APT, Simplistic as 123
The cyber security community has a lopsided understanding of threats.
The cyber security community has a lopsided understanding of threats. On the one hand, the industry has excelled at breaking down and understanding campaigns. First through the Kill Chain and Diamond Model, and more recently with MITRE ATT&CK, there is now plenty of nuance and structure baked into describing cyber operations. Unfortunately, the same cannot be said for understanding threat actors.
The most prominent actors are referred to as advanced persistent threats (APTs) — an ambiguous and often inaccurate term. Many APT campaigns are neither advanced nor persistent. While the GRU possess an impressive capability, it was a simple phishing email that proved effective in baiting John Podesta for example. This selective use of a toolkit does not mean a threat actor is unsophisticated — in fact, it more likely reflects a mature organisation effectively managing its capability. After all, why roll out the nuclear warheads if a water pistol will do? Many have already noted that APT operations are often unsophisticated and I’m not sure how much value can be added by belabouring the point. Instead, I want to explore some of the other implications of the term, as well considering how threats are interpreted in the industry.
Beyond an actor's level of sophistication, the APT term struggles to add value to other important areas of analysis. The incentives of actors, how they have developed over time, and their post-attack strategy are not captured in a structured way. While created for a different purpose (and not necessarily directly transferable to understanding actor characteristics), this is where I really like MITRE ATT&CK due to its segmentation of campaigns into specific TTPs. Not only does it offer a comprehensive coverage of cyber operations, it also provides a common vocabulary for comparing campaigns and spotting patterns. The threat intelligence industry could surely learn from this example in moving towards a more structured approach for examining actors as well.
There are also multiple ways a threat actor can be ‘advanced’. A flexible toolkit with novel and custom-built features might reflect technical sophistication for example. Many Western agencies put a premium on remaining covert, displaying an impressive operational discipline. Conversely, other advanced threat actors might simply not prioritise secrecy to the same extent. While Russian intrusions into US political organisations were not necessarily technically sophisticated, the way stolen data was used as part of a well-executed disinformation campaign nevertheless demonstrated strategic nous. Crucially, states approach cyber campaigns in different ways and this should be reflected in a flexible understanding of what ‘advanced’ means.
States also use cyber operations for different purposes. Indian and Pakistani cyber operations will naturally diverge from Russian or Chinese efforts. Authoritarian states have focused on monitoring their own citizens while others have looked further afield. Not all of this other activity is advanced or even directly comparable with the targeted operations typically associated with APTs. Yet, it should not be ignored or viewed as completely detached. If often feels like the industry only starts to pay attention to a threat actor once it is assigned as an APT — a selective focus that will increasingly neglect an emerging underbelly of operations, particularly as more states begin to invest in developing cyber operations. The work of The Citizen Lab, which focuses on how civil society is targeted, has shown how these broader developments contain important takeaways for the threat intelligence community.
The problems with the APT term touches on a wider issue related to the limited vocabulary used to describe threat actors. While APTs tend to be associated with states, there is also room for improvement with other actor categories. ‘Cybercriminal’ is another example of a catch-all term, describing all those sitting between script kiddies and highly professionalised outfits. The distinctions between actor categories are also blurring. Some non-state groups have now developed an impressive operational capability while financially-motivated state actors (think North Korea) are reminiscent of criminal groups. These broad actor categories might be a useful starting point, yet the industry needs to delve deeper and build more nuanced concepts.
Cyber security is constantly evolving with our understanding of what constitutes advanced in flux. Today’s script kiddie’s could wreak havoc on the networks of the early 2000s while the early APT operations would seem less impressive only a few years later as defences improve. If a threat actor goes quiet, does it become less sophisticated by default given that the intelligence on its capability becomes less impressive? We need to think more deeply about how we contextualise sophistication in the context of its time. This sits as part of a broader issue related to cyber security’s awkward relationship with history. It remains unclear how many of today’s areas are being documented: our understanding of operations and systems; what constitutes sophisticated during a particular time period; how malware has evolved; etc. There is often an assumption that with so much of the discussion in our industry online (whether public talks, industry reports or Twitter spats) that it will be easy for historians to go back in 50 years and understand the thinking of the time. I’m not convinced it’s that simple and we have already seen today’s generation under-appreciate the historical context of infosec. This makes some of the rare efforts that document older campaigns vital.
I also worry that the APT term disempowers organisations — potentially portraying threats and security as overly complex. As already established, many APT campaigns are not sophisticated and even the most disciplined operations can slip up. The cyber security industry would benefit from reflecting on how threats are constructed, who defines them, and the incentives that sit behind these claims. APT is not a neutral term, but one with clear marketing and sales implications. By building up the adversary, we risk mystifying security and portraying it as unattainable. Of course, it is often necessary and useful to explain the sophistication of a threat actor and we certainly should not downplay the very real threats that we face. However, there is also an argument to be as level-headed as possible. As I have discussed before, I believe there is now a firm business case for moving beyond fear-based sales and towards a more measured discussion of the threat landscape.
Despite the challenges raised here, the industry has already made encouraging progress. The drawbacks of the APT term are increasingly acknowledged. Technical analyses of campaigns that might be considered sophisticated often unearth surprising mistakes, errors and failures in execution. A recent Virus Bulletin paper by Juan Andres Guerrero-Saade not only captured much of this thinking, but also proposed a comprehensive framework for capturing the dynamics of actors that brought some welcome nuance.
The cyber security community would also benefit from engaging with topics in the humanities and social science. Philosophy and international relations both have a long track record of building rich conceptual models and have already engaged with understanding actors in numerous ways. A more diverse range of experiences and skillsets can only help threat intelligence develop as an industry.
Despite the limitations of the APT term, there is plenty to be optimistic about. Cyber threat intelligence remains a young and immature industry. While there may be plenty of work still to do, this is precisely what makes it such an interesting space to be involved in.