The Advanced Persistent Threat (APT) is the bogeyman of information security. Some people say ‘be afraid, be very afraid’ while others laugh and deny its very existence.
The problem, of course, is one of definition. Too often the term gets stretched to fit whatever point someone is trying to make, or whatever product a company is trying to sell.
Another issue is that firms who have discovered a breach in their own defences are all too quick to blame APTs as a way of attenuating potential bad publicity. Presumably this is because it’s less embarrassing to say that you were taken down by a dedicated band of attackers using ‘advanced’ skills and technology than confessing what is more likely to be the truth – that your security was rubbish.
Nonetheless, it’s clear that attacks do take place that use advanced techniques, including extensive reconnaissance, zero-day exploits and sophisticated malware, and which involve persistence not just in breaching the security of the targeted organisation but also in hanging around to syphon out as much information, or do as much damage, as possible.
In this episode, Filippo Cassini, EMEA systems engineer director with Fortinet, explains what he means by ‘advanced’ and ‘persistent’. The technology used, he explains, has much in common with bot code in its ability to update, evade anti-malware and remain low-key. But what makes APT malware different is the customisation for the specific target – it is tuned, for example, to evade the anti-malware used by that organisation – and the lengths to which the attackers will go to ensure that the malware remains on the target’s systems. He also discusses how you can spot an attack: detecting and fighting APTs, he says, starts with knowing your own network.
Finally, Cassini also touches on the recent attacks on South Korea which, while not being APTs per se, certainly bore some of the same hallmarks – although the aim in this case was to destroy rather than exfiltrate data.