How would you Classify an APT?
Updated: May 23
GovWare 2011 – Enterprise Security Track
I had the privilege to be in one of the sessions conducted by SecureAge in the Enterprise Security track today. What aroused my interest was actually their definition of Advanced Persistent Threat (APT). I was introduced to this term only about 2 years ago and have never really used the term “APT” because I didn’t really know what it was.
Before you doubt my grasp of info-security, here is why I would think twice before labelling something as an APT. My understanding of APT was somewhere along the lines of Wikipedia’s definition: “Advanced persistent threat (APT) usually refers to a group, such as a foreign nation-state government, with both the capability and the intent to persistently and effectively target a specific entity.”
And in my mind, I would assume that the targets are high-value targets, namely servers containing valuable data or providing essential services. Endpoint computers are hardly the case.
Now, SecureAge has a product “SecureData” that sits at the endpoint as security software that is specifically designed to fight APT. The example given was an exploit with a rootkit as a payload.
Now, would you consider an exploit with a rootkit as a payload an APT? Somehow I felt something was inaccurate about the example given. I quickly referred back to Wikipedia and deliberately read the definition once more.
Wikipedia further states: “The term is commonly used to refer to cyber threats, in particular, that of Internet-enabled espionage, but applies equally to other threats such as that of traditional espionage or attack. Other recognised attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.”
I gave it some thought and concluded that APT could be defined and accepted as an attack (in any form) by organised cybercriminals. However, one could easily jump to the conclusion that the infected email attachment I got yesterday was an APT. Because, really, it is hard to know for sure if it is the endeavour of an organised group that has been eyeing my organisation’s data for a long time.
Can you really know for sure?
How would you classify an APT?
Shared by Andre Ng, First Mate of Div0.