We need to address APT threats. Oh, by the way, what is an APT?

Figure 1: My search for a definition of APT led me to my own personal resources, in this case a slide from one of my presentations made in 2017. The links to those reports I quoted from are no longer available. So I guess we are stuck with a definition for APT that covers cybercrime and protection of information on a network. Or at least we can hope in this coming New Year that policy makers will have the imagination to go further.

I was working on the final edits of a project on incident management when I decided, for the purpose of improving clarity for the reader, to insert a footnote for the term APT or Advanced Persistent Threat. I felt I should not assume that the readers of the document would know what an APT is. After all, the news was full of examples of the handiwork of APTs such as Salt Typhoon, which were attributed to the malicious cyber activities of a state. Then of course there was the granddaddy APT operation of them all, STUXNET, which caused great mischief in the control systems of a nuclear enrichment facility. I resisted the temptation to just write out the definition of APT off the top of my head. This, after all, was a professional work, so I searched for the term using the search query “advanced persistent threat definition” for a start and immediately got a lot of hits. I was quickly disappointed in the definitions of APT found at the sites of organisations that should have known better.

Close to the top, and rightly so, was a definition, or as it turned out several, from NIST, which the Google hit list page told me is a site that “You visit often.” So, I looked at what the list offered and was quite surprised at the offerings for APT definitions. In all six offerings of APT definitions, quoting from several NIST documents, was this phrase:

 “to establish and extend its presence within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future;”[1]

I scratched my head and said to myself: really now, is that all there is to an APT? Was I to offer my audience, which has a background in engineering and in the monitoring and control of a process governed by the laws of physics and chemistry, a definition that focuses on protecting information? No, I will not mislead my audience and will look for something more comprehensive that will also include language that will address APT activities that target process control and not just information.

OK, I said, let us try the next hit on the list, and followed a link to CrowdStrike, which offered its definition. I looked at the site's date and saw that it was last updated on February 28, 2023. I wonder if they did not feel they needed to update that entry considering the bad year they just had[2]. I nevertheless went on and read their definition of APT, and I quote the first few lines:

“a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time. An APT attack is carefully planned and designed to infiltrate a specific organization, evade existing security measures and fly under the radar.”[3]

I was surprised again at the focus on theft of “sensitive data” and the environment of its activity being the “network.” Perhaps I was not being fair and only looking at the sites of IT security companies. I then chose to find a site of an IACS manufacturer and searched using the terms “SIEMENS APT definition,” and right away I thought I hit pay dirt, for the first hit to come up from Siemens was “APT User Manual.” My hopes for enlightenment gave way to more confusion when I read that this was not about the APT I had in mind but instead a manual on how to use one of their fine applications, “SIMATIC Application Productivity Tool — APT”[4]. Funny to use that acronym after what an APT most famously did to one of its products.

I changed my search terms and gave Siemens one more try and found something more to the point in the form of a position paper titled “Siemens’ Operationalizing Cybersecurity.” This reference does point to APT activity but lacks a definition, which takes away from the usefulness of the document. For example, it describes one of the threats to be cybercrime (ransomware), which is not often a sign of state activity. The association with cybercrime does not fully map to support their admirable concern for:

“disruption of operations that could result in the destruction of facilities and impact public safety. This trend applies to power plants, water and wastewater treatment facilities, oil and gas installations, automated industrial facilities, food, and beverage manufacturing – in short, private and public enterprises that support civil society and help drive our economy.”[5]

The implications of APT and its consequences are understood but limited to what can be caused by cybercrime, not a state supported operation that targets a power plant, water, or gas installation.

OK, I said to myself. Maybe look at what CISA has to offer in terms of an APT definition. Spoiler alert: I was more disappointed. The US Government’s CISA defines APT as:

“A sophisticated threat actor, often associated with a nation-state, that has the resources and capabilities to conduct a sustained cyber campaign against a target individual or organization. The APT often spends a lot of time learning about their target before conducting an intrusion to establish an undetected presence in the target’s network. This ultimately enables the APT to surveil the target, steal sensitive data, or conduct other malicious activity over a prolonged period of time.”[6]

And now the great twist: CISA goes on to cite NIST and CrowdStrike for more information about APTs.

After this non-exhaustive search for a comprehensive definition of APT, is it acceptable to conclude that in terms of addressing the malicious activities of states we still have a dangerously limited definition of APT? That the kinds of non-cybercrime-related threats to the critical infrastructure of states that can disrupt the economy, affect national security, and degrade the well-being of society are off some of our radar screens?

I hope not.

Merry Christmas and Happy New Year!

19 December 2024, Vilnius, Lithuania


[1] https://csrc.nist.gov/glossary/term/advanced_persistent_threat

[2] Steven J. Vaughan-Nichols, 7 Urgent Lessons From the CrowdStrike Disaster, The New Stack, Jul 21st, 2024, https://thenewstack.io/7-urgent-lessons-from-the-crowdstrike-disaster/?utm_referrer=https%3A%2F%2Fenergycentral.com%2F

[3] https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/advanced-persistent-threat-apt/

[4] https://cache.industry.siemens.com/dl/files/951/13839951/att_96400/v1/user.pdf

[5] Siemens’ Operationalizing Cybersecurity, Siemens Industry Inc., page 2. https://assets.new.siemens.com/siemens/assets/api/uuid:94515238-7562-4dd0-b4d3-0de02407707e/di-pa-dcp-rcm-operationalizing-cyber-paper-en.pdf , Accessed 2024-12-19.

[6] https://www.cisa.gov/resources-tools/resources/project-upskill-glossary

http://scadamag.infracritical.com/index.php/author/vytautas/

NOTE: The views expressed within this blog entry are the author’s and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. He has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard and is Co-chair of ISA 99 Workgroup 16 on Incident Management and member of ISA 99 Workgroup 14 on security profiles for substations.