Friday, August 26, 2011

APT: A Geopolitical Problem

An important thing to understand when thinking about advanced persistent threat (APT) is that it's a much bigger problem than any one of us, as individual organizations, can handle, because it's ultimately a geopolitical issue. We're talking about nation-states who are engaging in attacks against the confidentiality of sensitive data that belongs to other nation-states, their industrial base, academic institutions, and non-profit organizations. In other words, China isn't going to stop using cyber attacks as an active tool for its national security and economic development efforts until someone forces them to do so or their government changes radically.

Being targeted by a nation-state actor is a daunting thing to consider. Matt Olney, who is still the reigning champion of the pithy APT definition, wrote, "APT: There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that." Matt wasn't kidding when he said they have more resources than you. A nation-state has the ability to levy taxes and print money. I don't care what your organization's profit margins and revenues were last year; it can't compete when it comes to outspending these people. Nation-states can have tremendous resources when it comes to personnel, intelligence gathering, education, and research and development capabilities. Jonathan Abolins made a fine point in response to my last blog post when he stated that if your organization is targeted by a nation-state for cyber attacks, it's almost certainly being targeted by more traditional physical data collection methods as well. Nation-states have comprehensive intelligence collection strategies in which information warfare is just one piece.

So we're cooked, right? Absolutely not. There are things that we can and should be doing to protect our individual organizations from these nation-state actors, such as developing robust threat-based security teams. One of the best things we can do to combat this threat is to work hard to raise awareness so that other organizations will wake up and start fighting back also. Nation-states can have immense resources, but they aren't unlimited resources. They have to make resource allocation decisions just like anyone else. The more we collectively fight back against them, the more of their resources they have to expend to keep up with us. Either they have to allocate more resources to keeping up their current level of overall activity or they have to start making tough choices on who to target and how much to spend on that particular target. Let's make this really expensive for them.

When you fight back intelligently against this threat, you help everyone else out also. The business case for having your organization properly defend against this threat is the long-term health and profitability of the organization. The altruistic case is that your efforts will likely help make others safer also by making hostile nation-states use more of their limited resources. Maybe that resource drain means that some United States Navy commander at VFA-123 doesn't have to write condolence letters home to a pair of military families because that officer lost two naval aviators in an F/A-18 to an anti-aircraft defense system that was made better by stolen technology.

There is a lot of vendor noise out there on the topic of APT, but I don't agree with those who say that we should abandon the term APT because of gross misuse by others. We have to fight misuse of the terminology just as we have to fight the misinformation about the subject itself. If we come up with a new term, the marketing people will just abuse it like they did APT, so this is a linguistic battle that I'm willing to fight.

So what can you do? The first thing you should do is to educate yourself about the nature of the threat so that you can cut through the noise and properly educate your organizational leadership. The people who I look up to and who are very influential in how I approach this issue are Richard Bejtlich, Rob Lee, and Mike Cloppert. I recommend starting by absorbing anything you can from them: books, blogs, conference presentations, podcasts, random scribblings on cocktail napkins, articles, and Twitter feeds. There are excellent conferences such as the DoD Cybercrime Conference and the SANS Digital Forensics and Incident Response Summit (full disclosure: I teach digital forensics for SANS) that are held each year and include fantastic presentations on nation-state threats along with many other great topics.

You should also maintain at least a working knowledge of the business and geopolitical world around you. Since advanced persistent threat is a nation-state issue, it's important to understand what is happening in the world and how it connects to your daily life as an information security professional. There are resources such as The Wall Street Journal, The Economist, Brookings, Council on Foreign Relations, and Foreign Policy that all have robust and convenient online presences complete with mobile applications.

Even though I'm beating up on some vendors because of their misuse of terminology and sometimes FUD-driven marketing, there are great vendors out there who provide a wide variety of tools, services, and educational efforts that are very helpful to your efforts. I'll try to highlight as many as I can in future blog posts. One example is Mandiant, who does a fantastic job of educating the community about the nature of advanced persistent threats as well as threats from other actors. They are very open with what they know, and I highly recommend their frequent webcasts.


  1. Absolutely agree that we should keep alerts on this threat. AV vendors argued that it is only an "advanced" threat because they believe their product is good enough to fight against such attacks. I don't agree, because the state actors can use huge resources; maybe today they use less effective or advanced tools, but they will learn and someday they can develop an advanced technique in preparing their cyber weapons.

  2. Good recommendations.

    A US Defense Security Service report that might help give some glimpses of the context of APT.
    "Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry"

    By the way, on page 26 (PDF version), there's an analyst statement relevant to APT:
    Analyst Comment: The decline in overt FY09 cyber operations is likely more indicative of regional
    collectors increasingly finding ways to disguise suspicious Internet activity, rather than representing an actual decrease in cyber activity. (Confidence Level: Moderate)

    The DSS has other resources for understanding counter-intelligence and protecting your company.