I participated in a Stuxnet panel put on by Industrial Defender earlier today. ID did a great job organizing it, and I thought Patrick Miller’s summary at the beginning was perfect for someone wanting to get a quick understanding of Stuxnet. I’ll blog more thoughts on the panel and the questions that can’t be answered when the replay link is up.
However, I did want to jump on the APT issue because the control system security community is in danger of falling into the same trap as the IT security community. APT is a threat actor, not a sophisticated piece of exploit code. The P in APT, Persistence, is the key. A skilled threat actor who diligently works to maintain control of and access to a network is an APT. It is characterized by varied and multiple exploits, some active and some dormant. I’m trying to channel Bejtlich here.
Just because Stuxnet has some SCADA intelligence and involved a 0-day does not mean an APT threat actor is responsible. Where is the evidence of an effort to achieve persistence? Not every sophisticated directed attack is APT. I blogged earlier questioning whether this was only part of a directed attack and whether other, different exploits remain on any targeted networks after they clean up Stuxnet. This could be an APT threat actor, but there is no evidence of this yet.
The reason I’m beating this drum is that APT can be a very useful way of describing a type of threat actor we need to be concerned with in the critical infrastructure. If every attack with SCADA intelligence is called APT, and the community starts to look for products to stop an “APT attack,” then the term just becomes equivalent to a talented attacker or a sophisticated attack.