Not all malware is an APT, or is it?
Robert (RJ) Jeffries | August 23, 2012
As you’ve no doubt read, there is a lot of discussion in the media regarding malicious software threats such as Flame, Gauss, Zeus, ZitMo, Blackhole, Duqu and even still, Stuxnet.
It can be challenging to distinguish between how the issues may or may not relate to each other. Additionally, it doesn’t help that many media outlets have been discussing these threats in the context of Advanced Persistent Threats (APTs), without justifying how they derived the classification.
Wait, but it’s all just malware, right? APT is malware, yes? To defend against this malware we patch our systems and update our anti-virus signatures, right? No, no, no and NO.
True, these issues center on specific pieces of malicious software and are advanced, pervasive and represent significant threats. Yet these issues vary so much that they cannot be safely grouped into the same category so that a single solution can be pulled off the shelf to combat them. Solutionary’s view into the malware samples we have identified has helped us to conclude that more than 60% of mass distributed malware goes undetected by current anti-virus solutions. The key words being “mass distributed”. The detection rate for “targeted” malware (i.e. potential APT) is less than 10% by most anti-virus vendors.
In one of his recent posts, my colleague Jeremy Scott used the term ‘sophisticated attack toolkit’. He also used the term Remote Access Trojan (RAT). If you’ll notice, there’s a term he did not use - ‘Advanced Persistent Threat (APT).’
So what’s the difference? Are we simply calling a ‘rose’ by another name? No.
Sophisticated attack toolkits are a set of advanced, modularized software used in various stages in the effort to compromise target systems. RATs are but a piece of that puzzle. So where does APT come into all this? Let’s take a step back.
Advanced Persistent Threats (according to original definitions) are most accurately described as a group of attacks performed by ‘actors’ (meaning people). The attacks performed by these actors have the attributes of being highly sophisticated, structured, coordinated and determined to compromise a target network, organization or government. In short, APTs are the individuals or group of actors who use any number of strategies and tactics to meet such objectives.
Attacks considered to represent an APT have been aimed at specific people or organizations and have required very few technical attributes in order to be successful. Other such attacks have been highly technical in nature but were no less focused on very specific objectives.
True, patching your systems and software will help reduce the impact of the latest variants of sophisticated attack toolkit-borne malware. Not being a target of opportunity is always worth the effort.
As an example, let’s discuss how social engineering can be used by an APT as part of the effort to compromise a potential target (or targets). When carrying out their attacks, determined and focused actors (potential APT) could very well use a sophisticated attack toolkit to send a malicious email or SMS message that allows them to steal access credentials or other sensitive data. Then again, they might just use ‘pretexting’ to convince their intended victim to use the USB thumb-drive they’ve just been handed, or walk off with the victim’s smartphone. Social engineering, in all its forms, is just one of many potential tactics in the overall strategy used, and there are many strategies.
The point? APT is not just some piece of software. Advanced Persistent Threats are the individuals behind the attacks. So, when responding to an attack (potential or materialized), one must not only consider the tools and tactics used, but must also consider the potential actors involved, their strategies and potential objectives.
For additional details about some of the capabilities of APTs, please download the Solutionary white paper, “Defending Against Advanced Persistent Threats.”
See how Solutionary managed security services based on the patented ActiveGuard® service platform combine security intelligence and expertise to provide visibility, threat detection and event response.