Gartner Blog Network


Defining the “Advanced Persistent Threat”

by John Pescatore  |  November 11, 2010  |  16 Comments

Advanced threat – any attack that gets past your existing defenses.

Persistent threat – any successful attack that goes undetected and continues to cause damage.

Advanced persistent threat – any attack that gets past your existing defenses, goes undetected and continues to cause damage.

The Morris worm in 1989 was an advanced threat, but then firewalls were put in place to stop that kind of thing. Code Red and Nimda were advanced threats in 2001 but then Intrusion Prevention Systems were put in place to deal with that.

Since those threats were mostly denial of service attacks, they weren’t persistent – they were noisy and noticed quickly.

Spyware of the early to mid 2000’s was advanced (it got through) and persistent (it wasn’t detected and continued to operate) until anti-spyware defenses came about.

So, advanced persistent threats really aren’t anything new; only the term is new, and it has caused hype. What really changed is that financially motivated attackers started launching targeted attacks that evaded existing security controls, both in detection/prevention and in removal. So now new techniques are being developed on the security side to detect and prevent these attacks.

To use an old security analogy, it is just like chess. The white pieces always get to launch an “advanced” attack, since they go first. That advanced attack persists until the black pieces get to move. The white pieces don’t always win in chess.


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…


Thoughts on Defining the “Advanced Persistent Threat”


  1. Representative of Earth says:

    My four-year old just gave a better description of APT for her pre-K class. This “article” is why I filter her Internet access.


  2. GolfClapper says:

    Typical industry rag… what is this, January 2010?
    Second, you have demonstrated nothing more than the ability to redefine something and then post a blog entry. Well played, sir.

  3. I see there are fans of more expensive definitions of advanced, persistent threats out there.

  4. stiennon says:

    One difference in the latest threats is their level of targeting. If an assailant has determined they want *your* information they will stop at nothing to get it. They could devise a brand spanking new zero-day and a root kit never used before. They could use any sort of “social engineering” including attacking your friends on FaceBook or taking embarrassing pictures of your CEO at a strip club.

    Spyware was new once, worms were new once. It is recognizing the new threats and deploying technology to counter them *before* your organization ends up as front page news that is important.

  5. Your cheapened definition of APT was created because security snake oil salesmen and marketing shills devalued the true meaning in an effort to scare the unwashed masses into buying more widgets.

    You know, the same people who sounded the death knell for IDS in order to sell more IPS.

    To paraphrase Mr. Bejtlich, APT is a who. Not a what, where, when, or how.

  6. Ah, APT is a “who” and therefore the solution to stopping advanced, persistent threats will be a “who” solution – ie, focus on who launched the threat, vs. eliminating the vulnerabilities that enabled the threat to succeed.

    Big mistake to take that approach if the goal is to keep the mission running, since who launched the threat in the cyber world is much, much less important than eliminating how the threat could succeed. If the goal is to sell time and materials contracts to study the problem, a great approach.

  7. A Concerned Citizen says:

    There are a number of things wrong with this post, but I’ll begin with the most obvious. You define Advanced as getting past your defenses, then you define persistent by first stating that it must be a successful attack. Wouldn’t a successful attack, by definition, have gotten past your defenses and thus be also advanced?

    Logic errors aside, the article is flawed because in your attempt to define APT you have established yourself clearly as a person who does not know what it actually means. This would have been forgivable a year or so ago, but now even modest googling should reveal the true nature of the term (hint hint, it’s an unclassified and politically gentle way to describe a specific group of people and is not a generic definition or classification for arbitrary attackers).

    I should thank you for the good laugh you have given my friends and me after reading this, cheers!

  8. There are many persistent threats that are not advanced attacks – many that have hit military systems and gone undetected for quite some time were very simple attacks that happened to succeed because of operational shortcomings or dependence on policy vs. actual security controls.

    I believe your hint, hinting is pointing back to “who” launched the attacks, with a belief that a certain set of state sponsored attackers has created an entirely new set of threats that Rand corporation a while back labeled “advanced persistent threats.”

    As I said above, this belief is great for selling long term contracts to study the source of threats and gather intelligence and situational awareness at rates that include overhead to feed internal research and development efforts. But the real key to increasing security is eliminating the very, very common vulnerabilities that the Stuxnets and Auroras and other sophisticated attacks exploit, vs. focusing on who launched them.

  9. stiennon says:

    I don’t support the “who” argument. “Who” could include an adversarial (China) or even friendly government (Israel) as well as an individual cyber criminal, or an industrial competitor. APT could (should?) be defined by its aims: to steal specific information. It could be Google source code and email access or resource data at Rio Tinto, or a database of credit cards. The aim is to get the data or do the damage. The methods use everything that has gone before as well as newly crafted attacks. They can spill over into the physical world of blackmail, honey traps, bribery, and physical threats.

    If there is anyone out there that translates “APT” into Chinese cyber espionage they better just call it Chinese cyber espionage or we are going to have a lot of useless debates on terminology.

  10. A Concerned Citizen says:

    @stiennon That is the definition of APT and the only reason there is a debate about it is because people who overheard conversations or read briefings they didn’t understand began to speculate about what it must mean. The obvious way to do this is to pick apart the words themselves and create some generic definition to which the term would be appropriate (such as this article).

    To the people who originally coined this term and who deal with this problem on a daily basis though, there is no debate. If you are one of the people still debating this, then I have to question your expertise on the subject.

    So I’m sorry that the actual definition of APT doesn’t live up to your speculative high hopes for the term. This does give you a chance to invent your own terminology to describe the generic class of attackers you have previously categorized as APT though. Come up with a great term and I’ll be the first to use it! You can’t use this one though, it’s taken.

  11. John,

    Sorry.

    You’ve got it wrong.

    Everyone in the know, KNOWS what APT is, hence the who. The term was coined by AF COMPSEC personnel to reference in a very specific attack using an unclassified name.

    You really should get out more.

  12. A Concerned Citizen has it right.

    Very right.

  13. Ah, back to the who. As I’ve said several times before, always a mistake in cybersecurity to think the who is more important than the how – unless the real goal is to get paid to study the problem vs. prevent the problem from happening again.

  14. R D says:

    I’m pretty sure the “who” shouldn’t just refer to the attacker. Symptomatic of APT, as I read it, is a “who” that got specifically targeted. The “who” defense lies not in attempting to build a whole new set of security walls, but rather in clarifying policies and procedures regarding information security such that the “who” that got targeted by a certain set of “who”s that wanted information doesn’t end up being the conduit.

    Try taking it apart this way:
    “advanced” = sophisticated (technically adept), well-planned (targeted “mark” at company/division/etc.)
    “persistent” = continuous access (one possibility), or continuous attempts (another possibility) or, most likely, both.

    Thus, APT becomes a combined question of:
    Who – got targeted by Whom (we may or may not care about pursuing)
    What – they got a hold of (both resources and traction)
    Where – do we need to look for their fingerprints on the systems
    When – did they do it (how far back to look)
    Why – what value did they gain/are they continuing to gain
    How – do they plan to gain said value/try to do this again

    You can’t leave out the “who”. Either one. So, yes, you need to invest a bit of resources in a review of the problem from a “who” stand-point if you actually want to prevent it from happening again.

  15. I think the who is the least important part, by far. The vulnerability that enabled the attack (the how) is by far the most important – eliminate the vulnerability, the attack doesn’t succeed, no matter who launches it.

    This is the big difference between physical attacks and cyber attacks. Government funding is needed to build tanks and nuclear weapons. It is not needed for the strongest of cyber attacks. Businesses can not protect themselves against tanks and nuclear weapons by eliminating (or mitigating) vulnerabilities, they can do so against cyber attacks.

    Most of the focus on the “who” tends to be to drive studying of the threat vs. fixing the problems that enable the threat.



