Targeted Attacks Versus Advanced Persistent Threat – Pragmatic Versus Dogmatic
February 7, 2012
In some circles of IT security, debating the exact definition of what constitutes an Advanced Persistent Threat (APT) is far more incendiary than debating politics or religion. I was forced to wade into these tumultuous waters this week as I was making updates to the Triumfant Web site. Specifically, I was curious to see if there was some industry consensus as to the dividing line between the two classifications. Silly me. I should have known better.
The volatile nature of the definition of APT makes the dividing line between targeted attacks and APT equally volatile. The industry has not settled on any one dimension to distinguish an APT attack, much less a specific point on that dimension. For some, APT is determined by the nature of the attack, or the target of the attack. Some, most notably Richard Bejtlich (@taosecurity), define APT by the threat actor.
After some research, it became obvious that the one thing the debate needed was yet another attempt to differentiate APT attacks and targeted attacks, and being shallow and self-centered, I knew I was just the guy for the job. My simple classification came down to pragmatic (targeted attacks) versus dogmatic (APT) and actually incorporates most of the elements of the debate.
At the high level, I consider APT attacks as a subset of the broader category of targeted attacks as both are attacks written to perform a specific purpose against a specific target. Both value stealth and seek long-term infiltrations. Both involve sophisticated adversaries that often use many of the same techniques. Given the two categories are not exclusive, what I am attempting to capture is the point where a targeted attack becomes an APT.
Targeted attacks are pragmatic because their motivation, and therefore their approach and behavior, lies in monetary gain. A targeted attack is likely designed to extract confidential information or intellectual property. It is conceivable that the attack could be disruptive, but pragmatically, disruption does not provide a return on investment. Targeted attacks value stealth and long-term infiltration, but only to the point where they serve the pragmatic need. Not quite smash and grab, but not the longer-term persistence sought with APT. Targeted attacks rely heavily on techniques that leverage human nature (social engineering) because the adversary lacks access to the human-gathered intelligence available to the APT threat actor. Finally, a targeted attack may be reusable against other targets, albeit with some modification and mutation of the malware.
I use the term dogmatic to describe APT attacks because APT attacks are largely driven by emotional/philosophical motivations, primarily politics. This places higher value on stealth and persistence than a targeted attack because it enables the adversary the freedom to alter post-infiltration activity to respond to evolving external events. This is the proverbial low and slow approach that places high value on maintaining an established presence in the targeted system or network. APT attacks may also be broader in their impact to the targeted organization because disruption may provide the same political impact as exfiltration. APT attacks often consist of multiple parallel attacks to ensure infiltration and ensure that discovery of one path does not cut off presence in the network. That is because a pragmatic adversary may be able to move onto the next target, but the target for a dogmatic adversary is dictated by the politics of the moment.
I am going to be very candid and say that I really have no real emotional or professional stake in this debate. Triumfant excels at detecting these attacks, and the dividing line has no effect on that capability. I simply was creating a web page on targeted attack detection and a separate page for APT detection, and I was doing the due diligence to be as accurate as possible. Why separate pages? Both terms (“targeted attacks” and “advanced persistent threat”) are frequently used search terms, so it was all about providing information to those who get to the Triumfant site through organic search.
So there is my take on the debate. Not sure if the pragmatic versus dogmatic designation helps, but it resonated with me, so who am I to not feed the fire?