Setting the Record Straight: What’s an Advanced Persistent Threat?

Posted by George Yunaev on 2014-11-17 13:46:00

With all the media hype created around Advanced Persistent Threats (APTs) in the last couple of years, it may come as a surprise that there is no official definition for it in the industry. But it’s true. Security experts have yet to reach a consensus with regards to what exactly constitutes an APT. As a result, security companies have diverging opinions, and define it differently.

But why is a commonly accepted definition so important? Shouldn’t we concentrate our attention on solutions against APTs?

Of course. But then, how can a solution offer proper protection against a threat whose real nature may not be entirely known? And how can we make accurate comparisons between solutions if we don’t have a common framework as a reference?

Diverging opinions often lead to confusion. And people can leverage confusion to stand out from the crowd. As it so happens, this is the case with some companies that claim their APT solutions are the best in the industry.


In this article we’ll try to come up with a common definition for APTs, by looking at the different opinions in the industry, identifying the common grounds and dismissing invalid claims based on facts and real cases.


So what exactly constitutes an APT?

While every company tries to give their two cents, the different attempts at explaining the threat have three points in common:

1. an APT involves some kind of malware that is “not detected by traditional [signature based] antivirus”
2. an APT is part of a cyberattack targeting individuals in an organization
3. the threat used in APT attacks should be: zero-day, advanced or complex, designed to evade security solutions.

But each of them has holes in it and leaves room for interpretation. Let’s analyze them one by one.

1. If the first point were accepted by the entire industry, a company could put an APT label on any piece of malware it detects and claim that a traditional antivirus would not be able to identify it. Such claims exist, but most of them are not supported by evidence. And where evidence exists, it is based on an inadequate comparison between security products. For example, business security solutions may be compared to consumer solutions such as Microsoft Security Essentials or ClamAV, or to malware scan sites like VirusTotal or Jotti. These tools are typically based on a single security component (an on-demand scanner), whereas business solutions include several layers of protection that together contribute to good detection rates.

2. The second point is, in turn, subject to different interpretations. There are several opinions on who, and what type of organization, should be considered the target of an APT attack:

  • The target is of national importance: government agencies, nuclear facilities, etc. Such entities have been targeted by well-known APTs like Stuxnet and Flame, but accepting an APT definition that names these entities as targets poses two issues for companies that offer APT security solutions:

        ◦ APT attacks are so costly and difficult, that they could only be performed at the state level – indeed, the Stuxnet success seemed to be the result of several governments working together. Thus, the vast majority of businesses would be safe from such attacks simply because they wouldn't be interesting enough targets.

        ◦ It would be extremely brazen to claim that a security solution made by a company would stop such APT attacks. After all, an APT attack against a target of national importance would be carried out by teams of hackers with unlimited budgets and a state to support their actions. As such, they would have no problem acquiring the APT solution, analyzing it in detail, and creating a piece of malware able to slip by without raising any flags. Such a piece of malware would also be difficult for vendors to add detection for in their existing solutions: not only would it be a major effort, but they would not be able to add such functionality in due time.

So an APT definition naming state entities as APT targets would not be accepted by APT solution vendors.

  • The target is everyone who got attacked by malware. “Got infected by malware? Did it encrypt your files and request payment for decryption? You got attacked by an APT!” This is an appealing definition, as it allows a product to be sold to almost everyone. However, it does not explain what makes an APT solution different from a security solution provided by another, non-APT security vendor. So if we considered everyone a potential target of an APT attack, it would be difficult for APT companies to explain their added value (if any), which would not help sell their product.

  • The target is a business entity, referred to as “your organization” to hint that YOU need protection. This is the most reasonable definition, because targeted attacks do exist, and severe security breaches happen every year. The only problem APT solution vendors face in this case is that such targeted attacks might not – and often do not – use any malware that could be considered “advanced.” One example is the malware used in the Target breach, which McAfee representatives called “absolutely unsophisticated and uninteresting.”

3. The validity of the third point is also debatable. Be sure to download our whitepaper, A candid view on APT protection: debunking claims and choosing the right providers, to get our "candid view" on it.


Next up in this series of articles is Detecting Advanced Persistent Threats: Myths and Realities.

George Yunaev

George Yunaev is a Senior Software Engineer at Bitdefender. He joined the company's OEM Technology Licensing Unit in 2008, after working at Kaspersky Lab for seven years. Aside from developing SDKs for various OEM solutions, George is also providing partners and prospects with useful insights into emerging threats and potential pitfalls of technology licensing. His extensive software engineering experience of 19 years also covers reverse-engineering and malware analysis. He is based in Silicon Valley, California, and enjoys traveling and active sports such as skydiving and wakeboarding.
