APT Kill chain - Part 1: Definition
Today we decided to release a series of blog posts regarding the APT kill chain, in an effort to share our experience and knowledge on this hot topic.
For starters, “APT” stands for Advanced Persistent Threat.
Some people do not use this term at all, considering that the acronym is just a buzzword, created by some creative marketing wizard (or even a team of wizards) to describe a computer attack aimed at companies. These three words do strike the mind of anyone who is inexperienced in computer security and immediately raise fear, not to mention terror. One sure thing is that they do not leave anyone indifferent. People imagine a lot of different things behind these words, depending on their knowledge and experience. It basically goes from “well, another attack” to “attackers are everywhere in the system, they’re inside all the computers, ALARM! ALARM! HELP!”
Yet, there have been different definitions for APT, which we will now explore briefly.
In fact, the "APT" acronym was not created by the marketing world at all, but by another world which lends it more credibility: the Defense world. The term has been used since 2006 by the US Air Force to describe “specific types of adversaries, exploits, and targets used for explicit strategic intelligence gathering goals”. As we can read, it defines a mix of human beings (adversaries) and computer material (exploits), aimed at physical structures/network architectures (targets). The goal is also mentioned in this definition: explicit strategic intelligence gathering. That’s the first definition we saw, as computer security professionals. This definition is not bad, yet please allow me to find it a bit too… short. The complexity of APT just cannot be described in one line.
Mandiant provides another definition, in which APT is "a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years". There are some limitations in this definition. The most disturbing one, from a European point of view like mine, is the inclusion of a geographical and political notion in the definition. Several other countries worldwide are attacked. Their governments can be targeted, and their private companies too. It would be very incorrect to consider that only the United States of America is targeted.
DELL SecureWorks provides a short but interesting definition in a whitepaper they released. Joe Stewart mentions “the so-called "Advanced Persistent Threat" (APT), the term commonly used to refer to cyber-espionage activity carried out against governments, activists, and industry.” Although this sentence does not really constitute a definition, the main idea is there: computer activity aimed at spying on and/or stealing information from governments, activists, and industry.
The National Institute of Standards and Technology (NIST) defines Advanced Persistent Threat as: “An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.”
This definition covers most of what APT is, in a clever way. NIST does not mention any political or geographical aspect of these attacks, and focuses on the attackers and their goals.
I chose, from my experience and from all the papers and books I’ve read regarding the topic through the years, to define APT this way:
A persistent targeted computer attack, aimed at compromising and keeping access to a governmental or private company network in order to steal information.
However, giving a strict definition of APT is not what really matters. The really important thing is to understand how these attacks are built, how and why they work, and what can be done to detect them early enough that you do not see your sensitive data leak out of your networks. This is what we want to talk about in the following weeks.