Well, let's not get stuck in the definitional morass of APTs, AETs, and other terms that have at least one foot in the marketing camp, or worry too much about the differences between targeted attacks, targeted phishing, spear phishing, and other angles on angling. (My, I'm in iconoclastic mode this morning.)
Here's something that does worry me (and I speak as someone who spends most of his online time trying to explain why the sky is not falling, which is probably why I shouldn't go for a career in marketing).
RSA; Lockheed Martin; the IMF. Like the hundred or so CSOs who recently agreed that they were under APT siege and that they should share information on attacks, we think of companies and organizations as the attacker's targets. And of course they (and the sensitive data that is their lifeblood) are, at root, the prize.
Increasingly, though, the attacker's initial targeting or primary vector isn't the systems that hold the data, but individuals who can be subjected to a suitable mixture of social engineering and technical attacks such as 0-days built into malicious attachments and links.
For instance, all the federal employees, contractors et al. mentioned in the catchily entitled Annual Intelligence Authorization Act Report on Security Clearance Determinations For Fiscal Year 2010. According to the FAS Project on Government Secrecy, using data tabulated in the report, 4,266,091 people held security clearances in the US for access to classified information. (The classifications in the report are primarily Confidential/Secret and Top Secret, though figures for Approved are also given.)
For all I know, every one of those clearances may be essential to allow the individuals concerned to carry out their work. But how many of them have any knowledge of, or training in recognizing, targeted threats? Not, I suspect, over four million of them.
Hat tip to Ian Cook for bringing that item to my attention.
David Harley CITP FBCS CISSP
Small Blue-Green World
ESET Senior Research Fellow