What is advanced persistent threat? Explaining APT security

October 1, 2021  |  Mark Stone

This article was written by an independent guest author.

As the threat landscape evolves faster than we can keep up with, organizations must be aware of the type of threats they may face. Certain threat types, like ransomware and malware, are more prominent and therefore must be fought with the appropriate resources. On the other hand, some threat types are not prevalent and pose significantly less risk.

However, just because a specific threat isn’t as widespread does not mean we shouldn’t take it seriously. 

Advanced persistent threats, for example, are not as common for most organizations. But due to their severity and complexity, advanced persistent threats can be much more crippling to your company. These types of high-profile, high-impact attacks will only increase as more attackers respond to the lucrative incentives of ransomware payouts.

Defining Advanced Persistent Threat (APT)

At its simplest, an advanced persistent threat (APT) gets its name because it is advanced, it is persistent, and it represents a threat to the targeted organization. The term typically describes an attack campaign in which the attacker (or, more commonly, a team of attackers) establishes a targeted, prolonged presence on a network with the intention of stealing highly sensitive data.

Criminals who launch APT attacks choose and research their targets very carefully; victims are typically large enterprises or governmental networks.

Ramifications stemming from an APT are not limited to data theft. While most APT attackers come away with intellectual property and private employee and user data, consequences can include sabotage of critical organizational infrastructures and in some cases, complete site takeovers.

What is most concerning about APT attacks is what, and who, is responsible. Typically, the attackers are teams of experienced cybercriminals with significant financial means and support. Some APT attacks may even be government-funded or carried out by nation-state actors.

APT vs. a standard breach

Compared to traditional web application threats, advanced persistent threats are much more pernicious.

Here’s why:

First, as mentioned above, they are much more comprehensive.

While most common attacks follow the "spray and pray" method of catching as many victims as possible in one sweep, APTs linger on target networks as long as possible to steal the crown jewels and more.

With those types of hit-and-run attacks, many functions are automated. APT attacks, on the other hand, are meticulously and manually orchestrated against a specific target.

Perhaps most concerning is the fact that the goal of an APT is to take over your entire network. Attackers often begin with common attacks like SQL injection and cross-site scripting to gain a foothold in the victim's network. Then, using trojans and backdoor shells, they widen their reach and consolidate their position inside the perimeter.

Progression of an attack

APT attacks are carried out methodically and typically follow five specific steps.

Here they are:

Gain entry
Attackers first find a weak spot or vulnerability on your network to sneak in.

Establish a presence
To allow lateral movement within your network, attackers deploy malware or trojans with tunnels and backdoors that keep them present and undetected. Once inside, they can even cover their tracks.

Gain a stranglehold
Once network presence is established, attackers can compromise authentication credentials to gain administrator rights for even more access.

Move laterally
With this level of control, attackers may try to move through as many network segments as possible, expanding the attack and increasing its severity.

Stay inside and continue discovery
When attackers are inside the system for long periods, they are well-positioned to perform enough analysis to determine your network’s inner workings and vulnerabilities. If undetected, they can stay until they get what they want; or worse, remain inside indefinitely.

How businesses can defend against APT

Properly detecting and protecting against APT attacks requires full-scale cooperation from almost everyone in the organization, including IT staff, individual users (essentially all employees) and third parties like security providers. Most methods will involve your IT staff, but without buy-in across the entire organization, the risk of a successful APT attack increases.

Access control and user awareness
Attackers know that your employees are the weakest link in your cybersecurity chain and that the human element is always vulnerable. Many large-scale attacks begin when an employee is either unknowingly compromised, careless or malicious.

Conducting a comprehensive review of both type and level of network and application access for everyone in your company goes a long way in preventing attacks. Implementing a zero trust model wherever possible is recommended.

Ultimately, if your employees have a security-first mindset and understand the threats, many APTs can be prevented. A robust security awareness program in which training is consistent and engaging is critical.

Monitor network traffic
With visibility into outgoing and incoming traffic, you’ll be able to know when unusual network behavior occurs and can alert the right parties.

Use web application firewalls (WAF) and network firewalls
Typically installed at the edge of your network, a web application firewall (WAF) filters traffic to web application servers, one of the more vulnerable parts of your attack surface. WAFs can help identify and thwart application layer attacks (like SQL injection), used in the initial attack phase. Network firewalls can provide a more granular view of internal network traffic and alert you to any abnormalities like unusual logins and large data transfers.
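The "unusual logins and large data transfers" that network monitoring (and the firewall visibility described above) should surface can be expressed as simple detection rules. The following is an added example, not code from the original article or from any vendor product: it scans a few constructed log lines (the line format, the per-user baseline of known source addresses, the business-hours window and the daily transfer threshold are all assumptions) and returns the alerts a defender would want to review.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from any real system). Assumed format:
# "<ISO time> <event> user=<name> src=<ip> [dst=<ip> bytes=<n>]"
SAMPLE_LOGS = """\
2021-09-30T09:12:01 login user=alice src=10.0.1.20
2021-09-30T09:40:15 login user=bob src=10.0.1.31
2021-09-30T10:02:44 transfer user=alice src=10.0.1.20 dst=203.0.113.9 bytes=120000
2021-09-30T23:17:09 login user=admin src=198.51.100.77
2021-09-30T23:20:31 transfer user=admin src=10.0.1.5 dst=198.51.100.77 bytes=900000000
2021-09-30T23:25:10 transfer user=admin src=10.0.1.5 dst=198.51.100.77 bytes=700000000
"""

LINE_RE = re.compile(r"(?P<ts>\S+) (?P<event>\w+) (?P<kv>.*)")
# Assumed baseline: source addresses each account normally logs in from.
KNOWN_SOURCES = {"alice": {"10.0.1.20"}, "bob": {"10.0.1.31"}, "admin": {"10.0.1.5"}}
BUSINESS_HOURS = range(8, 19)        # assumed 08:00-18:59 working window
TRANSFER_LIMIT = 1_000_000_000       # assumed cap on outbound bytes per user per day

def parse(line):
    """Split one log line into a dict of fields; returns None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"], fields["event"] = m.group("ts"), m.group("event")
    return fields

def find_anomalies(log_text):
    """Flag logins from unknown sources or off-hours, and cumulative outbound volume over the cap."""
    alerts = []
    outbound = defaultdict(int)      # running outbound byte count per user
    for rec in filter(None, map(parse, log_text.splitlines())):
        user, hour = rec["user"], int(rec["ts"][11:13])
        if rec["event"] == "login":
            if rec["src"] not in KNOWN_SOURCES.get(user, set()):
                alerts.append(f"unknown source for {user}: {rec['src']}")
            if hour not in BUSINESS_HOURS:
                alerts.append(f"off-hours login for {user} at {rec['ts']}")
        elif rec["event"] == "transfer":
            outbound[user] += int(rec["bytes"])
            if outbound[user] > TRANSFER_LIMIT:
                alerts.append(f"large outbound volume for {user}: {outbound[user]} bytes")
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOGS):
        print(alert)
```

On the sample, only the admin account trips the rules: a login from an address outside its baseline, at 23:17, followed by 1.6 GB of outbound traffic to that same address.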

Application and domain whitelisting
While not foolproof, whitelisting allows you to manage which domains are accessible from your network or control which applications can be installed by employees. Whitelisting is effective when other best practices (listed below) are followed.

Any critical endpoints should require two-factor or multi-factor authentication (2FA or MFA), which adds a second verification step. That extra step can prevent attackers from further infiltrating your network even after they have obtained a password.

Other best practices:

  • Maintain backups! One overarching control that can be applied to help prevent long-term damage from a ransomware attack is a strong backup program. An effective backup program can minimize damage from ransomware and enable swift recovery.
  • Patch, patch, patch. Update vulnerable components and software as often and as quickly as possible.
  • Encrypt remote connections whenever possible.
  • Deploy advanced email filtering to prevent phishing attacks and test employees with phishing drills.
  • Log security events and review often to strengthen security policies.

Just being aware of the potential for an advanced persistent threat and the harm it can cause is important. Hopefully your organization is never victimized.

But in the event of an attack, the ability to respond quickly is critical. AT&T Cybersecurity cyberdefense consultants can help lead an investigation or supplement your internal cybersecurity team to help quickly respond to attacks and mitigate impact.

You can also take advantage of a 30-day free trial that combines AT&T's Cybersecurity Consultants' expertise with a portfolio of vulnerability management solutions.
