Friday, May 14, 2010

A dose of clarity for the "APT"

Finally, a dose of clarity for the "APT". It is an overused term, one used to sell security products, even when those are the same security products you have been using for the past ten years. In his recent Spotlight report, Josh Corman of The 451 Group really laid out the term: where it came from, what it means, and, more importantly, WHAT IT DOES NOT mean. I posted a similar blog on the topic a while ago and got comments like "it's the person, not the malware". I know that. I've been saying that for years, but the way most people use the term APT today makes it sound like it's ONLY malware. In fact, it's not only malware; it's the actors and their intent. Josh gets this, and more importantly he felt the need to speak up about it. I agree: it's about the ADVERSARY. Malware is just a tool, one of MANY that these adversaries use. Focusing on one aspect of security is not going to make you secure; understanding what they are trying to get is. I would offer a slightly different take in that I don't necessarily believe it's only scarce resources these adversaries are after. They want anything that gets them closer to the information they are seeking. This could be money, IP, marketing plans, hiring plans, IT resources, or personally identifiable information. While APT were at one time focused ONLY on military targets, they have since expanded.

I also applaud Josh's note that APT uses existing tools. Other experts seem to think this is not the case, or that APT don't use packed malware, or that they don't use botnets. Why wouldn't they? The more someone tells me what APT isn't, the clearer it becomes that they have no idea what APT really is. If APT use existing malware, which I've always maintained, then packing is par for the course, because it's a cheap way to defeat signature-based detection at the gateway and the host alike: the packed file no longer contains the bytes the signature was written against, and re-packing with a different key or packer produces a fresh file for every build. Perhaps the APT did some recon into the network and learned that using XYZ packer would defeat the AV solution at the desktop. The US government created the term APT to characterize a class of threats originating from Chinese and Russian state-sponsored and criminal elements, not to classify a type of malware.
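To make the packing point concrete, here is a small added example (not code from the original post, and not HBGary's or any vendor's code): a toy XOR packer behind a stub marker, a byte-signature scanner, and the same payload scanned on disk versus after the stub has restored it in memory. The payload, the signatures, and the packer are all constructed for illustration and are assumptions, not real samples or a real AV engine.

```python
"""Added example: why a byte-signature scanner misses a packed copy of the
same payload, and why re-packing is cheap for the attacker.

Everything here is constructed for illustration (an assumption, not real
data): PAYLOAD is a harmless stand-in for a malicious binary, SIGNATURES
are made-up AV-style byte patterns, and the packer is a toy single-byte
XOR behind a stub marker.
"""

STUB = b"PACK1"  # assumed marker a toy unpacking stub would carry

# Constructed stand-in for a malicious PE: header-ish bytes plus strings an
# AV signature might key on.
PAYLOAD = (b"MZ\x90\x00" + b"\x00" * 12
           + b"CreateRemoteThread\x00WriteProcessMemory\x00"
           + b"c2.example.invalid\x00")

# Constructed signatures: one for the malware body, one for the packer stub.
SIGNATURES = {
    "Backdoor.Sample.A": b"CreateRemoteThread\x00WriteProcessMemory",
    "Packer.ToyXOR": STUB,
}


def pack(data: bytes, key: int) -> bytes:
    """Toy packer: stub marker, one key byte, then the body XORed with the key."""
    if not 1 <= key <= 0xFF:
        raise ValueError("key must be a non-zero byte")
    return STUB + bytes([key]) + bytes(b ^ key for b in data)


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time: restore the original bytes in memory."""
    if not blob.startswith(STUB) or len(blob) < len(STUB) + 1:
        return blob
    key = blob[len(STUB)]
    return bytes(b ^ key for b in blob[len(STUB) + 1:])


def scan(blob: bytes) -> list[str]:
    """Signature-only scanner: matches byte patterns exactly as they sit in blob."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in blob)


def scan_on_disk(blob: bytes) -> list[str]:
    """Gateway or file-system scan: sees only the bytes as written to disk."""
    return scan(blob)


def scan_after_unpack(blob: bytes) -> list[str]:
    """Host-side scan of the image after the stub has run (memory scan)."""
    return scan(unpack(blob))


def repacked_variants_differ(data: bytes) -> bool:
    """Changing one key byte yields a different file, so a signature written
    against one packed sample will not match the next build."""
    variants = {pack(data, k) for k in (0x5A, 0xA7, 0x3C)}
    return len(variants) == 3


if __name__ == "__main__":
    packed = pack(PAYLOAD, 0x5A)
    print("unpacked, on disk:", scan_on_disk(PAYLOAD))      # body signature hits
    print("packed, on disk:  ", scan_on_disk(packed))       # only the packer stub hits
    print("packed, in memory:", scan_after_unpack(packed))  # body signature hits again
```

Two things fall out of this. First, the body signature is useless against the packed file; the best a gateway scanner can do is flag the known stub, which says "packed" and nothing about which family it is, and a custom or modified stub removes even that. Second, the same signature matches again once the image has been unpacked in memory, which is why detection that looks at the running process rather than the file on disk is not defeated by a change of packer.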

Since the government coined the term "APT" it has always been about Russian and Chinese attackers, BOTH criminal and state-sponsored. For the government, it is very difficult to draw a line between the two. If you understand information operations, then you know that APT will use any and all means at their disposal to achieve the mission objective. If this means use of packers, so be it. The same applies to _any_ rule or definition someone puts in my face telling me what APT is and is not. An IO campaign includes a full spectrum of capabilities. In the cyber context, each attack on a government facility, contractor, or commercial entity could be a single operation that is part of a larger campaign. Operations could be designed to assume false personas, such as impersonating college students in a dorm room, or even a false flag, impersonating the intelligence service of another foreign country. If you truly know what APT is about, you know that you can't start boxing it up and packaging it.

As Josh pointed out, the adversaries are constantly evolving and adapting. The old models are being defeated. The government has known about APT for a while, and has known that new approaches to enterprise security had to emerge. This is one of the reasons that both the USAF and DHS funded HBGary to address this evolving threat. Our company and our technology are pushing the envelope forward.