Don't Say APT

This may be the only time you'll ever see me talking about the term Advanced Persistent Threat (APT). There are times when some words get thrown around in so many ways that Webster would have to list more than a dozen definitions under the term. The etymology of APT is currently in that stage of flux.

Defining Terms

When I'm asked to discuss APT, I'm prompted to ask questions to better understand what the audience thinks APT means. I tend to define the following words to see what they actually want to discuss.

Sophisticated Attackers

Most of the time when someone says APT, they are really describing an attacker with a high skill level in breaching computer and network systems. They are thinking about elite hackers who do things that fly under the radar and don't rely on open source tools like Metasploit or Low Orbit Ion Cannon. These attackers may utilize subtle social engineering and zero-day exploits to break into systems.

Targeted Attacks

Targeted attacks are another classification that falls into "APT" territory. This has less to do with the actor and more to do with the methodology. An attacker who decides to go after a specific organization is harder to detect than an attacker of opportunity who blasts multiple targets with exploit attempts. Often targeted attacks are carried out by sophisticated attackers, and we can accurately describe that collectively as "sophisticated, targeted attack(er)s." It's a much more precise term than APT and, most of the time, a more accurate one.

State Sponsored Attackers

In the earliest use of APT, the focus was on a specific group of "sophisticated, targeted attacks" coming from state sponsored entities, largely in Asia Pacific. In many circles, this is still what APT means. I just call them "state sponsored attackers." In general, these actors will be 1) well funded, 2) sophisticated, 3) targeted and 4) persistent/patient. "State sponsored attackers" speaks to resources and motivations. In the same category (but of lesser threat) would be hacktivists, organized crime and "hacker hobbyists." Another thing to note is that the pioneers of APT investigation considered these specific actors to pose an extreme threat to national security and safety. Classically, the "Threat" of APT meant people dying or governments being overthrown, not loss of enterprise trade secrets or revenue.

Tom Cross of Lancope discusses the debates and history surrounding the term APT in his blog entry from February 2013.

Emerging Threats

This is the biggest stretch of the term, but I've recently seen vendors lumping detection of emerging threats into APT. Security products that monitor behavior across a base of global clients and aggregate it to detect zero-day threats fall into this category. This is normally a stretch of "sophisticated attack" in that zero-day exploits are being used. Zero-day detection is a real problem (see: Day Zero Is How Long??!) but is not in itself an indicator of "APT activity." It could easily be a widely distributed attack by low-skill organized crime operators who happened upon a zero-day exploit.

Wrap Up

The way words are used creates their definitions. It's not the SMEs or visionaries that define terms; it's the mouths that speak them. In recent months, marketing mouths have been using the term APT to sell whatever is in their portfolios and have left the term nebulous at best and a shibboleth at worst. When communicating ideas, defining terms is of paramount importance. APT is a loaded term with different meanings to different audiences, and it's best to avoid using it unless you're certain what the audience believes the term means. Specific terms like "sophisticated, targeted attacks" or "state sponsored attackers" allow for more concise conversations and avoid unnecessary debate and confusion.