The APT Threat - Are You Aware?
In the wake of the recent Google attack, many news and blog sites have been awash in discussions on APT threats. But just what is 'APT'? Is it new? Why does it concern us?
APT, or Advanced Persistent Threat, is a term most often used to refer to a particular breed of well-funded, knowledgeable threat agents. APTs seek stealthy access to their targets in pursuit of specific objectives that do not involve notoriety or immediate financial gain. Several key traits set them apart from other threats:
Advanced: The threat has the knowledge and resources to use the full spectrum of intrusion techniques, from commonly available malware kits to custom-developed tools and zero-day exploits, choosing whatever fits the target's security posture.
Persistent: The threat obtains, and then maintains over time through interactive monitoring and response, whatever level of access to the target its objectives require.
Threat: The threat is not mindless, opportunistic malware, but a coordinated, organized and motivated human-driven attack by a group with very selective goals and objectives.
The term 'APT' has been around for several years and is generally attributed to the US military. The concept, however, is much older and has gone under other names, describing government-sponsored cyber-warfare or electronic intelligence gathering against other nation-states.
Increasing evidence, including a congressional advisory panel report detailing cyber-spying on US companies, attacks against the US oil industry, and the Google attack itself, shows that concern about APT is no longer the sole province of the traditional military/defense complex. Rather, APTs now routinely target public and private entities where, through theft and use (not sale) of intellectual property, they can gain economic, technical, or political advantage.
From Google's blog:
First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted.
A report from Mandiant puts it even more bluntly:
The APT isn't just a government problem; it isn't just a defense contractor problem; and it isn't just a military problem. The APT is everyone's problem. No target is too small, or too obscure, or too well-defended. No organization is too large, too well-known, or too vulnerable. It's not spy-versus-spy espionage. It's spy-versus-everyone.
Most commentators agree that the APT threat is not just traditional industrial espionage: it is better resourced, more virulent and less constrained. With its focus turning to non-government entities, the changing landscape makes awareness of, and quite possibly a response to, the APT threat relevant to us all.
To read more on current APT thinking, see the following sources (and look for at least one of their authors at the Secure360 Conference this May):
http://taosecurity.blogspot.com/search/label/apt
http://1raindrop.typepad.com/1_raindrop/
http://blog.mandiant.com/archives/tag/apt