Or: why “advanced persistent threat” is the wrong phrase

Google’s revelation that it was hacked by (likely) Chinese actors has helped propel another round of stories, blog posts, and analyses about What It Means. I have participated in some of these discussions, and my colleague Chenxi Wang has written several illuminating posts about the nature of the attacks.

The specific means of compromise, a zero-day Internet Explorer exploit, has raised awareness of a phenomenon referred to as the “Advanced Persistent Threat,” concisely described by Lockheed Martin’s Mike Cloppert as “any sophisticated adversary engaged in information warfare in support of long-term strategic goals.” In his posts, Mike also nearly always uses APT in conjunction with the word “actor” (as in: APT actor) because he means a particular adversary. Mike’s definitions are important because they help clarify what APT is, and what it is not. Expanding on his definition a bit, here is what I believe APT is:

- A sophisticated adversary engaged in electronic espionage to support long-term strategic goals (more or less what Mike said, minus the red-herring word “warfare”)
- A politically correct euphemism for Chinese and other state-sponsored actors who steal company secrets
- A permanent campaign focused on the theft of intellectual property

What it is not:

- A specific attack
- A specific attack method that can be detected by a product
- A type of threat that affects everyone

Mandiant argues that “[APT] isn’t just a government problem; it isn’t just a defense contractor problem; and it isn’t just a military problem. The APT is everyone’s problem.” I think that Mandiant’s post is a little confused and sensationalistic, which is surprising because they are some of the smartest, sharpest people I know. Saying “it can happen to anyone” is sort of like saying that anyone can be mugged. That is true, but you are more likely to be mugged if you live in a crime-ridden area, and have a habit of walking around alone at night while drunk and waving around a lot of money. That does not mean that everyone needs to buy flak jackets, hire bodyguards, and contract Kroll (or Mandiant, in this case) to assess their security programs. But it does mean those that face more risk because of their available assets and competitive environment need to be aware that there is at least one big adversary who might fleece them blind if they decide to. In those cases, you do need advice, and a strategy.

The “APT” is about theft. It is not about “warfare,” not about “malware” (advanced or not), and certainly not about run-of-the-mill “threats” that your favorite anti-malware company can help you with. It is about specific threats from your determined adversaries, who use methods appropriate to their objectives — of which malware is one. The P (“persistent”) is the only part of the “APT” acronym that I agree with.

If you fall into the category of companies that might be targeted by a determined adversary, you probably need a counter-espionage strategy — assuming you didn’t have one already. By contrast, thinking just about “APT” in the abstract medicalizes the condition and makes it treatable by charlatans hawking miracle tonics. Customers don’t need that, because it cheapens the threat.

What does this mean for security vendors? Security vendors who are smart will not think about “APT” as a product feature. It is an adversary — a “who,” not a “what.” For this reason, the smart vendors — like Mandiant — will use the prospect of industrial espionage as an entrée for consulting services. Consulting does not scale the way products do, and in this case, that is exactly the point. Business-specific defenses against industrial adversaries should be customized. These aren’t products.

Bottom line: Enterprise CISOs worried about “APT” should use the Google incident as justification for examining their counter-espionage strategies. Do not waste time wondering “do my endpoint security products have anti-APT features?” Ignore the term “APT.” It is better to be precise: think instead about industrial spies, saboteurs, thieves, unscrupulous competitors and nation-states — what they want, and about whether these actors will seek to achieve their goals by targeting your intellectual property.

I thank Richard Bejtlich for setting me straight on this discussion. My security metrics colleague and sometime competitor Rich Mogull also has great perspective on this issue.