Thursday, February 4, 2010

Understanding the APT.

When guest lecturing at colleges and giving talks on the topic at conferences, I have for some time been describing much of what goes on on the internet today as an extension, or modernization of the clandestine intelligence gathering efforts which have been taking place since people have acknowledged the value of enemy-centric intelligence. While many may accuse me of trivializing the issue, if you consider the intent of the adversary responsible, that's what it really amounts to. This is not to understate the newness of the electronic ('cyber') attack and surveillance technologies which have emerged in recent years; but to more clearly categorize them as a new, and often more efficient means to a common end.

This brings us on to the somewhat newly defined concept of the 'APT' (Advanced Persistent Threat); a term coined by (as far as I am aware) Mandiant - a DC-based security firm. Firstly, for all its marketingyness and the misconceptions it has led to, I think the idea is great - it has drawn some much needed attention toward the problems which many large government and private organizations are faced with on a daily basis.

Sticking to the theme of what we are trying to describe being a new means to a similar end - it is clear that we are in serious need of new technologies, and new processes, for handling the technological aspects of the modern APT; whether those be for purposes of detection, remediation or attribution. To this end, I think firms like Mandiant and Damballa are doing a stand-up job of addressing emerging needs, and may the best team win.

All of this said, the APT is clearly nothing new, and understanding this requires a little lateral thinking. If we think about the APT in more literal terms, it does not differ from the advanced nature of many other modern intelligence-related methodologies - many of which may be used in a persistent manner. From telephone trap and trace to satellite imaging and the presence of undercover operatives behind enemy lines, the APT is clearly something which has been around for quite some time; even if it has only recently been defined in these terms by the mass media and the information security community.

So what, you might ask. Well, this is an issue of perception: a perception that the APT is something new, and that when we discuss the APT we refer to a specific means to an age-old end. So when we think about the APT in the future, let's do ourselves a favor by not using it synonymously with a specific technology (whether that be a key logger, a new Flash 0day, or a USB fob virus), and instead promote a true understanding of the threat that we are really trying to describe, and of the technologies that we are promoting to counter it.