Answering APT Misconceptions

There's finally some good reporting on advanced persistent threat appearing in various news sources. A new Christian Science Monitor story, one by Federal Computer Week, and one by Wired are making progress in raising awareness. Unfortunately, there's plenty of Tweeting and blogging by people who refuse to understand what is happening or are not capable of understanding what is happening. From now on, rather than repeat myself trying to answer these misconceptions, I decided to consolidate them here.

1. Myth 1. APT is a "new term," invented by Mandiant. Reality: Mandiant did not invent the term. The Air Force did in 2006. More info: What Is APT and What Does It Want?


2. Myth 2. APT is "not new." Reality: APT is only new to people who have not been involved with the problem. If you look solely at offender and motive, and exclude defender, means, and opportunity, you're likely to think APT is not new; you'd be wrong. Just performing an Attribution Using 20 Characteristics exercise helps demonstrate that APT is not like organized crime or other structured attackers. More info: Two-Dimensional Thinking and APT


3. Myth 3. APT is "marketing hype." Some companies with little to no experience with APT are clearly jumping on the counter-APT bandwagon, even registering domain names related to APT. That is sad but not unexpected. However, companies like Mandiant are not suddenly releasing reports because of Google v China. Mandiant offered a public Webcast (which I attended) in March 2009 called State of the Hack - Addressing the Advanced Persistent Threat. They and certain other companies have been public about APT for a while, but a lot of people were ignoring them. More info: You Down With APT?


4. Myth 4. APT is a "class of attacker." Reality: Most of the counter-APT community uses APT to refer to specific threats or "threat agents" if you prefer that term. Those threats are associated with a certain country. In some cases, certain counter-APT community members prefer to include other countries with similar capabilities. If required to differentiate during discussions, I prefer to prefix APT with the named country.


5. Myth 5. APT is "FUD." Reality: Fear can be healthy if it helps reallocate resources away from wasteful and ineffective compliance regimes like FISMA. No one I know who fights APT sleeps very well. Regarding uncertainty and doubt, what more do you need to know? Read my post Is APT After You? to get a better sense if you should worry. It's better to prepare your defenses now than to start once a Federal agent comes knocking. More info: DNI Blair Leads with APT as a "Wake-Up Call"

I may add more myths as they appear, but for now those five seem sufficient.

By the way, I appreciate the private communication and public comments from people genuinely interested in learning about this issue. It helps focus my attention away from the critics who refuse to align with reality. It's also clear that many of you understand why I use certain phrases or address this subject in the manner that I do. I am glad those of us with similar backgrounds can at least share in that sense of solidarity. Thank you.