I come to praise APT, not bury it.
The furious discussion about the appropriateness of the term Advanced Persistent Threats (APTs) has finally died down and many people are now gun-shy about using it. I’m okay with that. I completely agree that the phrase was overused and over-applied. But that doesn’t mean we should bury the term. First we should properly define it. Symantec has done that here. Next, I’m going to go out on a limb and actually praise the use of the term APT.
So what’s to praise about the term APT? Two things. First, it was an extremely effective way of getting the attention of people who have for years been ignoring the risk of targeted attacks. We were able to advance the conversation and get companies out of the mind-set that targeted attacks were something that happened to other people. If you’re one of those who still need proof, take a look at the data we compiled on targeted attacks for the 2011 Internet Security Threat Report (ISTR).
While governments and the public sector were the most attacked industry sector, 75% of all the attacks were in other industries. And while large companies saw their share of targeted attacks, 50% of targeted attacks were directed towards companies with fewer than 2500 employees. Who is at risk of a targeted attack? Everyone.
The second reason to praise the acronym APT is that it inarguably got the P right. These attacks are persistent and the public badly needed to be educated on this aspect. When they target you, attackers don’t just try once and then go home. They keep at it. Symantec’s researchers documented one attack where an individual was repeatedly attacked over a nine-month period. In one month he was attacked almost daily. Even with this barrage of attacks, it would be wrong to think that all this company needed to do to protect itself was to protect this one individual. Our research shows that the average targeted attack campaign will target 61 different email addresses. Those being targeted include not only CEOs, senior managers and researchers, but also employees in Sales, PR and Human Resources.
The bottom line is that we all need to be concerned about targeted attacks. And we need to remember that it’s people being targeted. So it’s not just security staff and IT that need to be vigilant, it’s all employees. Often these attacks are based on the simplest of mechanisms - a socially engineered phishing email, for example, or a payload on an innocuous-looking USB stick. Educated employees can make a difference. While social engineering attacks can be difficult to prevent (we can all fall victim), organizations can encourage reporting and then broadcast the existence of a new threat, such as: "If you receive a Twitter direct message that says, 'take a look at this,' don't click on the link!"
Targeted attacks will continue to evolve and so will the tools and policies to help stop them. But organizations that feel that such attacks only happen to other people are playing Russian roulette with their own businesses. If the phrase APT helps get across that message, then I give it great praise.