What is APT? No. Who is APT? And introducing Infophagy.



APT
Recently there has been a flurry of compromises bubbling up to the front pages of newspapers and magazines, and the common thread seems to be “APT”. APT stands for Advanced Persistent Threat, and it has been horribly over-applied in numerous periodicals over the past several months, even going so far as to use the term to define a specific virus. As we walk through what APT really should be communicating, you’ll have a better understanding of why these uses are absurd at best and poor scholarship at worst.
Advanced
Advanced seeks to define the capabilities of the entity, in that it has a holistic ability to gather intelligence through advanced, complicated and usually very technical conduits. That is not to say that AP threats limit themselves to these complex and obscure techniques alone; in fact, the complexity and craftiness usually present is almost always based around a creative mixing of information- and intelligence-gathering methods. The important take-away is that the entity has a formidable store of information-weaponry with which it can assault its target.
Persistent
Persistent seeks to define the intention of the entity, as one that is not fly-by-night or opportunistic, but clearly consistent, continuous and unyielding. This is the drip in the slow-drip characteristic of AP threats. It’s not a gloves-off, all-out assault along various vectors at or within the same time/space; it is a slow, methodically calculated assault, maintaining access and flying low to keep that access. I prefer to use the term “Parasitic”, as persistent carries a connotation of enduring, and ultimately positive, perseverance, which I do not attribute to these entities. When I find myself using a term to describe the practice/attitude of intelligent children, I do not find it appropriate to attribute the same term to a malicious entity.
Threat
Threat seeks to classify the entity as an organic and focused assault, not some automaton sequentially programmed to follow a specific set of attack vectors. The entity is an organized, intelligent and resourceful enemy, with a plan of attack and a source of continuing encouragement and support; be it financial, emotional or purely malicious.
Parasitic (Infophagy)
My argument for changing ‘Persistent’ to ‘Parasitic’ is professionally based. Consistently, while reviewing incidents of an AP nature, it is discovered that small amounts of data/information are compromised slowly over time. I believe this process is best visualized by hematophagy, commonly practiced by a wide variety of insects, and ticks in particular. (Those of you not familiar with ticks, please see here: http://goo.gl/I4ctm) This data/information is integral to the entity maintaining access, and is, in most scenarios, detrimental to the plan of attack succeeding; therefore I coined the term ‘infophagy’ for this practice, which is far more accurate.
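The slow-drip behaviour described above (in the Persistent section and again here) is what a defender has to look for: many modest transfers that each sit below a per-event alert threshold but add up over weeks. The following is an added example, not code from the original article, showing one way to surface that pattern from flow records. The log format, the host names, the destination addresses and all thresholds are constructed assumptions for the example; the cumulative-over-many-days rule is the generalization of the “small amounts over time” observation.

```python
"""Low-and-slow egress aggregation.

Added example (not part of the original article). It groups outbound flow
records by (source host, destination) and flags two things:
  - "bulk": a single transfer large enough to trip a per-event alert, and
  - "drip": no single transfer trips the alert, but transfers recur on many
    distinct days and their sum over the window is large (infophagy).
Log format, hosts, destinations and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds. A per-event rule alone would only ever see ws-04 below.
PER_FLOW_ALERT_BYTES = 100_000_000   # 100 MB in one flow -> "bulk"
DRIP_MIN_DAYS = 5                    # transfers on at least this many distinct days
DRIP_TOTAL_BYTES = 250_000           # ...summing to at least this much -> "drip"
WINDOW = timedelta(days=30)          # look-back window ending at the latest flow

# Constructed sample flow records: "<UTC timestamp> <src host> <dst> <bytes out>".
# ws-17 drips ~50 KB a day to one destination; ws-04 makes one large transfer.
SAMPLE_FLOWS = """\
2024-03-01T08:02:11Z ws-17 203.0.113.9:443 48100
2024-03-01T13:15:40Z ws-17 203.0.113.9:443 51200
2024-03-02T09:41:03Z ws-17 203.0.113.9:443 47900
2024-03-03T07:58:22Z ws-17 203.0.113.9:443 50300
2024-03-04T12:20:10Z ws-17 203.0.113.9:443 49500
2024-03-05T10:05:55Z ws-17 203.0.113.9:443 50800
2024-03-06T11:30:41Z ws-17 203.0.113.9:443 48800
2024-03-02T09:00:00Z ws-04 198.51.100.20:443 920000000
2024-03-03T09:00:00Z ws-04 198.51.100.20:443 3100
"""


def parse_flows(text):
    """Parse the assumed whitespace-separated flow format into tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)))
    return records


def classify_egress(records, per_flow_alert=PER_FLOW_ALERT_BYTES,
                    drip_min_days=DRIP_MIN_DAYS, drip_total=DRIP_TOTAL_BYTES,
                    window=WINDOW):
    """Return {(src, dst): "bulk" | "drip"} for the pairs that warrant a look."""
    groups = defaultdict(list)
    for ts, src, dst, nbytes in records:
        groups[(src, dst)].append((ts, nbytes))

    findings = {}
    for pair, flows in groups.items():
        flows.sort()
        end = flows[-1][0]
        recent = [(ts, b) for ts, b in flows if end - ts <= window]
        largest = max(b for _, b in recent)
        total = sum(b for _, b in recent)
        days = {ts.date() for ts, _ in recent}
        if largest >= per_flow_alert:
            findings[pair] = "bulk"
        elif len(days) >= drip_min_days and total >= drip_total:
            # Each flow is individually unremarkable; only the aggregate over
            # many days reveals the drip.
            findings[pair] = "drip"
    return findings


if __name__ == "__main__":
    for (src, dst), kind in sorted(classify_egress(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{kind:5} {src} -> {dst}")
```

On the constructed sample the single 920 MB transfer from ws-04 is reported as “bulk”, while ws-17, whose largest flow is about 51 KB, is reported as “drip” only because seven days of transfers sum to roughly 347 KB. The point of the design is that the aggregation key and the window, not the per-event threshold, are what make the parasitic pattern visible.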
Additionally, I find nomenclature to be incredibly important in each and every scientific field. It is what makes communication more efficient and precise for the scientific community at large, and for those who will come after us. I appeal to the medical community as an example: Endoscopic retrograde cholangiopancreatography (ERCP) is a beautiful example of the benefits of proper naming conventions. This incredibly long term clearly and accurately defines all important aspects of the technique to a physician, without ambiguity.
I believe ‘Parasitic’ is a more accurate and unambiguous definition of the characteristics of these threats, and I encourage the professional/scientific Information Security community to make this change.
Conclusion
It is my primary hope that the Information Security community will take my recommendation to heart and adopt ‘Parasitic’ as the more accurate nomenclature. Additionally, it is my prayer that this little article has helped those less directly involved in Information Security to properly understand APT when they see it carelessly sprinkled through newspaper articles. Just remember: APT is organic, a who, not a what. And they practice Infophagy.