The Adaptive Persistent Threat

Much ado has been made of the “Advanced Persistent Threat”. Unfortunately, pundits look at the ease of some of the attacks, and get hung up on the keyword, “Advanced.” How do we know the adversary is so advanced, if he can succeed using such trivial attacks? The relative skill of the adversary is actually uninteresting; it is his persistence.

Many threat models focus on vulnerability and exposures. This creates an assumption of an ephemeral adversary; one who has a limited toolbox, and will attack at random until he finds an ill-defended target. This leads to planning to simply not be the easiest target (“Do you have to be faster than a bear to outrun it? No, you just need to be faster than the other guy. Or tie his shoelaces together”).

Unfortunately, in a world of persistent threats, this may leave you open to other attacks. Consider the difference between protecting yourself against a random mugging and dealing with a stalker. Even if a stalker is relatively primitive, they will adapt to your defenses, and present a very real threat.

So let’s drop the “Advanced” and replace it with “Adaptive”: the “Adaptive Persistent Threat”. In the face of this APT, unless you know yourself to be invulnerable (implausible), you should worry also about secondary targets. Once the APT has penetrated your first line of defenses, what can they do to you? How do you defend yourself?