Advanced Persistent Threats: The Mysterious New Ground for Cyber Danger

As the world continues on a path of increased connectivity, control over the cyber domain has become a matter of state security. The sustained loss of wealth in the form of intellectual property theft and financial shenanigans has reached critical mass. As a warning to America, General Keith Alexander, while serving as the Director of the National Security Agency (NSA), stated: “What we need to worry about is when these transition from disruptive to destructive attacks…” He goes on to say: “The conflict is growing, the probability for crisis is mounting.” (Rogin, 2012). In this context, the main danger the “special operations teams” of cyberspace in America is called the Advanced Persistent Threat (APT).

As the APT has evolved into the construct of cyberspace, the prevalent working assumption has been to simply apply technical countermeasures. This techno-centric approach has done little to thwart cyber threats, as the average dwell time to discovery is 206 days (Irwin, 2018). To this end, “technology itself is not a threat – it is the usage made of it that poses a danger.” (Ventre, 2012). In other words, cybersecurity is still a people problem, as much, if not more than, a technical one. Therefore, a more holistic approach is required to understand and mitigate the APT.

The study of cyber-based adversaries, specifically those categorized as APT, is not a well-researched discipline, especially compared to other more popular threats, like terrorism. These two threat actors, APT and terrorism, represent the opposite ends of the spectrum in that APTs are defined by their technology-centric methodologies, whereas terrorists are still largely seen as only slowly embracing technology while still being in favor of “common man” approaches that are predominantly low-tech. However, these groups have more in common when examined with more subtle nuance.

There are significant differences between a terrorist threat and an APT at the tactical level. For example, the manner and type of technology used to conduct an attack, the desired impact of an attack, and their respective stances on attribution. Terrorists tend to quickly claim responsibility while APTs avoid it. That said, at the important strategic level, terrorist and APT groups do have some remarkable similarity. For example, there are six characteristics attributed to terrorism that are shared by the APT. Specifically: asymmetry, cost effectiveness, contributions of loose associations, will to succeed, impossibility to completely defend, and contagion. Interestingly, as terrorists and APTs share characteristics, the non-technical strategies to counter each represent two sides of the same coin. These non-technical strategies to counter consist of: collaboration, partnerships, support of the people/leadership, education, and a better return on investment (ROI).

Collaboration

Collaborative engagement at the state level, designed to solve human issues such as disease control, global water supply, and traffic congestion through cyber means, can reveal insights for counter-threat strategy. The ability to change one’s image of another is, in part, based on familiarity. Further, in working through collaboration, the barriers between in-group and out-group can be broken down by the unified cause of helping the greater good. This shared mission can create a bond and work toward changing the group dynamics that currently seem too often adversarial.

Partnerships

“Alliance requires more meaningful interaction as opposed to mere verbal support or ideological affinity.” (Horowitz and Potter, 2014, p. 201). The identification of partnerships is critical in expanding a sphere of influence to thwart the efforts of APTs and terrorists. Making headway against the problem increases exponentially with substantial partnerships. Partnerships dedicated to combat these threats can enable Social Network Mapping as a means to identify threat group relationships. (Johnston, 2005) Insight into these groups and their associative relationships can change dynamics and “predict the type of attacks groups are likely to launch”. (Horowitz and Potter, 2014).

Support of the People / Leadership

One way to help gain trust of the people is through outreach and counter-messaging following a successful attack. “Pervasive messages, therefore, by politicians, the mass media, or other individuals could emphasize value similarities or differences between the ingroup and the outgroup and consequently influence peoples’ threat perception.” (Garcia-Retamero, et al., 2012) Similarly, the establishment of trust is fundamental for change. “We argue that trust is essential in intergroup behavior because unlike attitudes, trust implies a willingness to engage in behavior that has potential costs.” (Kenworthy et al., 2016) This is equally true for recruitment into criminal enterprises as it is for obtaining the support of the people. It is imperative to create trust, while creating distrust for the threat group. “The challenge of effective intergroup leadership is a microcosm of the wider problems of reconciling intergroup differences and building social harmony from group conflict.” (Hohman et al., 2009) This can serve to change the image of the counter-threat group and the self-image of its members amongst the people at large, which can increase overall strategic effectiveness and societal acceptance.

Education

The presentation of a counter-message is important in creating doubt and changing minds. An often overlooked aspect of counter-messaging is ensuring that the messaging is targeting the same people that the APT and terror groups are focusing on themselves and understanding why those messages might be attractive to those groups. The counter-message must use this baseline to provide meaningful alternatives that resonate with target audiences.

Social media is critical in combating both types of threat groups, as it is the only medium that can effectively but indirectly trigger relevant emotions and feelings. Notably, not only the imminence of an event may be predicted through this analysis but something as subtle as the willingness of an individual to join a threat group as well. The biggest potential power of social media then is to model behavior, predict outcomes, and intercede with the appropriate messaging to alter the course of action.

Economic Well-Being

There is at least some evidence that economy disparity sets the conditions for increased cybercrime. (Watters, et al., 2012) In this context, economic disparity can be a driver for political action, leading to cyber espionage as a means to counter-balance market competition, military prowess, and offset research and development costs. That said, there are conditions in which the economics of committing a crime can be such that it can serve as a deterrent. In the case of APTs and terrorists, given their relationship with the state and anti-state ideologies, deterrence will not stop them. It can, however, make it costlier and slow their pace.

In a world of increasing complexity and unparalleled connectivity, APTsstands at the top of the threat list. As an extension of technology, they cannot be mitigated by technical measures alone. But through non-technical factors that provide a greater understanding of the leaders and people that control and comprise an APT and by encouraging collaborative innovation across multiple national security agencies/disciplines, a more holistic approach can be made apparent and more effective deterrence strategies can emerge. Failing to do this simply means states will always be playing catch-up against persistent adversaries like terrorists and APTs.

Al Lewis
Al Lewis
Al Lewis is currently a doctoral candidate in Global Security in the School of Security and Global Studies at the American Military University. He currently oversees the Cybersecurity Operations Center of Boeing, the world’s largest aerospace and defense company. Before that he served the United States of America as a Special Agent in the Secret Service.