Advanced Persistent Threat is the best fake excuse for data breaches

Poor security, ho-hum hacks behind most breaches, Verizon study shows

By Kevin Fogarty

In security Advanced Persistent Threat has become the hot buzzword for an irresistible digital attack that should result in no blame whatsoever to the security, IT and business people involved – who, in fact, should get a raise and some time off for having endured such a harrowing experience.

Advanced Persistent Threat (APT) is a specialty phrase introduced following revelations by Google last year that it had been under continuous pressure from skilled attackers for a long period of time.

It refers primarily to long-term attacks carried out by multiple groups of highly trained attackers focusing on a specific set of targets, using methods not available to the average hacker, or even to a low-end organized crime group.

That means "sophisticated and highly targeted data exfiltration exercises conducted by spies or agents working on behalf of nation states."

It doesn't mean a DDoS attack from a mid-sized botnet, or an increase in spam using phishing techniques to con workers into downloading malware or clicking links to malicious sites.

It doesn't even usually refer to effective spear phishing attacks like the one that cracked commercial email service Epsilon and let someone get away with thousands or millions of customer email addresses.

It refers to things like the "Byzantine Hades" and "Night Dragon" attacks U.S. security agencies have identified as having come from units of the Chinese military going after confidential data in government and corporate databases.

APT does not describe any successful hack that is a hair more slick than the one that failed a couple of months ago, or that might have taken the attackers more than a couple of days to succeed.

That is exactly how it is being used by IT and security people who have to admit being cracked and want to minimize the negative publicity for their company or the negative impact on their employment.

Blaming a successful attack on APT "has become the perfect excuse," according to Bryan Sartin, Verizon's director of investigative response, who oversaw an analysis of 760 data breaches in 2010, conducted with Verizon's security team and the help of the U.S. Secret Service and the Dutch National High Tech Crime Unit.

Their "Verizon 2011 Data Breach Investigations Report" (PDF) is being published today.

The striking thing is the sophistication of the victims' excuses, not the techniques of the crackers. "It's almost as if it's become chic in the U.S. to blame it [on APT]," Sartin said.

Even when the attack comes from a Chinese IP address, that doesn't mean the Chinese government is behind it. There are 400 million PCs in China, many of which aren't well protected by anti-virus or the latest patches (just as in the U.S.).

Real crackers cover their tracks by routing attacks through compromised machines in countries other than their own. China is big and has a lot of vulnerable PCs, so a lot of the attacks appear to come from there.

In fact, during 2010, attacks trended away from large companies and toward mid-sized, less well-protected companies.

Most of the breaches – 78 percent – resulted in stolen bank card data, which APT attackers aren't usually interested in.

While half of the attacks involved malware as well as other techniques, most were not sophisticated.

Only 3 percent were considered too slick for the victims to have been able to stop.

That leaves 97 percent of data breach victims trying to find something other than themselves to blame.

APT, the Chinese government and super-advanced organized criminal groups that are inexplicably fascinated with billing records at your Topeka two-store mattress-supply retail chain, obviously have to sit at the top of any suspect list.

Leaving the default root passwords on the routers and servers, not encrypting the data and leaving the back door open in case you forget your key and want to come back to get something late at night would have nothing to do with it.

You can't stop superspies when they come after you. That's obvious.


Source: Verizon Business 2011 Data Breach Investigations Report
