The APT (Advanced Persistent Threat) has popped-up on the radar for many organizations, including those in government, defense or research.  As many of you already know, APT is a type of threat (it is a WHO, not a HOW).  Specifically a highly trained threat that is motivated to compromise your organization, and they have both the time and resources to get in.  One of my favorite resources on APT is Richard Bejtlich @taosecurity. Because APT has become such a threat, organizations are attempting to educate their employees.  But the question becomes, what do you teach them, what behaviors do you want to change?  These are not simple cyber criminals trying to install rogue anti-virus, this is nation-state stuff.  I've been recently working with some APT experts to help answer these questions, this is what we have come up with so far.
  1. Explain The Threat: One of the first key goals is educating people on what APT is and how it is different then your typical cyber criminal.  People need to know and understand that this threat will do extensive research on them, it is highly motivated and creative.  This is especially true for high value targets, such as senior management or IT staff, who may require additional APT training.
  2. Examples: Give examples of successful APT attacks in the past, and examples of how they may try to penetrate your organization in the future.  This is harder to teach then simple cyber criminal attacks, unlike cyber criminals APT may not use a cookie cutter approach.
  3. Make APT's job harder:  Make sure employees understand that any information they post or make public can be used by APT to craft specific attacks against them.
  4. Detection and Reporting: Finally, how to detect a possible APT attack and the importance of reporting it.  Examples could be attachments failing to open, attachments causing an application to crash, or some other odd behavior.  Yes you will get false positives here just as with any other detection control, but if your organization has a low tolerance for risk, this is an acceptable cost for detecting APT attacks in real time.  A great way to improve detection capabilities and reduce false positives is monthly  phishing assessment for training purposes.
If you are educating people about APT, what are your learning objectives, what have you found to work well or not work well?
About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.