Advanced Persistent Threats – A Simple Analogy
August 1, 2016
Author: Stephen Gates, Chief Research Intelligence Analyst, NSFOCUS
One of the things that amazes me the most is how the general population lacks a firm understanding of the cyber threats they face daily. Since few people outside of security circles have actually been trained in cyber security, the general lack of knowledge pertaining to cyber-attacks is understandable. Educating the general population on cyber security as early as grade school, would go a long way to solving many of the global cyber security issues.
Working in the cyber security industry for over 15 years, I obviously have an advantage over those that do not work in our industry. Understanding that, I often feel compelled to help educate the general population on the threats we hear so much about. In this case, let’s peel back the layers of the onion so to speak, and describe what an Advanced Persistent Threat (APT) actually is.
APTs are obviously advanced. They are persistent, and they are a threat. But what does that actually mean? Is an APT a piece of malware like a virus, worm, or Trojan? Not really. An APT is usually the result of a piece of malware; not the malware itself. So what is an APT? Maybe this analogy will help explain an APT.
Say for instance, you opened a window in your home and an insect took advantage of the hole you had in your window screen. The insect saw the hole and flew right in. Unfortunately, in this case your first line of defense (the screen) had a hole big enough for the flying insect to gain access. Once access was gained now what?
In this case, suppose the insect that just invaded your home had the ability to camouflage itself. This advanced ability allowed the insect to look like the table when it landed on the table. It looked like the rug when it landed on the rug, and it looked like your coffee when it landed in your cup. You would simply not know the insect was there.
Next, presume the insect had extremely stealthy wings that allowed it to move around without being heard. The wings allowed it to move faster than your eyes could see and you simply could not hear its movement. As a result, the insect would likely remain persistent in your home for some time, before you could ever catch it. No matter what you did, you could not get the insect to leave on its own.
Finally, imagine the insect was weaponized. The camouflaged, nearly undetectable insect had a stinger that could be used more than once. As you enjoyed the comfort of your home, the insect would sting you and your guests, repeatedly. The threat in this case was so painful, it forced you to bug bomb the entire home to kill that single insect.
So, the insect in this story was highly advanced, it was extremely persistent, and it was a serious threat. Hackers do the same thing. They gain access to your network first; normally by taking advantage of a hole in your defenses. Once hackers gain access, they use advanced tactics to remain stealthy and undetectable. As a result, hackers remain persistent in your network for long periods of time. Ultimately, hackers become weaponized. They gain access to other vulnerable systems in your network. They plant malware, steal data, and use your devices to spread their infections elsewhere.
And there you have it. You have just graduated from the Stephen Gates’ School of Advanced Persistent Threats.
Steve is a key research intelligence analyst with NSFOCUS IBD. He has been instrumental in solving the DDoS problem for service providers, hosting providers, and enterprises in North America and abroad. Steve has more than 25 years of computer networking and security experience with an extensive background in the deployment and implementation of next-generation security solutions. In his last role, Steve served as the Chief Security Evangelist for Corero Network Security before joining the NSFOCUS team. Steve is a recognized Subject Matter Expert on DDoS attack tools and methodologies, including next-generation defense approaches. You can usually find Steve providing insight, editorial, industry thought leadership, and presentations covering the latest security topics at RSA, SecureWorld, SANs, Black Hat, IANS, ISSA, InfraGard, ISACA, etc.