I posted a response to a Securosis blog post where they say this:
There’s a lot of hype in the press (and vendor pitches) about APT — the Advanced Persistent Threat. Very little of it is informed, and many parties within the security industry are quickly trying to co-opt the term in order to advance various personal and corporate agendas. In the process they’ve bent, manipulated and largely tarnished what had been a specific description of a class of attacker.
My response may show up sometime soon; in the meantime, here is what I said:
Excellent comments above. I agree with most here and just wanted to relate an interesting experience and three points about APT.
Some government officials met with me after my talk on security breaches at RSA 2010 in San Francisco. They laughed at me and said the word/acronym APT is hyped too much and misunderstood. They also gave me the “we know far more than anyone else about what is really going” story. I held back from being a smart-ass about all this posturing nonsense and instead asked for details.
First, I say worry less about use of language and words like APT. Clarity and understanding has a place/time — like a meeting where action is required. Public discussion is not that time. Absolute accuracy in language/definition during general conversation is really a straw-man argument — attack of a phrase or word instead of substance being put forward. We also could get upset about misuse of the word too versus to, the word hacker, the phrase critical infrastructure, etc. but open communication is never really clean. If you say car, you could mean just about anything, yet no one gets upset about car. Words get “bent, manipulated and largely tarnished” yet language works amazingly well. Cool, no? Or should I say that it’s hot? Move along please. If you struggle with APT you will really have a hard time with cloud.
Second, I agree completely that sharing APT info is better but I have seen two reasons used for controlled disclosure instead of openness.
A) Power and politics unfortunately sneak into this. The relatively immature and open field of play in Washington gives an incentive for sparse and sometimes unverifiable disclosures. Releasing information in a limited fashion can create a dramatic influence over the hill. Was it coincidence for example that during the debate regarding control and leadership for cybercommand the WSJ released a story that spies have infiltrated the US energy sector? A totally open discussion would not have had the same effect — reporters might have come to a different conclusion. Civilian leadership will lose control if the military and intelligence communities do not have more open discussion with them. Classic political science.
B) There is some chance that disclosure during an ongoing investigation could compromise its success. Only after the investigation is over should be made open to study. The questions are who gets to decide when a case is closed and how much should they share to whom? The guys I spoke with said they’ve been watching APT for over ten years. We talked about a few case examples and I realized they are stringing everything together — they would say the case is always open. I disagree with them in principle but more importantly I do not have any authority to make them close a case, disclose, and start new ones. I also can not easily parse who they trust and who they fear.
Third, check out the HTCIA. The audience for my presentations at the International Conference were almost all Peace Officers, Investigators and Prosecuting Attorneys. Discussions were less theoretical and more case/fact-based than your usual group. It’s a great place to share information on real attacks with fellow security professionals.