyed called APTs a new kind of threat, unique to the security industry.

"I was surprised that more people weren't dismissive about them," says Jon Oltsik, an analyst who led the survey for Enterprise Strategy Group.

Persistent little buggers

These three different kinds of attacks are usually lumped into the category of advanced persistent threat:

Hacktivism attacks, such as the releases of confidential information by WikiLeaks, or highly targeted attacks by groups like Anonymous and LulzSec.

Attacks by nation states. Espionage is as old as politics. Governments are widely thought to organize long-term, patient attacks on rivals. Such attacks have traditionally been on other nations' agencies, a kind of cyber James Bond action. Consider the Stuxnet attack that damaged Iran's power grid, notably two of its nuclear reactors. The United States, possibly working with Israel, is thought by many to have been behind the Stuxnet attack; the United States claims Russia did it.

For CSOs, the danger of nation-state attacks lies in their being highly targeted and backed by the most patient kind of money. It's fun to sneer at the competence of governments, but look at the alleged exploits of the Chinese. China was accused of compromising Google, was fingered indirectly in the RSA attack, and recently was alleged to have infiltrated more than 760 companies worldwide, including one that provides Internet access to hotels, giving its hackers access to guests' e-mail threads.

China denies any such behavior. But one report put China's APT success in 2010 at $500 billion worth of information stolen in the United States alone. Not all CSOs work at companies that make good targets for cyber espionage, of course, but any CSOs at companies engaged in cutting-edge research or in businesses that matter to a nation's well-being should consider themselves targets.

Attacks by organized crime networks. Organized crime leaders see the money out there in cyberspace. They have the resources to employ top-notch people and give them the time they need to work a good hack.

Of these three, hacktivists seem to be the least likely perpetrators of APTs. "They're advanced and a threat," says Marc Maiffret, CTO at eEye Digital Security in Irvine, Calif. But they aren't trying to hide their actions, which means their attacks aren't persistent.

Some businesses are more likely targets for attacks than others. As noted, firms with defense contracts, financial services firms and companies with important intellectual property, including not-so-visible assets like groundbreaking manufacturing processes, make more lucrative targets than those that don't.

Whoever they are, and whatever their motives, hackers capable of pulling off a successful attack like the ones on Google, RSA Security and Heartland are clearly out there. CSOs need more than just a buzzword to beat them back.

Fight or flight?

Advanced persistent threats are the sort of thing Sun Tzu would have loved: an attack that happens without its victim knowing. How does a company defend itself against the invisible? "That's the gazillion-dollar question," says Shipley.

The only easy answer: go offline.

Shipley says almost all the simple ways to track network intrusions and anomalies are already pretty well known and available. "We've solved most of the easy stuff," he says. What's left? Strategies like these:

  • Do a better job of assessing technology before adopting it.
  • Hold technology vendors accountable for introducing vulnerabilities into systems, or introducing products that come with vulnerabilities.
  • Make risks clearer to non-technology executives.

Maiffret says that while advanced persistent threats are difficult to stop, some simple precautions can help. He notes that if companies had followed Microsoft's best practices for dealing with file permissions, they wouldn't have needed to worry about Stuxnet.

"Just by having good file permissions, you would have mitigated that vulnerability, and Stuxnet would've failed to exploit that [vulnerability]," Maiffret says.

In the wake of Stuxnet, he says, a large bank asked eEye to do a risk assessment to see if it would have to patch a few hundred thousand Windows computers, which would have been very costly. Maiffret says the bank had in fact implemented those permissions properly by following Microsoft's best practice guide.
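The kind of file-permission hygiene Maiffret describes is something a CSO can verify rather than assume. The script below is an added example, not code from the article, from eEye or from Microsoft's guide: it walks a directory tree and reports folders where broad, low-privilege groups (Everyone, Users, Authenticated Users, INTERACTIVE) hold rights that allow creating or changing files. The starting path and the list of principals are assumptions for illustration; a deployment would point it at the program and system directories it actually cares about and compare the output against its baseline.

```powershell
# Added example (not the article's or any vendor's code): find folders under $Root
# where broad principals can write. $Root and $BroadPrincipals are assumed values.
param(
    [string]$Root = 'C:\Program Files',
    [string[]]$BroadPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )
)

# Rights that let a principal create or modify content inside a folder
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Test-BroadWriteAccess {
    # Emits one record per Allow ACE that grants a broad principal write-type rights
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs point at a parent to fix
            }
        }
    }
}

# Check the root itself, then every subfolder; folders we cannot read are skipped
$findings = @(Test-BroadWriteAccess -Path $Root) +
    (Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-BroadWriteAccess -Path $_.FullName })

if ($findings.Count -eq 0) {
    "No broad write access found under $Root"
} else {
    $findings | Sort-Object Path | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so every folder can be read. An empty result is the state Maiffret describes the bank being in; a non-empty one is a list of places where a piece of malware running as an ordinary user could drop or replace files, which is the condition tightened permissions remove. The `Inherited` column matters for remediation: an inherited ACE has to be fixed at the parent folder, or it will reappear.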

Oltsik says CSOs need to look at every layer of security infrastructure as well as examine their security policies and employee training practices. "The people who are most prepared are consistent in so many areas," he says.

Whether you think all the talk about APTs is mere noise or a megaphone call, the business side has heard it. Oltsik says that this gives CSOs an opportunity. They can no longer complain that executives don't understand security.

"Execs are coming back and saying, 'you need to tell me where we are,'" he says. He advises CSOs to respond with metrics and third-party assessments of their network configurations.

APT might be just a new acronym for a threat that's persisted since before CSO was a title. But in technology, a slight twist to an old idea can be enough to reshape a landscape. It's happened in personal computers, in social networks, in speech recognition, to name just a few. Oltsik says the rise of APT as a buzzword might mean the same shift for CSOs.

"We are on the cusp of major changes," he says. "Security will become more integrated into business processes. CSOs will need to work more closely with CIOs so there is oversight when a company is bringing in mobile applications or new devices. And there's going to be real pressure on security vendors to come up with integrated enterprise end-to-end kind of tools."

Copyright © 2012 IDG Communications, Inc.
