The APT (Advanced Persistent Threat) has popped-up on the radar for many organizations, including those in government, defense or research.  As many of you already know, APT is a type of threat (it is a WHO, not a HOW).  Specifically a highly trained threat that is motivated to compromise your organization, and they have both the time and resources to get in.  One of my favorite resources on APT is Richard Bejtlich @taosecurity. Because APT has become such a threat, organizations are attempting to educate their employees.  But the question becomes, what do you teach them, what behaviors do you want to change?  These are not simple cyber criminals trying to install rogue anti-virus, this is nation-state stuff.  I've been recently working with some APT experts to help answer these questions, this is what we have come up with so far.
  1. Explain The Threat: One of the first key goals is educating people on what APT is and how it is different then your typical cyber criminal.  People need to know and understand that this threat will do extensive research on them, it is highly motivated and creative.  This is especially true for high value targets, such as senior management or IT staff, who may require additional APT training.
  2. Examples: Give examples of successful APT attacks in the past, and examples of how they may try to penetrate your organization in the future.  This is harder to teach then simple cyber criminal attacks, unlike cyber criminals APT may not use a cookie cutter approach.
  3. Make APT's job harder:  Make sure employees understand that any information they post or make public can be used by APT to craft specific attacks against them.
  4. Detection and Reporting: Finally, how to detect a possible APT attack and the importance of reporting it.  Examples could be attachments failing to open, attachments causing an application to crash, or some other odd behavior.  Yes you will get false positives here just as with any other detection control, but if your organization has a low tolerance for risk, this is an acceptable cost for detecting APT attacks in real time.  A great way to improve detection capabilities and reduce false positives is monthly  phishing assessment for training purposes.
If you are educating people about APT, what are your learning objectives, what have you found to work well or not work well?