Word Notes 3.16.21
Ep 41 | 3.16.21

APT (noun)


Rick Howard: The word is: APT.

Rick Howard: Spelled: A for advanced, P for persistent, and T for threat.

Rick Howard: Definition: An acronym for advanced persistent threat to describe hacker groups or campaigns normally but not always associated with nation state cyber espionage and continuous low-level cyber conflict operations.

Rick Howard: Example sentence: Some cybersecurity experts have recently said that the APT actors have devolved from "fine dining to fast food."

Rick Howard: Origin and context: In the early 2000s, the US military began to notice cyber attack campaigns against their networks that were a cut above the run-of-the-mill script kiddie attacks, web defacement operations, and low-end cyber crime that they typically blocked as a matter of course. These campaigns had a larger purpose, nation state cyber espionage, and the groups behind them had a repeatable methodology that they used over and over again. The military eventually determined that the attacks were coming from the Chinese government and collected all of that activity under the then-classified code name TITAN RAIN. By 2006, when the government realized that they needed to cooperate with the commercial sector in order to defeat cyber adversaries, they required a way to convey the ideas behind TITAN RAIN to people without security clearances. A US Air Force colonel by the name of Greg Rattray started using the generic name Advanced Persistent Threat, or APT, in non-classified spaces, and the name stuck. When Colonel Rattray coined APT, it was an unclassified version of the code name TITAN RAIN, meaning that it stood for Chinese cyber espionage attacks. Over time, the definition started to expand to include any nation state's cyber espionage operations, like those of Russia, the US, North Korea, and Iran. Recently, pundits started using it to refer to any operation (crime, espionage, hacktivism, and continuous low-level cyber conflict) where the attacking group lingered in the victim's networks for long periods of time undetected, the persistence part of the acronym. Since 2018, these hacker groups have been lingering from anywhere between 30 days to over three years in some cases. In truth, the definition of APT is all over the map. If you're describing hacker groups, the CyberWire recommends that you stay away from this label and use other, more precise language. For example, instead of saying "the Chinese APT," say "the Chinese cyber espionage group Keyhole Panda."

Rick Howard: Nerd reference: Dave Bittner, the host of the CyberWire's Daily Podcast, interviewed Dr. Gregory Rattray, now retired from the military and currently the co-founder and CEO at Next Peak. Dr. Rattray had this to say about coining the APT acronym.

Dr. Greg Rattray: I was the head of what's called the operations group of what was then the Information Operations Center, Information Warfare Center. We had been experiencing what at that time was treated as very sensitive information. And there was a decision made to bring in people from a lot of our primary Air Force contractors to talk to them about the nature of the cybersecurity concerns we had. And we wanted to do that in an unclassified fashion with the CISOs and the CIOs of these companies. So it led to, you know, preparing a presentation. I coined the term "advanced persistent threat" really just to create a construct for a conversation about what was different and the nature of what we were experiencing now from these sort of one-off hacking incidents. That was an Air Force term which turned into a DoD-wide effort to partner with the defense industrial base, which still, you know, is a major element of DoD relationships with its contractors. And in those conversations, we sort of went to this sort of introductory conversation we had had and kept using that terminology, APT. Right. You know, and that sort of got out, I think that the collaboration was there and people started to report on it. And then in the conversations, people kept using that term. So I think it was sort of through those origins that the term took root.