Or: why “advanced persistent threat” is the wrong phrase

Google’s revelation that it was hacked by (likely) Chinese actors has helped propel another round of stories, blog posts, and analyses about What It Means. I have participated in some of these discussions, and my colleague Chenxi Wang has written several illuminating posts about the nature of the attacks.

The specific means of compromise, a zero-day Internet Explorer exploit, has raised awareness of a phenomenon referred to as the “Advanced Persistent Threat,” concisely described by Lockheed Martin’s Mike Cloppert as “any sophisticated adversary engaged in information warfare in support of long-term strategic goals.” In his posts, Mike also nearly always uses APT in conjunction with the word “actor” (as in: APT actor) because he means a particular adversary. Mike’s definitions are important because they help clarify what APT is, and what it is not. Expanding on his definition a bit, here is what I believe APT is:

  • A sophisticated adversary engaged in electronic espionage to support long-term strategic goals (more or less what Mike said, minus the red-herring word “warfare”)
  • A politically correct euphemism for Chinese and other state-sponsored actors who steal company secrets
  • A permanent campaign focused on the theft of intellectual property

What it is not:

  • A specific attack
  • A specific attack method that can be detected by a product
  • A type of threat that affects everyone. Mandiant argues that “[APT] isn’t just a government problem; it isn’t just a defense contractor problem; and it isn’t just a military problem. The APT is everyone’s problem”

I think that Mandiant’s post is a little confused and sensationalistic, which is surprising because they are some of the smartest, sharpest people I know. Saying “it can happen to anyone” is sort of like saying that anyone can be mugged. That is true, but you are more likely to be mugged if you live in a crime-ridden area and have a habit of walking around alone at night while drunk and waving around a lot of money. That does not mean that everyone needs to buy flak jackets, hire bodyguards, and contract Kroll (or Mandiant, in this case) to assess their security programs. But it does mean that those who face more risk because of their available assets and competitive environment need to be aware that there is at least one big adversary who might fleece them blind if it decides to. In those cases, you do need advice, and a strategy.

The “APT” is about theft. It is not about “warfare,” not about “malware” (advanced or not), and certainly not about run-of-the-mill “threats” that your favorite anti-malware company can help you with. It is about specific threats from your determined adversaries, who use methods appropriate to their objectives — of which malware is one. The P (“persistent”) is the only part of the “APT” acronym that I agree with.

If you fall into the category of companies that might be targeted by a determined adversary, you probably need a counter-espionage strategy — assuming you didn’t have one already. By contrast, thinking just about “APT” in the abstract medicalizes the condition and makes it treatable by charlatans hawking miracle tonics. Customers don’t need that, because it cheapens the threat.

What does this mean for security vendors? Security vendors who are smart will not think about “APT” as a product feature. It is an adversary — a “who,” not a “what.” For this reason, the smart vendors — like Mandiant — will use the prospect of industrial espionage as an entrée for consulting services. Consulting does not scale the way products do, and in this case, that is exactly the point. Business-specific defenses against industrial adversaries should be customized. These aren’t products.

Bottom line: Enterprise CISOs worried about “APT” should use the Google incident as justification for examining their counter-espionage strategies. Do not waste time wondering “do my endpoint security products have anti-APT features?” Ignore the term “APT.” It is better to be precise: think instead about industrial spies, saboteurs, thieves, unscrupulous competitors and nation-states — what they want, and whether these actors will seek to achieve their goals by targeting your intellectual property.

I thank Richard Bejtlich for setting me straight on this discussion. My security metrics colleague and sometime competitor Rich Mogull also has great perspective on this issue.