FireStarter: It’s Time to Talk about APT

By Rich

There’s a lot of hype in the press (and vendor pitches) about APT – the Advanced Persistent Threat. Very little of it is informed, and many parties within the security industry are quickly trying to co-opt the term in order to advance various personal and corporate agendas. In the process they’ve bent, manipulated and largely tarnished what had been a specific description of a class of attacker. I’ve generally tried to limit how much I talk about it – mostly restricting myself to the occasional Summary/Incite comment, or this post when APT first hit the hype stage, and a short post with some high level controls.

I self-censor because I recognize that the information I have on APT all comes either second-hand, or from sources who are severely restricted in what they can share with me.

Why? Because I don’t have a security clearance.

There are groups, primarily within the government and its contractors, with extensive knowledge of APT methods and activities. A lot of it is within the DoD, but also with some law enforcement agencies. These guys seem to know exactly what’s going on, including many of the businesses within private industry being attacked, the technical exploit details, what information is being stolen, and how it’s exfiltrated from organizations.

All of which seems to be classified.

I’ve had two calls over the last couple weeks that illustrate this. In the first, a large organization was asking me for advice on some data protection technologies. Within about 2 minutes I said, “if you are responding to APT we need to move the conversation in X direction”. Which is exactly where we went, and without going into details they were essentially told they’d been compromised and received a list, from “law enforcement”, of what they needed to protect.

The second conversation was with someone involved in APT analysis informing me of a new technique that technically wasn’t classified… yet. Needless to say the information wasn’t being shared outside of the classified community (e.g., not even with the product vendors involved) and even the bit shared with me was extremely generic.

So we have a situation where many of the targets of these attacks (private enterprises) are not provided detailed information by those with the most knowledge of the attack actors, techniques, and incidents. This is an untenable situation – further, the fundamental failure to share information increases the risk to every organization without sufficient clearances to work directly with classified material. I’ve been told that in some cases some larger organizations do get a little information pertinent to them, but the majority of activity is still classified and therefore not accessible to the organizations that need it.

While it’s reasonable to keep details of specific attacks against targets quiet, we need much more public discussion of the attack techniques and possible defenses. Where’s all the “public/private” partnership goodwill we always hear about in political speeches and watered-down policy and strategy documents? From what I can tell there are only two well-informed sources saying anything about APT – Mandiant (who investigates and responds to many incidents, and I believe still has clearances), and Richard Bejtlich (who, you will notice, tends to mostly restrict himself to comments on others’ posts, probably due to his own corporate/government restrictions).

This secrecy isn’t good for the industry, and, in the end, it isn’t good for the government. It doesn’t allow the targets (many of you) to make informed risk decisions because you don’t have the full picture of what’s really happening.

I have some ideas on how those in the know can better share information with those who need to know, but for this FireStarter I’d like to get your opinions. Keep in mind that we should try to focus on practical suggestions that account for the nuances of the defense/intelligence culture while being realistic about their restrictions. As much as I’d like the feds to go all New School and make breach details and APT techniques public, I suspect something more moderate – perhaps about generic attack methods and potential defenses – is more viable.

But make no mistake – as much hype as there is around APT, there are real attacks occurring daily, against targets I’ve been told “would surprise you”.

And as much as I wish I knew more, the truth is that those of you working for potential targets need the information, not just some blowhard analysts.

UPDATE Richard Bejtlich also highly recommends Mike Cloppert as a good source on this topic.


Excellent comments above. I agree with most here and just wanted to relate an interesting experience and three points about APT.

Some government officials met with me after my talk on security breaches at RSA 2010 in San Francisco. They laughed at me and said the word/acronym APT is hyped too much and misunderstood. They also gave me the “we know far more than anyone else about what is really going on” story. I held back from being a smart-ass about all this posturing nonsense and instead asked for details.

First, I say worry less about use of language and words like APT. Clarity and understanding have a place/time—like a meeting where action is required. Public discussion is not that time. Absolute accuracy in language/definition during general conversation is really a straw-man argument—attack of a phrase or word instead of the substance being put forward. We also could get upset about misuse of the word too versus to, the word hacker, the phrase critical infrastructure, etc., but open communication is never really clean. If you say car, you could mean just about anything, yet no one gets upset about car. Words get “bent, manipulated and largely tarnished” yet language works amazingly well. Cool, no? Or should I say that it’s hot? Move along please. If you struggle with APT you will really have a hard time with cloud.

Second, I agree completely that sharing APT info is better but I have seen two reasons used for controlled disclosure instead of openness.

A) Power and politics unfortunately sneak into this. The relatively immature and open field of play in Washington gives an incentive for sparse and sometimes unverifiable disclosures. Releasing information in a limited fashion can create a dramatic influence over the hill. Was it coincidence for example that during the debate regarding control and leadership for cybercommand the WSJ released a story that spies have infiltrated the US energy sector? A totally open discussion would not have had the same effect—reporters might have come to a different conclusion. Civilian leadership will lose control if the military and intelligence communities do not have more open discussion with them. Classic political science.

B) There is some chance that disclosure during an ongoing investigation could compromise its success. Only after the investigation is over should it be made open to study. The questions are who gets to decide when a case is closed and how much should they share with whom? The guys I spoke with said they’ve been watching APT for over ten years. We talked about a few case examples and I realized they are stringing everything together—they would say the case is always open. I disagree with them in principle but more importantly I do not have any authority to make them close a case, disclose, and start new ones. I also cannot easily parse who they trust and who they fear.

Third, check out the HTCIA. The audience for my presentations at the International Conference were almost all Peace Officers, Investigators and Prosecuting Attorneys. Discussions were less theoretical and more case/fact-based than your usual group. It’s a great place to share information on real attacks with fellow security professionals.

By Davi Ottenheimer

I think it just comes back around to how we define APT. I fully agree it’s been around forever, but I’ll also say technology enables far more efficient ways of approaching things like infiltrating an organization or exfiltrating information in a targeted approach. So today’s threat is a bit different from 30 years ago.

Still, it’s like “cloud.” The talk of both APT and “cloud” has gotten ahead of actual events/people/incidents, which has unfortunately caused a bastardization of the terms.

At the end of the day, APT (or traditional espionage) can still be about turning a human asset or simply planting an internal employee.

By LonerVamp

APT is over-hyped and being misused by all and sundry. Just because certain folks are in the loop (i.e., have a clearance) doesn’t mean the issue is as per the hype. If the entire shebang is classified, the unwashed masses can’t know about it, yet they’re the poor saps having their valuable data stolen.

There are several fundamental issues with APT:

a) espionage is an art practiced by every nation state. Most are good at it, or we’d hear about it more often. Counter espionage is hardly something a marketing type can monetize, so a new term “APT” is dreamt up to scare folks with. Spying relies on…

b) human nature. Anyone who has tailgated through a door or been helped to the right desk knows that folks are only too happy to be seen as helpful. If an organization doesn’t know that it’s a target because of inappropriate secrecy, there’s no way to change the default behavior of staff. Thus leading to more attacks and more exfiltration.

c) There are no new threats here. Just skilled, well-funded folks (who have ALWAYS existed in nation states, but now more orgs can afford the same skills and capabilities). Calling it APT as an umbrella term doesn’t help anyone defend against it.

d) It’s a logical fallacy to believe the TS folks know more than we do about how to defend against the attacks. Most times, folks in the defence arena battle IT purchasing nightmares, a keen desire never to change what they’ve bought, and a stoic approach to patching and updates. By the time the average widget is approved and bought and hardened to spec, it’s several years out of date. As much as I know some very brainy folks in the military, they are fighting an uphill battle against obsolescence. It’s doubtful they know much more about attacks and defences than any of us working in the open. They just know details of many classified attacks, which is simply unhelpful as it details the past. We can’t learn from it and defend the future by them holding on to the details. The world has moved on from skeleton key locks, but the military mindset sure hasn’t.

Honestly, unless the folks backing APT come up with some concrete defences, there’s no point in listening to their bleating as there’s NOTHING the average target can do before they’re exfiltrated. What a useless paradigm!

Crying wolf with classified fire is just immensely counterproductive. In short - “Show me the video, or it didn’t happen.”

By Andrew van der Stock

Well, we could always just say “China”, since that’s who it is.

By Rich

I clearly overextended the war metaphor in reference to the battlefield. My point is simply that war analogies fail when we get to data exfiltration. When we move from the value being in the events referred to by information, to the information itself being the valuable item, we have to approach the problem of protection differently.

And it would be great to have a better term than APT.

By Eric Hanselman

@ds Your last 3 paragraphs I think almost sum up the difference I see between APT and the threats most “normal” organizations/people deal with. Are you going to stop an advanced threat like that? Most likely no. Just like 30 years ago you likely wouldn’t be able to stop a nation-state from attempting to (and possibly succeeding to) turn an asset to their cause.

When security really does deal largely with technical issues, the technologies are not laughably terrible when used properly (not terribly good, either). But APT brings in a whole new level of the maxim, “the attacker only needs one opening.” We can’t possibly be blanketing everything and especially everyone. It also brings another maxim, “the attacker *will* get in,” higher as well.

@Eric: I’m not sure I would say that today’s APT has never been seen before. Perhaps this is where APT needs to be defined. I see APT as a juxtaposition of three things we already have, in one case for a very long time: 1) people-subverting espionage (today we call this SE), 2) technical attacks, 3) a large pool of resources/people/techniques/time/motive available to the APT, errr, threat.

Another way of saying it: APT has been around a long time, only it has evolved to better incorporate today’s technological hackers, who may or may not be officially announced spies but in fact may just be highly-motivated kids.

(I really hate that APT is a noun. I wish I could say “APT threat” and use the acronym as an adjective…  Saying “AP threat” just sounds like the Associated Press is out to get me!)

By LonerVamp

ds - There’s certainly value in classifying information accurately. A lot of current efforts get tripped up by an outmoded “war” view, though. The issue with APT is that there’s no longer just one or two of “them.” This is a set of attackers with a very different set of goals and tactics than ever graced a battlefield. The battle is being waged on a multitude of fronts and we hurt only ourselves if we keep the majority of commanders in the field deaf and blind to even basic battle information.

The techniques are all out in the public domain. RSA/Defcon/Blackhat sessions go into great detail, but not everyone is aware of the prevalence of their use. If we can get pragmatic information out to a greater chunk of the community on what is being actively employed and techniques to defeat it, we improve our ability to stamp out more, faster. The more beachheads that are established, the harder our collective job becomes.

The evil doers know that we know they’re there.  We’re in a very different game today.  This is civil defense where everybody needs training.

By Eric Hanselman

I think you are oversimplifying the situation regarding the reasons for classifying information. It is well known that information has value, and sometimes that value diminishes if others are aware you know it. Consider the historical case of the Japanese codes in WWII. If the US had publicised that they had deciphered the code, Japan would have switched codes, destroying the value of what had been learned. The same may be true of APT.

If our attackers know that we are aware of their activity and studying it, they will change tactics. LE is better suited to respond trans-nationally, and who knows if they aren’t working with partners to seed their learnings into industry. They’ve long been thought to use think tanks like Mitre to achieve such goals.

As to the firestarter itself, I think this is another point where security pros are falling behind due to reliance on outmoded tools. IDS/IPS (I’m told, I hate them personally) was swell for preventing attacks when the goal was to root a server using the latest sploit, and firewalls are great for segmenting well-defined networks with discrete service needs. Honeypots are nice to learn about attack activity when the attacker is generally opportunistic and uses highly automated methods.

None of this seems very good against a dedicated attacker focused on a very specific goal and armed with very good recon. But we’re all too busy using what few resources we have to manage the technology that doesn’t really work because we don’t know how to do anything differently.

My cynical view is that anyone in the profession who feels like they are achieving success is either delightfully ignorant or charged with protecting something that no one really wants anyway.

By ds

You’ve hit the key issue, what I’ve referred to as the Culture of Classified Cool (CCC, now there’s an acronym!). Attack information needs to be shared more broadly, but the SecInt community has fallen into the bad habit of classifying way more than is appropriate.

This has a tendency to reinforce the behavior. Just the cool kids get the briefing and more stuff gets classified because it fosters the mystique. That information-is-power thing really feeds forward.

If the information isn’t classified, a set of stake holders will feel a little less special, but we’ll all be a lot better off.

By Eric Hanselman

Someone else who has spoken and written about APT and is worth checking out is Steven Adair of Shadowserver Foundation. See:

Cyber Espionage: Death by 1000 Cuts

Also, Martin did a nice podcast with him this summer.

By Rob Lewis
