Home > incident response > It isn’t APT, it is SASPDT – Sometimes Advanced, Sometimes Persistent, Definitely a Threat.

It isn’t APT, it is SASPDT – Sometimes Advanced, Sometimes Persistent, Definitely a Threat.

I’m human (thankfully) and I get irked by simple things at times. Today it due to conversations such as this one:

Them: “That malware wasn’t very advanced, it is just a version of <insert commodity malware here>”
Me: “Interesting. What’d they do with it?”
Them: “Moved laterally to our domain controller, dumped all the hashes, and shipping them out via FTP.”
Me: <silent>

OK, so it isn’t APT, it is SASPDT – Sometimes Advanced, Sometimes Persistent, Definitely a Threat.

“Advanced” isn’t required if they (insert your favorite description of the threat actor) can get into your environment using commodity malware, move laterally and collect sensitive data due to poor security controls, and exfiltrate the data via FTP because you don’t have any DLP in place. Similarly, “Persistent” isn’t required if they can phish their way in at will.

As long as the less sophisticated attacks will work, there is no need for malicious actors to deploy more advanced tools. Why was Stuxnet used on Iran and why aren’t you seeing Stuxnet in your environment? Because the attackers needed something sophisticated to get into the Iranian nuclear program environment but don’t need the same level of sophistication to get into your environment.

I normally don’t get too hung up on the term “APT”. For me, it is a convenient shorthand for “groups of often well funded malicious threat actors who may or may not be state sponsored but who are definitely capable of breaking into most environments and taking sensitive data.” Dismissing an attack because it wasn’t advanced, or because it didn’t come from China, seems unwise to me. If they pose a significant risk to your business, then they’re DT – definitely a threat.

Advertisements
  1. January 22, 2013 at 9:30 pm

    I gotta say, I read this when you first posted it and I keep coming back to it. I think about this at least once a week.. such a great acronym and description. Thanks for getting this into my head.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: