Survey confirms AETs are real and dangerous threats

While there is some debate as to whether AETs exist, the success of APT malware suggests that AETs are in the mix, and in a big way.

Advanced Persistent Threats (APT) are the current bane of information-security professionals. Researchers at McAfee Security, an Intel company, believe they know why. Advanced Evasion Techniques, or AETs, have the ability to cloak communications between the attacker and the APT malware inside the victim's perimeter.

McAfee researchers also believe the advantage afforded the APT/AET combination is enhanced by one or both of the following reasons: either those responsible for network security do not realize AETs exist, or they do not comprehend AETs. To find out what's what, McAfee commissioned Vanson Bourne to survey security professionals around the world, asking the sec pros what they knew about AETs. The survey's top findings:

  • One in five admitted their network was breached (second source), and nearly 40 percent of those breached believed AETs played a key role.
  • Nearly 40% of IT decision makers did not believe they had methods to detect and track AETs within their organization.
  • More than 60% said the biggest challenge when trying to implement technology against AETs is convincing the board they are a real and serious threat.

Based on the above results, McAfee researchers believe most respondents misunderstand AET technology, and because of that have ineffective security measures in place.

The McAfee report publishing Vanson Bourne's survey results, The Security Industry's Dirty Little Secret, offered another interesting conclusion. The report said, "Because of the debate about the very existence of AETs, hackers continue to use these techniques successfully to exfiltrate information. The longer the industry continues to debate the existence of AETs, the longer businesses will be vulnerable to them."

What is an APT, AET, and what are the differences?

For this discussion, let's define APT and AET. The following APT definition is from the National Institute of Standards and Technology (NIST):

"An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future."


NIST's definition emphasizes an APT's ability to:

  • Pursue its objectives repeatedly over an extended period of time
  • Adapt to defenders' efforts to resist it
  • Maintain the level of interaction needed to complete its objectives

As for AETs, McAfee does not consider them to be attacks per se. The report said, "The bits of code in an AET are not necessarily malicious, they are used to disguise an attack. The danger lies in that AETs provide the attacker with undetectable access to the network."


The report also mentioned how AETs use fragmentation and obfuscation techniques to provide their stealthiness. The McAfee slide in the original article illustrates how the two techniques combine to cloak command and control traffic from the attackers. Once safely ensconced inside the perimeter, the smaller pieces reassemble, and proceed with the attack. The APT/AET attacks targeting South Korean organizations last July are a good example of this approach. As mentioned in a previous TechRepublic article, McAfee offers a free tool that tests for AET persistence.
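To make the fragmentation point concrete, here is an added illustration (not code from the article or from McAfee) of why per-packet signature matching misses a payload split across segments, and why an inspection device has to reassemble the stream before it looks. The signature, segment offsets and arrival order are all constructed for the example.

```python
# Added illustration, not from the article or the McAfee report.
# Shows the difference between inspecting each segment on its own and
# inspecting the reassembled stream. Signature and segments are constructed.
from typing import List, Tuple

Segment = Tuple[int, bytes]          # (byte offset within the stream, data)

# Constructed detection signature for a hypothetical C2 check-in request.
SIGNATURE = b"GET /c2/beacon"

# Constructed stream: one request split into three segments that arrive out
# of order, with the signature straddling both segment boundaries.
SAMPLE_SEGMENTS: List[Segment] = [
    (11, b"con?id=7 HTTP/1.1\r\n"),   # arrives first, out of order
    (0,  b"GET /c"),
    (6,  b"2/bea"),
]


def per_packet_match(segments: List[Segment], sig: bytes = SIGNATURE) -> bool:
    """Naive inspection: look for the signature inside each segment alone."""
    return any(sig in data for _, data in segments)


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the byte stream by offset, tolerating out-of-order delivery.

    For overlapping data the first-received bytes win. A real inspection
    engine must instead mirror the overlap policy of the protected host,
    otherwise it reassembles a different stream than the host sees.
    """
    stream = bytearray()
    filled = bytearray()                 # 1 where the byte has been received
    for off, data in segments:
        end = off + len(data)
        if end > len(stream):
            stream.extend(b"\0" * (end - len(stream)))
            filled.extend(b"\0" * (end - len(filled)))
        for i, byte in enumerate(data):
            if not filled[off + i]:
                stream[off + i] = byte
                filled[off + i] = 1
    return bytes(stream)


def stream_match(segments: List[Segment], sig: bytes = SIGNATURE) -> bool:
    """Inspection after reassembly: the only view where the signature exists."""
    return sig in reassemble(segments)
```

Running both checks over `SAMPLE_SEGMENTS` gives `False` for the per-segment match and `True` after reassembly, which is the gap the "detailed, real-time inspection" recommendation below is aimed at.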

For perspective on what all this means, McAfee interviewed John Masserini, vice president and chief security officer for MIAX Options. In this post, Masserini said, "We are no longer dealing with a random drive-by scanner that is just looking for obvious entryways into your network. In today's interconnected world, we are dealing with adversaries who spend weeks or months studying your public-facing network footprint, looking for that one small sliver of light which will allow them to gain a foothold into your networks."

What is the solution?

As for a solution, that's a bit nebulous. If an attack process cannot be defined, or there are those who do not acknowledge the existence of AETs, it's hard to manufacture an effective solution. What does not work, according to McAfee and others, are traditional firewalls. McAfee suggested that any solution used to combat AETs include the following:

  • Detailed, real-time inspection
  • High availability
  • Correlation capabilities and network visibility

Lane Cooper, editorial director at Biz Tech Reports, said, "AETs are the next step in the dynamic and accelerating arms race between malware producers and the enterprise-security community." It seems like a good time to stop debating whether AETs exist or not.



Mr. Kassner:

Good piece, but I am underwhelmed by the NIST definition of APT. How can they start out defining the perp before the crime is defined? Better the FireEye definition: "APTs are well coordinated, extended campaigns — whether motivated by financial gain, personal politics, or national interests — intended to achieve an objective against a specific target."

Second, in general do the APTs defeat/circumvent the logs? It would seem that such surveillance should be detectable by the database logs.

Jeff O'Byrne

Camp Lejeune Branch, Campbell University



Perhaps I'm not up to speed on this in IT. I can see sending bits and pieces of a bomb into a building and having someone inside assemble all the bits together to create a threat, but how do you do the same thing in the computer environment without having a program (aka virus) waiting on the inside to receive and assemble and then cause to run this? If you do have a program inside waiting then surely that is the threat and can be detected and removed.

What am I missing, besides the money to be made by security companies securing me against this "imminent" threat?


Thanks to software developers and hardware (switch, router, server, etc.) makers who continue to produce porous, vulnerable products, the rest of us - users and IT professionals alike - are forced to endure a perpetual state of war. Just look at the language used in the above report - "adversaries", "perimeter", "attackers", "attack vectors", "threats", "command and control", et cetera.

Most of us are just trying to conduct our businesses and our lives. We don't put on a helmet and flak jacket and alter our commute every day to avoid snipers and kidnappers. But because the high tech industry creates products more full of holes than Swiss cheese, we're forced to do the equivalent of that every time we boot up a computer.


As in the past it seems that layers of protection is the best answer for security: user education, IT staff education, firewalls, patching (application, OS, firmware, etc.), anti-malware, monitoring, securing applications, forensics, etc.

Michael Kassner


Thanks for the comment, Jeff. As I mentioned, the definitions are numerous, and that goes to why the problem is difficult -- something about knowing thy enemy. As for the log spotting the attack, that is interesting, and I will look into it. I suspect that the traffic is so varied that it gets lost in the noise.

Michael Kassner


That is the million-dollar question. I asked the same thing, and apparently the bad guys aren't telling. Also, reverse engineering the programs is underway. I must qualify that I have not been able to second source any of this as of yet.


Could not agree more. But like all things manufactured today, cars, appliances, electronics and software, the designers have likely never worked outside their cubicle. The idea of repairing or using for practical purposes is a foreign concept to most and not a consideration when rushing to get things to market. Just think what would happen to computer hardware and software designers if they were held accountable for malicious hacking problems much the way car manufacturers are held accountable for safety flaws. I suspect the security holes would cease to exist in very short order.

Michael Kassner


I have noticed that the language is shifting to that ilk more and more as well. I am not sure of the reasoning, but am looking into it.


@Michael Kassner

Let me clarify my thoughts: basically security starts out in one layer and over the years more layers of security are required to stop or slow down the threats. As the bad guys come up with different threats another security layer (process, technology, etc.) is added or modified. This is a continuing process that has happened not just with IT security but ever since people have had two conflicting ideas against each other.

In this particular case, a new or modified threat occurs (AETs), it gets identified and a new layer of protection is developed and added. Which is what I believe Intel/McAfee is stating: that they have identified a new threat (AETs) and are providing a solution/response to it. This adds or modifies one of the layers of protection in security.

And so the cycle continues...


@Michael Kassner @Manitobamike 

I'm sure they would, except for a couple of things:

1. Understanding the problems (there is not a lot of agreement among the pros)

2. Having a real choice to make. Every auto manufacturer has recalls, every operating system has holes, every piece of software probably has some way of being compromised. There has even been discussion of attacks on programmable pacemakers.

Has anyone even tried in the last 30 years to produce a quality above the rest? I don't think so. Not since VHS won over the superior Beta by price alone. A quick glance at a landfill site will tell you that our society does not build products to last or be repairable.
