Several topics seem to cause a stir when mentioned among information security professionals and are sometimes avoided in conversations altogether. And no, I am not referring to sex, religion and politics. My list of sour points in security discussions includes APT, ROI and insider threat.
A question of what or who is APT is guaranteed to stir up a heated discussion. Jeffrey Carr explained that one of the reasons why some people try to avoid using it is because APT has become a marketing buzzword. He also points out that:
It’s used by some to define an attack process that fits certain characteristics (think of them as the “What” group). Others, like the security firm Mandiant, use the term in reference to the actions of a specific nation-state—China (think of them as the “Who” group).
Since Mandiant is generally believed to have extended experience with APT incidents, many follow their definition, which is stated in their M-Trends 2011 report as a term for describing “a specific group of threat actors (multiple cells) that have been targeting the U.S. Government, Defense Industrial Base (DIB) and the financial, manufacturing and research industries.”
Another generally-accepted description of APT, compatible with Mandiant’s perspective, comes from Richard Bejtlich. Richard does a great job explaining the meaning of “advanced”, “persistent” and “threat” characteristics of APT.
If you talk about APT on-line, there’s a good chance that someone will leave a snaky comment pointing you to Mandiant’s or Richard’s description of the term.
The distinction between the original and marketing meanings of APT is fading. Soon enough, debates about the definition of APT will resemble the purists’ insistence on using the word UNIX solely when referring to AT&T’s original operating system. It’s a worthy cause, but one that’s doomed to fail or fade into irrelevance. Sadly, I consider myself one of the purists.
To better understand my perspective on APT, see my follow-up post Why I Make Fun of Advanced Persistent Threat.