Saturday, May 5, 2012

To APT or Not To APT?

To APT or not to APT? That is the question that I find myself faced with these days. I’ve spent quite a bit of time on this blog and in speaking engagements talking about the advanced persistent threat (APT) issue. I’ve lamented the gross misuse of the term by vendors and other “experts” who don’t have a singular clue what they are talking about and even wrote this in a previous blog post:

This is a lot of vendor noise out there on the topic of APT, but I don't agree with those who say that we should abandon the term APT because of gross misuse by others. We have to fight misuse of the terminology just as we have to fight the misinformation about the subject itself. If we come up with a new term, the marketing people will just abuse it like APT so this a linguistic battle that I'm willing to fight.

I know several people who I respect who use the APT term correctly and effectively as an educational tool. Richard Bejtlich, for example, is one of the few high visibility public figures who uses the term effectively and productively. That shouldn’t come as a surprise considering his background with the United States Air Force and his resulting private sector career. In his article entitled “Understanding the advanced persistent threat” in Information Security magazine (registration required), he wrote:

The United States Air Force coined the phrase advanced persistent threat in 2006 because teams working within the service needed a way to communicate with counterparts in the unclassified public world. Department of Defense and intelligence community members typically assign classified names to specific threat actors, and use the term intrusion set to describe activities by those threat actors. If the USAF wanted to talk about a certain intrusion set with uncleared personnel, they could not use the classified threat actor name. Therefore, the USAF developed the term APT as an unclassified moniker.

It is crucial to this discussion to recognize that APT is a proper noun. APT refers to specific threat actors; APT does not refer to vaguely unknown and shadowy Internet forces. The term is most frequently applied to distinct groups operating from the AsiaPacific region. Those knowledgeable about APT activities can conduct an honest debate as to whether the term should be used to refer ONLY to certain Asia-Pacific actors, or if it can be expanded as a general classifier. In other words, if adversaries in Eastern Europe operate using the same tools, tactics, and procedures as traditional APT, should these actors also bear the APT label?

Rob Lee, also a United States Air Force alumni, has expended a considerable amount of effort educating us that APT is a “who” not a “what”. For example, in a recent AFoD interview, he wrote that APT is:

The APT is a cyber-adversary displaying advanced logistical and operational capability for long-term intrusion campaigns.  Its goal is to maintain access to victim networks and exfiltrate intellectual property data as well as information that is economically and politically advantageous.

The APT is not a bot-net.  It is not a car.  It is the DNA of an adversarial group.

Unfortunately, I also know many more who really dislike the term for reasons that I find increasingly hard to disagree with. Kyle Maxwell recently wrote over at his blog:

First, one of the most common (and controversial) phrases in 2011: “advanced persistent threat” (APT). From my understanding, this term originated with the US Air Force in 2006 to refer to either “any sophisticated adversary engaged in information warfare in support of long-term strategic goals” or, well, China. I do not like this term at all, because we have much better terms now when discussing general classes of attackers. And now that the US government has publicly discussed the ongoing campaign of intrusions from China, rather than just in classified environments, we no longer need to treat the subject so gingerly. My stance has evolved to the point of eschewing the term completely. If you mean “nation-state actors” in general, say that. If you mean China (or Russia, or Israel, or the US), then say that. If you mean adversaries with significant capability, I suppose “APT” is the marketing buzzword these days, but this usually leads to so much FUD that I’d prefer other terms that don’t carry the same baggage.

Greg Pendergast commented on Kyle’s blog post in a recent Digital Forensics Case Leads when he wrote:

Semantic change: APT, Cyberwar, and Hacking - Kyle Maxwell has some interesting thoughts on the words we use. I tend to agree with him, especially regarding the phrase APT (it really does need to die). Others will disagree on one or more points. But the more important point, I think, is that we need to mindful and careful of the words we use to describe things. They have meanings, both denotations and connotations, and sometimes need to be re-evaluated. There was nothing wrong, originally, with the phrase Advanced Persistent Threat (APT). But no matter how you might rage over the loss of that original intent, it is still lost to the FUD and misinformation of the marketing machines. And perhaps, more importantly, as Kyle points out, the phrase no longer serves a purpose. It is no longer needed.

So…to APT or not to APT?  The answer for me is that I’ve realized that I have stopped using the term in my conversations with people and have instead been using terms like  “advanced actors”, “advanced threat actors”, and “nation-state actors” when talking about general threats or, oddly enough, specific threat actor names when talking about specific threat actors. So I’ve unconsciously been agreeing with Greg and Kyle and I expect that will remain my position going forward.

The problem is that the term started out an intentionally vague term. Did we expect a term that the Air Force used to talk about specific threat actors in a non-specific manner to be more clear or less clear when a pack of security vendors got ahold of it? The bottom line seems to be that there are more ignorant FUD-spewing vendors than there are Rob Lees and Richard Bejtlichs so I just don’t see how we win this particular semantic argument.

So what do I recommend? I think it makes sense for us to move away from the APT term because it’s just feeding the vendor mentality that security is about tools rather than people. However, I’m not about to tell people like Rob and Richard that they shouldn’t continue their appropriate use of the term to bash the FUD-centric vendors and educate the public about advanced threat actors. So you have to make your own decision. I’ve made mine and I chose “Not to APT”.