What Is APT and What Does It Want?
This has been the week to discuss the advanced persistent threat, although some people are already telling me Google v China with respect to APT is "silly," or that the attack vectors were what everyone has been talking about for years, and were somewhat sloppily orchestrated at that.
I think many of these critics are missing the point. As is often the case with sensitive issues, 1) those who know often can't say and 2) those who say often don't know. There are some exceptions worth noting!
One company that occupies a unique position with respect to this problem is Mandiant. Keep an eye on the APT tag of their M-unition blog. Mandiant's role as a consulting firm to many APT victims helps them talk about what they see without naming any particular victim.
I also recommend following Mike Cloppert's posts. He is a deep thinker with respect to counter-APT operations. Incidentally I agree with Mike that the US Air Force invented the term "advanced persistent threat" around 2006, not Mandiant.
Reviewing my previous blogging, a few old posts stand out. 4 1/2 years ago I wrote Real Threat Reporting, describing the story of Shawn Carpenter as reported by Time magazine. Back then the threat was called "Titan Rain" by Time. (This reflects the use of a so-called "intrusion set" to describe an incident.) Almost a year later Air Force Maj Gen Lord noted "China has downloaded 10 to 20 terabytes of data from the NIPRNet. They're looking for your identity, so they can get into the network as you."
Now we hear of other companies beyond Google involved in this latest incident, including Yahoo, Symantec, Adobe, Northrop Grumman, Dow Chemical, Juniper Networks, and "human rights groups as well as Washington-based think tanks." (Sources 1 and 2.)
Let me put on the flight cap of a formally trained Air Force intelligence officer and try to briefly explain my understanding of APT in a few bullets.
- Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.
- Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
- Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.
Looking at the target list, we can perceive several potential objectives. Most likely, the APT supports:
- Political objectives that include continuing to suppress its own population in the name of "stability."
- Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.
- Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worrying is the thought that intruders could make changes to improve their position and weaken the victim.
- Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces. The Report on Chinese Government Sponsored Cyber Activities addresses issues like these.
Notice "stealing money" is not listed here. Although threats exist that target cash, those groups are not considered "APT".
Footnote: my Google query for advanced persistent threat that omits a few organization names (including this blog) now yields 169 non-duplicative hits as of this writing, up from 34 in July 2009.
Comments
Why not? The groups looking to steal money fit all the other criteria, why does their financial goal make them an exception?
We'll be releasing our first report on the APT on January 27. It has an executive overview as well as several in-depth case studies of real APT intrusions. If you or others will be at DoD CyberCrime in St. Louis on the 27th, come by the release party. Or send mail to info@mandiant.com to request a copy.
We're featuring a few excerpts from the report on the M-unition blog over the next week or so. mjg-bob says check 'em out.
To the anonymous commenter's question, why aren't the money-stealing gangs considered APT? In our experience, once their theft is executed, they don't establish an occupying force of compromised machines to be used later. Once they steal the money, they tend to take off.
I'm looking forward to that report. I won't be at CyberCrime this year due to work.
Anonymous, Mike is right. Also, APT is a "proper noun," meaning it refers to actual threats (people). They are different from those that steal money.
Really APT is a made up term (like every other term, has to start somewhere) in the information security space, which by itself is fine if there is no existing term and definition which accurately convey what we're dealing with.
But the definition runs into problems, right off the bat: they don't know if this was an "advanced persistent threat". It was an unknown IE vulnerability, identifiable through browser fuzzing, but we can call that advanced. The rest of the attack appears to use known malware variants. They are assuming the attacks are somehow related to the government of China, but don't really know because they're basing that on what was taken/viewed and IP address, and thus the Persistent part is indeterminate.
So attribution to APT is a problem. From there defining attack characteristics to what could or could not be APT is building a study on a shaky foundation. Besides, the tactics of "the APT" are going to be the tactics of any cracker (albeit the more 'Advanced' attacks by definition).
I really don't get the whole APT discussion, unless it's just that we either need something new to talk about or we don't have a good word for targeted advanced attacks.
It's all just malware. The intents and goals matter more than the label. At Forrester, the only coverage we will be providing of "APT" is to advise customers to ignore the term.
Remember your IO planners course? Theft isn't one of the pillars as I recall. Think deny, deceive, degrade, destroy, influence, etc.. how many of those fall into the definition of APT?
My concern about pushing the "APT" noun is that it easily becomes "checkboxed" ("do you have anti-APT features in your AV?") and as such distracts customers from the specific threats that may exist to their businesses.
We should be applying better, more precise terms to the actors and their motives, not their tools unless it describes some property of the tool itself. In that respect, "rootkit" is a useful malware sub-category.
So, our advice will be to think not about "APT" but about industrial spies, saboteurs, thieves, unscrupulous competitors and nation-states -- how these actors seek to achieve their goals. This perspective strengthens the case for NSM. By contrast, calling yet another subtype of malware "APT" medicalizes the condition and makes it treatable by charlatans hawking miracle tonics.
That is what I meant by my previous comment, in case it wasn't clear. The term APT is irrelevant. The risks are real.
I don't think I was completely clear in what I was questioning based on your answer about malware and APT being a proper noun. If you look at Mandiant's most recent blog post, they give what are essentially malware characteristics of "APT" attacks. But these seem to be characteristics common in any cyberattack.
So I guess I find myself agreeing with the assertion that there is nothing in the malware itself that requires a new 'APT' definition.
Your point seems to be that APT is all about the adversary and what they're after, characteristics inherent in these two things make something APT.
I guess I'm waiting for someone to compellingly make the case that we need a new word, and that this isn't just a new marketing term. I thought that originally, however reading your coverage I am reconsidering that initial impression. And are we backing into this, someone came up with the term 'APT' and now we're attaching some intelligent meaning to it.
We also agree that what matters in this discussion is actors, intents and goals. However I still think APT is a poor label, for two reasons:
* Featuritis. Well-meaning but thick-skulled people like me are going to conflate the threat with the malware (as I just did), and this will lead to vendor silliness as discussed.
* Lack of precision. The term APT denotes a lot of different actors and intents, and the only common thread is that the actors aren't opportunists.
If I understand what you mean correctly, then, APT is a threat aimed at "targets of choice" versus the "targets of chance" that a garden-variety malware author might create a dragnet to go after. But I'd rather see more precise terms like "industrial theft," "sabotage" etc rather than the general-purpose acronym APT. Even something like "adversarial threat" (which denotes a bona fide enemy) would be an improvement.
Yes, I am probably splitting hairs at this point.
I first heard APT around three years ago, but since it's getting attention now, it's worth talking about now. (Also why I assume you're blogging about it.)
Regarding people who use the term APT, the place it's being used most recently is marketing materials, and the company you cited earlier most definitely cares what security executives (some of whom have never heard the term before) think. Plus if I understand your points in this and the more recent post, most senior security executives are up against what are being termed Advanced Persistent Threats.
The fight club defense (you wouldn't question APT if you knew about APT) is rarely a valid logical defense for anything.
Advanced:
- APT = criminal. Nothing distinct in this definition that differentiates the two.
Persistent:
- Formally tasked? Prove it. Criminals are often formally tasked too.
- Not opportunistic? Why? Why rule out a potentially effective way of coming up with new intel or desired targets? Does a phisher who presents only a single bank’s login page qualify as being “not opportunistic”? What if he targets a list of known customers of that bank?
- APT = criminal. Nothing distinct in this definition that differentiates the two.
Threat:
- It’s been a long time since we’ve had a piece of mindless code roaming around, so I don’t see how this point can be crucial. A botherder who instructs his minions what spam to send and when based on his customers isn’t using a piece of mindless code.
- “…organized and funded and motivated” seems to be the “crucial” part. Again, APT = criminal, there is nothing in those terms that distinguish the APT from criminal (unless you want to quantify “funded”).
Why aren’t we simply stating: “APT is attacks done by governments. They are difficult to detect, prevent, or prove.” Why all this other junk?
With respect to "those who talk, don't know. those who know, don't talk" where do you fall? Since you're talking about it, should we assume you don't know what you're talking about?
Seriously, though, saying you're a US Air Force trained security analyst is like saying you have a PhD from a degree mill. You're a smart guy and you're good with tools - let your laurels rest on your accomplishments; ultimately that's all that matters.
At Tenable we're going to be doing some talking about "APT" because everyone else is. But it's just marketing bullshizzle because, apparently, "espionage" isn't sexy enough. You know "espionage" right? That's the problem that all our government agencies have been cheerfully ignoring while rushing to connect everything that holds data to internet-connected networks? It's really pathetic that we need a new term for a problem, in order to market it, and get some attention.
But don't fall for the "maybe if we hype it they'll finally pay attention" trope. It's been tried over and over again - all that happens is that money is spent (misspent, really). This whole "China cyberwar" "APT" kerfuffle has all the hallmarks of a budget-inflation maneuver or a power-grab in which FBI is trying to expand its charter vis a vis DHS. There is nothing new here; do you really think the Chinese have only just started spying on us? They're not as stupid as all the internet security practitioners who are hopping up and down about it.