Familiarity Breeds Contempt: APT Edition

3(ish) months and a security conference later...

Oh good, you think to yourself, another lame vendor report about EMPEROR PENGUIN. You read the first two or three (the one from that AV vendor was especially good), but EP is kinda lame now. Sure, you have the “FEAR THE PENGUIN!” t-shirt you got at that conference, but you’re not really concerned about EMPEROR PENGUIN. They don’t even attack your sector, and even if they did they’re just a bunch of noobs: they have terrible opsec, their “malware” is just a bunch of PowerShell scripts, and they reuse infrastructure all the time. Yeah, they’ve breached some stuff, but they’d never get into your network. Not even worth thinking about. Just some skiddies.


The Advanced Persistent Threat Hype Cycle

If you’ve been around the incident response/threat intelligence world long enough you’ve no doubt experienced this cycle for yourself. Here’s the breakdown:

  • Phase 0 — Unknown: The phase attackers would love to stay in forever, when no one has even heard of them. This is largely their preparation phase and the initial stages of their campaigns, before the victims have noticed anything.
  • Phase 1 — Mystery: This is immediately after the adversary has been detected by a few lucky, skilled, or well-connected victims. They’re known only to those who worked the investigations, and maybe mentioned to third parties, but without generally available technical details. People know something happened, but very little about what happened, and the responders who actually do know are still being tight-lipped. Depending on the details and the opinions of the responders, the view of the adversary may range from extreme concern to minimal worry.
  • Phase 2 — Awareness: The real secret-squirrel phase; this is where the mailing lists and Slack channels start talking and sharing information. At this point the information starts to both expand (as context is added) and corrupt (as people make incorrect correlations). New investigations start, new compromises are discovered. Victims start sharing how advanced the adversary is. Generally speaking the adversary is considered pretty scary at this stage, as details are still being sussed out and people always assume the worst.
  • Phase 3 — Publicity: The first blog posts start coming out, either by victim organizations or by vendors (often vendors on victims’ “behalf”). The first real technical details emerge. Victims and vendors tell horror stories, either to assuage guilt over compromises (for the victims) or to sell more of their solution (for the vendors). Companies and organizations who weren’t aware during Phase 2 quickly try to become aware. If they’re vendors they release follow-on reports, based on real or imagined insights in their data. Adversary esteem is at an all-time high.
  • Phase 4 — Condescension: At some point, though, publicity curdles like spoiled milk. Maybe it’s too many vendors, too many t-shirts, victim false positives; it’s hard to say exactly, but the mood changes. Rather than focusing on the advanced traits of the adversary, the outsiders, generally those who became aware during the publicity phase, start focusing on all the reasons the adversary is… well… bad at being an adversary. They focus on shortcomings in capability, infrastructure, and operational security. Respect for the adversary, rising slowly but continuously during phases 1–3, suddenly starts declining and craters.
  • Phase 5 — Respect: Here’s the rub. After getting called out, adversaries take one of a few different tactics: go to ground and hide temporarily, change TTPs, go to ground for good, or accelerate their operational timeframe. If it’s one of the first two options (hide temporarily or change TTPs), then in many cases the adversary regains much of their lost respect and is seen as a long-term adversary. If it’s one of the latter two, then the adversary’s respect stays low: viewed as lucky for the things they did right and derided for the mistakes they made.
Original Graph based on the Uncanny Valley

Respecting Your Adversary

This graph leads us to a few important concepts:

  • Don’t buy into the hype! A lot of folks will try to blame this sort of issue on vendors, but honestly everyone in security is culpable. We all peddle FUD when it suits us. Make sure you understand the information provider’s incentives and objectives. AV companies do great research, but they want to sell software. Consulting firms can share good information, but it’s so you’ll call them for your next breach.
  • Gather your own information and generate your own intelligence. Take the time to gather and evaluate data for yourself. Context always matters, so unless a product is built for you it’s not intelligence to you, it’s just information.
  • Be realistic about your own threat model. Worrying about the flavor-of-the-month adversary should rarely be a thing. If you’re a hospital, banking trojans aren’t worthy of much concern. Conversely, malware aimed at medical devices shouldn’t scare the average bank.
  • Strive to be objective about the adversaries you need to focus on. Gather your information, determine who you need to worry about, and generate your own intelligence focused on an objective, contextualized, and realistic understanding of the adversary.



Scott J Roberts

Network Defender, developer, speaker, writer, author of O’Reilly’s Intelligence Driven Incident Response, & SANS instructor. Bad guy catcher.