10 January 2012
A lot of pixels have been spilled in the last few years about "advanced persistent threats" (APT); if nothing else, any high-end company that has been penetrated wants to blame the attack on an APT. But what is an APT, other than (as best I can tell) an apparent codename for China? Do they exist?
After thinking about it for a while, I came up with the following representation, a two-by-two chart with the attacker's skill level on the Y axis and the degree of targeting on the X axis:
I dub the lower left "joy hacks". These are the province of the script kiddie or the novice hacker. They've learned about "cool" tools, and they try them out on anyone in reach. Ordinary care will generally deflect joy hackers.
As the attackers' skill level moves up, you get what I call "random hacks". (I'm not fond of that name; any better suggestions?) People who write new worms often fall into this class, especially if the worms exploit 0-days. But worms are generally random in their targets. If you're a spammer or a botnet builder, though, that's fine; a low-bandwidth node may not be able to spew as much garbage as a well-connected one, but as the saying goes, "from each according to his ability". Your best defense here is the usual technical litany: turning off unneeded services, keeping up to date on patches, etc.
The X axis, which reflects targeting, does not necessarily imply particular technical measures. In general, though, it means that the attacker will gather as much intelligence as is feasible about the target. (Again, I'm quite unhappy with my name, especially when I have to translate it into the noun for the attacker.) Spear-phishing attacks, which display knowledge of the organization, the victim, and perhaps the purported source of the message, demonstrate the efficacy of this. The attacks themselves may not be novel, but the extra information the attacker has helps immensely. This is an arena where education and process help.
The upper right (or the upper right of the upper right) is, of course, the Advanced Persistent Threat, what John Ehrlichman so memorably called the "big enchilada". Here, you need everything you can bring to bear and then some: patches, education, process, luck, and perhaps sacrificing the entrails of a virgin artichoke on your keyboards.
Do APTs exist? Assuredly; if it accomplished nothing else, Stuxnet showed that. Are most attacks on high-profile companies APTs? I suspect that some are and some are not — but I haven't investigated or even reviewed the investigation of any of them, so I won't comment. Are nation-states behind APTs? Unknown and probably unknowable, though the more sophisticated the attack (and especially the more comprehensive and sophisticated the target intelligence was), I'd say it becomes more likely (which is not the same as "likely"). Should you worry about APTs? Ask yourself this: who would be likely to target you, and how good are they?