Monday, November 7, 2011

Advanced Persistent Threats -- Something to worry about or just another buzzword?

In recent months there has been increased discussion in the media about advanced persistent threats (APTs), and even more discussion about how to define an APT. McAfee defines an APT as a "targeted cyberespionage or cybersabotage attack that is carried out under the sponsorship or direction of a nation-state for something other than a pure financial/criminal reason or political protest." Other definitions are broader, describing an APT as a category of cybercrime in which the attacker uses the full spectrum of attack vectors to reach and compromise their target.


The definition used is often the one that best serves the main goal of the article or advertisement, which has led many IT security professionals to put advanced persistent threats in the "buzzword" category. Despite those non-believers, almost two-thirds of enterprise information security managers believe their businesses have been targeted by advanced persistent threats, and 72% expect to see such attacks continue in the future, according to an Enterprise Strategy Group report on advanced persistent threats. These managers believe the attacks are being carried out, in order of likelihood, by hacktivist groups such as Anonymous, organized crime rings, competitors conducting reconnaissance or industrial espionage, foreign governments, and terrorists.

Whether or not APT is just another catchy acronym, the survey results show that organizations are responding in the right way. 51% of respondents said that senior executives have increased the amount of money allocated to training employees on security strategies, 33% now meet more frequently with their Chief Information Security Officer (CISO) or IT risk team, and 18% have created the role of CSO or CISO, or another senior security position. The continuing trend of staffing risk and security positions that report directly to the Board of Directors demonstrates the importance of integrating technology with business process. Managing the risk and security of the organization, its critical technology infrastructure (uptime and productivity) and its confidential and sensitive data (GRC, brand loss, IP loss) should be fundamental to any best-practices organization.


With the increasing sophistication of the threat landscape, reliance on under-managed technologies (AV, IPS, IDS) is simply not enough. As we continue to build more efficient and open B2B and B2C models, an organization must take into account the context of the information being accessed: the roles of the people accessing it, the sensitivity of the information, its actual use, and the policies that enforce those constraints. This takes coordination, via the CISO, of executives, HR, Legal, Technology, and business unit leaders.
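To make "the context of the information being accessed" concrete, here is a small deny-by-default access decision that weighs the three factors named above (the requester's role, the data's sensitivity, and the declared purpose of use) against an explicit policy. This is an added illustration, not code from the original post or any product it mentions; the subjects, resources, rule names and approved-purpose list are all hypothetical.

```python
"""Context-aware access decision: role, data sensitivity, purpose of use,
and an explicit policy, evaluated deny-by-default.
Added illustration; every name and rule here is hypothetical."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, FrozenSet, List, Tuple


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]     # business units / job roles the user holds
    clearance: Sensitivity    # highest sensitivity the user may see


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity
    owner_unit: str           # business unit that owns the data


@dataclass(frozen=True)
class Request:
    subject: Subject
    resource: Resource
    action: str               # "read" or "export"
    purpose: str              # declared purpose of use, e.g. "audit"


# A rule is (name, predicate, effect). Deny rules are listed first so any
# matching deny wins; a request no rule allows falls through to deny.
Rule = Tuple[str, Callable[[Request], bool], str]

# Hypothetical list of purposes for which CONFIDENTIAL+ data may be used.
PURPOSES_FOR_CONFIDENTIAL = {"audit", "operations"}

RULES: List[Rule] = [
    ("export of RESTRICTED data is never permitted",
     lambda r: r.action == "export"
     and r.resource.sensitivity == Sensitivity.RESTRICTED,
     "deny"),
    ("clearance must be at least the resource sensitivity",
     lambda r: r.subject.clearance < r.resource.sensitivity,
     "deny"),
    ("CONFIDENTIAL or higher requires an approved purpose",
     lambda r: r.resource.sensitivity >= Sensitivity.CONFIDENTIAL
     and r.purpose not in PURPOSES_FOR_CONFIDENTIAL,
     "deny"),
    ("members of the owning unit may read its data",
     lambda r: r.action == "read"
     and r.resource.owner_unit in r.subject.roles,
     "allow"),
    ("auditors may read any data for audit purposes",
     lambda r: r.action == "read"
     and "auditor" in r.subject.roles and r.purpose == "audit",
     "allow"),
    ("PUBLIC data may be read by anyone",
     lambda r: r.action == "read"
     and r.resource.sensitivity == Sensitivity.PUBLIC,
     "allow"),
]


def decide(req: Request) -> Tuple[str, str]:
    """Return (effect, reason). First matching rule wins; default is deny."""
    for name, predicate, effect in RULES:
        if predicate(req):
            return effect, name
    return "deny", "no rule matched (default deny)"


# Constructed sample subjects and resources (not real data).
ALICE = Subject("alice", frozenset({"finance"}), Sensitivity.CONFIDENTIAL)
BOB = Subject("bob", frozenset({"marketing"}), Sensitivity.INTERNAL)
CAROL = Subject("carol", frozenset({"auditor"}), Sensitivity.RESTRICTED)
LEDGER = Resource("q3-ledger", Sensitivity.CONFIDENTIAL, "finance")
MERGER_PLAN = Resource("merger-plan", Sensitivity.RESTRICTED, "exec")
PRESS_KIT = Resource("press-kit", Sensitivity.PUBLIC, "marketing")

if __name__ == "__main__":
    for req in [
        Request(ALICE, LEDGER, "read", "operations"),    # allow: own unit
        Request(ALICE, LEDGER, "read", "marketing"),     # deny: wrong purpose
        Request(BOB, LEDGER, "read", "operations"),      # deny: clearance
        Request(CAROL, MERGER_PLAN, "read", "audit"),    # allow: auditor
        Request(CAROL, MERGER_PLAN, "export", "audit"),  # deny: export
        Request(ALICE, PRESS_KIT, "export", "sharing"),  # deny: default
    ]:
        effect, reason = decide(req)
        print(f"{req.subject.user:6} {req.action:6} {req.resource.name:12} "
              f"-> {effect:5} ({reason})")
```

The point of the ordering is that the policy fails closed: a missing or unforeseen combination of role, sensitivity and purpose is denied and the reason is returned alongside the decision, so every outcome can be logged and reviewed by the people the post says must coordinate on these policies.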
