What the APT vs. ATA acronym battle means to administrators

Whether the industry calls it an Advanced Persistent Threat (APT) or Gartner calls it Advanced Targeted Attack (ATA) doesn't really matter. What matters is the devastation an APT or ATA can cause in an enterprise.

It's no secret that threats are growing in persistence, increasing in stealth and evading the latest anti-malware technologies. Simply put, advanced persistent threats can now break through the gauntlet of firewalls, intrusion prevention systems, anti-virus applications and anomaly detection systems in use by most enterprises today.

The IT industry has come to call these latest attacks Advanced Persistent Threats (or APTs), while analysts at research giant Gartner refer to them as Advanced Targeted Attacks (or ATAs). Corey Nachreiner, director of research and security strategy for firewall vendor WatchGuard, explained what an APT is. Nachreiner said, "APTs combine persistence with advanced zero day techniques to target a certain individual, organization or government agency." He added, "APT attacks are designed with a criminal activity in mind, either to disrupt business operations or gain access to financial information."

Can APT attacks be stopped?

With those nefarious goals in mind, it becomes easy to see why cybercriminals are turning to APTs to exploit what should be protected information. APT-based attacks have been behind some of the largest compromises of late, ranging from the theft of millions of credit card accounts via the Target breach to the Gauss attack, which targeted banks in Lebanon to steal bank account information. Other examples of successfully deployed APT attacks include Stuxnet and Flame, which both leveraged zero-day exploits and caused millions of dollars of damage to the targeted organizations.

The rise in APT-based attacks creates a major conundrum for those responsible for IT security, raising a troublesome question: "Can APT attacks be stopped?"

There's no easy answer

While there is no easy answer to that question, protection technology is quickly evolving to limit the success of a carefully executed APT attack. That technology comes in the form of APT prevention systems, which are layered upon other security technologies.

However, those protection systems must deal with what can be considered a complex, professionally engineered attack. The typical APT attack combines elements such as spear phishing, watering holes and compromised chains of trust to deliver a stealthy payload, one specifically designed to be hard to detect and to employ evasion techniques such as time-delayed execution.

APTs are often successful because there are no known signatures or other identifiers, which makes it impossible for signature-based solutions to detect the payload or defined activity. That said, vendors are now turning to sandbox system emulation to try to identify the threats. WatchGuard, for example, uses a cloud-based virtualization system to create an emulated environment that can analyze suspicious files to detect APT activity.

Those emulated environments trick the payload into thinking it is running on an actual system, allowing the payload's activity to be identified without putting an actual system at risk.

For administrators seeking to limit the impact of APTs, a layered security approach that culminates in sandbox-based emulation and detection will become a must-have.