APT and why I don't like the term

Published: 2016-07-01
Last Updated: 2016-07-01 12:56:40 UTC
by Brad Duncan (Version: 1)
2 comment(s)


In May 2015, I wrote a diary describing a "SOC analyst pyramid."  It describes the various types of activity SOC analysts encounter in their daily work [1].  In the comments, someone stated I should've included the term "advanced persistent threat" (APT) in the pyramid.  But APT is supposed to describe an adversary, not the activity.

As far as I'm concerned, the media and security vendors have turned APT into a marketing buzzword.  I do not like the term "APT" at all.

With that in mind, this diary looks at the origin of the term APT.  It also presents a case for and a case against using the term.

Origin of "APT"

In 2006, members of the United States Air Force (USAF) came up with APT as an unclassified term to refer to certain threat actors in public [2].

Background on the term can be found in the July/August 2010 issue of Information Security magazine.  It has a feature article titled "What APT is (And What it Isn't)" written by Richard Bejtlich.  The article is available online [2].

Shown above: An image showing the table of contents entry for Bejtlich's article.

According to Bejtlich, "If the USAF wanted to talk about a certain intrusion set with uncleared personnel, they could not use the classified threat actor name.  Therefore, the USAF developed the term APT as an unclassified moniker" (page 21).  Based on later reports about cyber espionage, I believe APT was originally used for state-sponsored threat actors like those in China [3].

A case for using "APT"

Bejtlich's article has specific guidelines on what constitutes an APT.  He also discussed it on his blog [4].  Some key points follow:

  • Advanced means the adversary can operate in the full spectrum of computer intrusion.
  • Persistent means the adversary is formally tasked to accomplish a mission.
  • Threat refers to a group that is organized, funded, and motivated.

If you follow these guidelines, using APT to describe a particular adversary is well-justified.

Mandiant's report about a Chinese state-sponsored group called APT1 is a good example [3].  In my opinion, FireEye and Mandiant have done a decent job of using APT in their reporting.

A case against "APT"

The terms "advanced" and "persistent" and even "threat" are subjective.  This is especially true for leadership waiting on the results of an investigation.

Usually, when I've talked with people about APT, they're often referring to a targeted attack.  Some people I know have also used APT to describe an actor behind a successful attack, but it wasn't something I considered targeted.  We always think our organization is special, so if we're compromised, it must be an APT!  But if your IT infrastructure has any sort of vulnerability (and it will, since people are trained to balance risk against profit), you're as likely to be compromised by a common cyber criminal as you are by an APT.

Bejtlich states that after Google's "Operation Aurora" breach in 2010, widespread attention was brought to APT.  At that point, many vendors saw APT as a marketing angle to rejuvenate a slump in security spending [2].  I think most media outlets have tried to ride that trend.

Shown above:  An example of media reporting on APT.

A good example of bad reporting is the "Santa-APT" blog post from CloudSek in December 2015.  The CloudSek site (and the blog post) are no longer online; however, other sources have reported the info [5], and a cached version of the post is also available.

Shown above:  Screenshots of the alleged "Santa APT" app.

The blog post reported a malicious Santa-themed Android app hosted on the Google Play Store.  CloudSek stated the app was the work of an APT group that it called Santa-APT.  The post was very short on details, and many I knew in the community were skeptical of CloudSek's claim.  The company's tweet even had a comment disputing the article's claims [6].  I certainly didn't see anything that indicated the malware was created by an advanced adversary with specific goals against distinct targets.

Final words

As far as I'm concerned, APT is still a vague term that's now a buzzword.  People generally use it according to their own biases.  Remember that APT is supposed to describe an adversary and not the attack.

I recently attended the FOR578 Cyber Threat Intelligence class at SANSFIRE 2016.  For me, one of the big points from FOR578 is that attribution is tricky.  You can review all the data about an attack on your network and still not be certain who is behind it.  People's biases get in the way, especially when the biggest question is "who did this?"

But identifying the people behind an attack is often futile.  Find patterns in the available data and try to categorize it, yes.  You might recognize a repeat attacker, and you'll be better prepared to respond.  However, you may never truly know who is behind any given set of attacks.  I feel we should be focusing on what vulnerabilities allowed the attack to happen in the first place.

Brad Duncan
brad [at] malware-traffic-analysis.net


[1] https://isc.sans.edu/forums/diary/SOC+Analyst+Pyramid/19677/
[2] http://viewer.media.bitpipe.com/1152629439_931/1279750495_63/0710_ISM_updated_072010.pdf
[3] http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
[4] http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html
[5] http://www.theregister.co.uk/2015/12/16/ho_ho_hosed_asian_biz_malware_pwns_airgaps_thousands_of_androids/
[6] https://twitter.com/fb1h2s/status/677083166461452288



Reminds me of another USAF acronym gone awry. "UFO", which was defined by the Air Force in 1953 as, " relates to any airborne object which by performance, aerodynamic characteristics, or unusual features, does not conform to any presently known aircraft or missile type, or which cannot be positively identified as a familiar object."

But now, the term has become synonymous with something specific, and wholly different from the original definition... Extraterrestrial/Alien spacecraft.

I agree with you fully. The term APT is often distorted and used out of context. Like you, I think the focus should be on identifying and remediating vulnerabilities, and being able to detect and respond to an attack. It matters very little who the attacker is, and whether they are advanced, or persistent, or not.

Mind you, I've also encountered at least one vendor who uses the terms threat and vulnerability interchangeably. Offering to help me scan my servers for "threats".
