Information Security News
In May 2015, I wrote a diary describing a SOC analyst pyramid. It describes the various types of activity SOC analysts encounter in their daily work. In the comments, someone stated I should've included the term advanced persistent threat (APT) in the pyramid. But APT is supposed to describe an adversary, not the activity.
As far as I'm concerned, the media and security vendors have turned APT into a marketing buzzword. I do not like the term APT at all.
With that in mind, this diary looks at the origin of the term APT. It also presents a case for and a case against using the term.
Origin of APT
In 2006, members of the United States Air Force (USAF) came up with APT as an unclassified term to refer to certain threat actors in public.
Background on the term can be found in the July/August 2010 issue of Information Security magazine. It has a feature article titled "What APT is (And What it Isn't)" written by Richard Bejtlich.
Shown above: An image showing the table of contents entry for Bejtlichs article.
According to Bejtlich, "If the USAF wanted to talk about a certain intrusion set with uncleared personnel, they could not use the classified threat actor name. Therefore, the USAF developed the term APT as an unclassified moniker" (page 21). Based on later reports about cyber espionage, I believe APT was originally used for state-sponsored threat actors like those in China.
A case for using APT
Bejtlich's article has specific guidelines on what constitutes an APT. He also discussed it on his blog. Some key points follow:
If you follow these guidelines, using APT to describe a particular adversary is well-justified.
Mandiant's report about a Chinese state-sponsored group called APT1 is a good example. In my opinion, FireEye and Mandiant have done a decent job of using APT in their reporting.
A case against APT
The terms "advanced" and "persistent" (and even "threat") are subjective. This is especially true for leadership waiting on the results of an investigation.
Usually, when I've talked with people about APT, they're often referring to a targeted attack. Some people I know have also used APT to describe an actor behind a successful attack, but it wasn't something I considered targeted. We always think our organization is special, so if we're compromised, it must be an APT! If your IT infrastructure has any sort of vulnerability (because people are trained to balance risk and profit), you're as likely to be compromised by a common cyber criminal as you are by an APT.
Bejtlich states that after Google's Operation Aurora breach in 2010, widespread attention was brought to APT. At that point, many vendors saw APT as a marketing angle to rejuvenate a slump in security spending.
Shown above: An example of media reporting on APT.
A good example of bad reporting is the Santa-APT blog post from CloudSek in December 2015. However, other sources have reported the info and a cached version is available.
Shown above: Screenshots of the alleged Santa APT app.
The blog post reported a malicious Santa-themed Android app hosted on the Google Play Store. CloudSek stated the app was the work of an APT group that it called Santa-APT. The post was very short on details, and many I knew in the community were skeptical of CloudSek's claim. The company's tweet even had a comment disputing the article's claims. I certainly didn't see anything that indicated the malware was created by an advanced adversary with specific goals against distinct targets.
As far as I'm concerned, APT is still a vague term that's now a buzzword. People generally use it according to their own biases. Remember that APT is supposed to describe an adversary and not the attack.
I recently attended the FOR578 Cyber Threat Intelligence class at SANSFIRE 2016. For me, one of the big points from FOR578 is that attribution is tricky. You can review all the data about an attack on your network and still not be certain who is behind it. People's biases get in the way, especially when the biggest question is "who did this?"
But identifying the people behind an attack is often futile. Find patterns in the available data and try to categorize it, yes. You might recognize a repeat attacker, and you'll be better prepared to respond. However, you may never truly know who is behind any given set of attacks. I feel we should be focusing on what vulnerabilities allowed the attack to happen in the first place.
brad [at] malware-traffic-analysis.net
IBM hires ex-AFP cyber top cop to run Aussie infosec centre
IBM has more than 12 security operations centres globally to handle the infosec operations for 3700 clients, the company said. “To overcome the growing volume and sophistication of cyber attacks, and the global shortage of skilled security ...
Micro-segmentation key to new approach to infosec, says Unisys
Micro-segmentation could provide a key component of a new approach to information security, according to IT services firm Unisys. Traditional security is failing because it is based on the castle and moat model of perimeter defence, which is no longer ...
WA government still hopeless at infosec
Western Australia's Auditor General has panned the state's consistently-awful IT security, delivering its report from a site that Chrome warns isn't doing HTTPS right. The agency has been telling the state government its security is subpar for years ...
One-third of US, UK companies don't use an infosec pro
A separate poll conducted by Spiceworks in May confirmed these findings. In that study, 67 percent of IT professionals said they possess no information security certifications. Among companies that do not have an in-house security pro, most ...
Passwords To Be Phased Out By 2025, Say InfoSec Pros
Passwords To Be Phased Out By 2025, Say InfoSec Pros. Behavioral biometrics technology and two-factor authentication are on the rise as safer alternatives, according to a study. A study of 600 security professionals by mobile ID provider TeleSign has ...
Hopeless Vic agencies have two years to hit infosec best practice
Government agencies in the Australian state of Victoria will have two years to move from near ground zero to stand up fully-fledged and updated information security, risk, and governance policies. The requirements are a big ask for agencies in the ...
Vic govt gets new cyber security rules
WA auditor could name and shame worst infosec offenders
The office's eighth annual infosec audit was also the first to map sector-wide progress on key metrics year-on-year over the term, revealing that WA has not improved at all in terms of business continuity and basic information security since the first ...
Then, an HTTP redirect is performed to a second page, phone.html, which mimics a Google authentication page and asks for the user's phone number. Here again, POST data are processed via phone.php, which sends a second email with the victim's phone number. Emails are sent to two addresses (not disclosed here).
To conclude on a funny finding: there is a specific PHP script, imp.php.
From a technical point of view, it is a low-level attack but I'm pretty sure it still works. Take care!
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant