Internet Security Systems - AlertCon(TM)

The Advanced Persistent Threat in 2012

Posted by Tom Cross on May 09, 2012 at 3:11 PM EDT.

Advanced Persistent Threat continues to be one of the most important topics in Internet security. It is also one of the most misunderstood - and not just by laypersons but by professionals as well. The ambiguity of the term has led many well-meaning observers to misinterpret or oversimplify the subject being discussed. The difficulty that private organizations have in attributing attacks to specific actors has also made the term hard to apply with confidence.

Advanced Persistent Threat is best understood as a proper noun that refers to a particular group of state-sponsored computer attackers who have had a widespread impact on networks throughout the world. These kinds of attacks are very challenging to combat, because the attackers are able to evade traditional security controls through the use of vulnerability research, custom malware, and covert command and control.

Since this term entered the public dialog, X-Force has published a series of talks intended to contribute to a better understanding of these attacks, how they work, and what steps can be taken to combat them. There is no easy answer, and there is no product you can buy that will solve this problem. There are, however, practices that you can put in place that will improve your readiness and your ability to stay on top of these incidents.

The attached video is a long version of a talk on APT that I gave this year at IBM Pulse in Las Vegas. In the video, I talk about the overall threat landscape and where APT fits into the picture, and I discuss how sophisticated attacks work and how targeted spear phishing happens. I also provide a specific example of a customer that IBM has worked with to detect and mitigate these attacks, and I explain some basic principles that can be applied to that case. These principles help shed light on opportunities that existed in this customer's environment to detect these attacks. Perhaps they can also be applied in your environment.

The video is below:

(One error correction - In the first few minutes of the video I discuss the emergence of the term APT into the public dialog early in 2010. At one point I mistakenly say "early 2011," but in fact this discussion refers to 2010, not 2011.)
