Is APT the new FUD?

Share this article:
Is APT the new FUD?
Is APT the new FUD?

Advanced persistent threat (APT) is a term with a specific meaning – generally referring to a sophisticated and well-organized cyberattack against a singular entity. These types of attacks are so well-coordinated that the term is generally used in regard to a nation-state or government-sanctioned attack. But, in the security industry, buzz sells, and APT is now becoming synonymous with any form of cyberattack.

In March, RSA announced that it was the victim of an APT attack. Given the stature of the company, the target of the attackers (information to compromise the effectiveness of the company's SecurID line) and the openness of the post-attack investigation, there is little doubt RSA was indeed hit with an APT. But it seems the term now is thrown out any time an attack occurs – and security experts are starting to suggest that companies are hiding under an “APT umbrella” to cover the fact that they have not been following good security practices.

Pete Lindstrom, research director of Spire Security, among others, suggests that APT is nothing more than FUD – fear, uncertainty and doubt – in a different package. Companies have always been embarrassed to admit to a breach – and the term APT absolves them from culpability.

Whether a rogue nation-state is focusing on your company is beside the point – and this is exactly what is missed in this whole discussion. Oftentimes, so-called APT attacks are successful through old-school style attacks, predominantly phishing. This was the case in the RSA incident. While we debate whether APT is an accurate term to describe recent breaches, cybercriminals are laughing their way to the bank. These discussions are important, but it is more important that we learn the lessons of each breach, raise awareness around the vulnerabilities in all of our organization, and find solutions to make sure our data remains secure.
Share this article:

Sign up to our newsletters

More in Features

Case study: Big LAN on campus

Case study: Big LAN on campus

A university rolled out a wireless network, but was hampered with a user-support problem...until a solution was found. Greg Masters reports.

2014 Women in IT Security: Stacey Halota

2014 Women in IT Security: Stacey Halota

When she stepped into the job of vice president of information security and privacy at Graham Holdings Company in 2003, Stacey Halota had to carve out new territory because her ...

What's sex got to do with it?

What's sex got to do with it?

Harassment has no place in the security industry. Neither do sexism or discrimination. But, there they are. It's time for infosec to just say no, reports Teri Robinson.