One of the comments I heard repeatedly at the RSA Conference was that many vendors on the expo floor were jumping on the Advanced Persistent Threat (APT) bandwagon, handwaving wildly and claiming disingenuously that their product -- or "solution" to be even more self-aggrandizing -- would protect against APTs. That, combined with the RSA SecurID breach last week and a recent article by Bill Brenner at CSO Magazine, made me want to weigh in on this topic.
On one hand, it's obvious why vendors do it: IT security people are instructed by their CISO or CSO to "go find an APT solution", so if you're not making that explicit claim, you might be overlooked. We recently had a large enterprise customer come to us looking for exactly that, a so-called "APT solution". They had just been hit with Night Dragon, which used SQL injection attacks as an entry vector along with the traditional spear phishing approach. We offer a good way to defend against one part of the APT threat, which is application security along your perimeter. Of course, we would never call ourselves an APT solution because there is no such thing.

I think one reason the APT label irritates experienced security practitioners is that we know none of this is new -- not the techniques, and certainly not the threat actors. There's disagreement on whether Night Dragon should be considered an APT, but some are calling it that, so let's use it as an example. Based on the McAfee writeup, the infiltration steps included 1) exploiting a SQL injection vulnerability, 2) pivoting from the external web servers to the intranet, 3) cracking passwords, and 4) installing some malware. As far as techniques go, it's not particularly "advanced"; that sequence of steps might as well be describing any garden-variety penetration test circa 2001 (or much earlier, if you don't use a web application attack to get in).
How about the threat actors, then? Labeling an attack an APT implies that it's a state-sponsored activity. Usually the finger is pointed at China, but you could just as easily have an APT originate from Eastern Europe, Russia, or any other nation-state with the appropriate resources. But does anyone truly believe that this only started in 2009 with the Aurora attacks? And only then did other countries think, "hey, what a great idea, we should start hacking too!" Even the US Congress (usually the last to know) was toying with the idea of nation-state attacks on critical infrastructure as early as the 1998 L0pht testimony. Targeted attacks on corporations by foreign actors aren't much of a stretch.
The recently acknowledged existence of APTs also encourages companies to feel less accountable for security breaches. What I mean by this is that companies will take cover under the APT umbrella to deflect attention from the fact that they have not been following best security practices with respect to application security and other parts of their infrastructure. There's an expectation that the media thrashing will be more restrained if you claim to be the victim of an APT, because the attack must have been so unbelievably sophisticated. From a PR standpoint this is preferable to admitting that one of your laptops was stolen or that an attacker broke in via a SQL injection vulnerability in a website that you neglected to test. The added bonus with APT is that you can withhold information and claim that it's too sensitive to disclose!
APTs, or whatever you want to call them, do exist. There are nation-states building sophisticated information warfare capabilities, and there is incentive to target prominent companies. Many attacks may go undiscovered. Those are the real APTs. Just because an attack uses social engineering or gains access to your intranet does not make it "advanced". Let's not be so quick to call everything an APT, and let's call BS on vendors who claim to sell an APT solution. Agreed?