The Advanced Persistent Threat (APT)

We’ve discussed Phishing, Spear-Phishing, Ransomware, and other threats to small-to-medium sized organizations here, but there is another, perhaps more insidious threat to be vigilant about, called the Advanced Persistent Threat, or APT.

Advanced Persistent Threats (APT) go beyond the typical malware threats or other types of intrusion threats that could lead to data loss.  There is the old story about two people being chased by a bear.  One of them says that he doesn’t need to outrun the bear, he just needs to outrun the other guy.  This is often the approach that organizations take to protecting themselves against hackers and other threats.  They take the position that their defenses do not need to be the best, they just need to be better than other targets similar to them, in the hopes that an attacker will give up on them and move on to someone easier to attack.

Being better protected than the next guy or target does not work with APT’s.  With an APT, you are the target, and the attacker will spend extraordinary time and multiple methods to gain access to your systems.  Theyaren’t going away soon nor interested in your neighbor.  Symantec says that the attackers in an Advanced Persistent Threat use multiple means to “break into a network.”  The goal is to “harvest valuable information over the long term” (Symantec, n.d.).  The attackers in an APT, once inside an organization’s network, may stay inside for a long term or until detected, if ever.

Symantec explains that the APT attackers spend time performing reconnaissance on their chosen target, then during their attempts to gain access, they use social engineering to deploy malware to “vulnerable systems and people” (Symantec, n.d.).    Symantec says that once inside the target network, that the attackers stay “low and slow” to gather more information and avoid being detected.  FireEye says that the malware, once inside, communicates with Command & Control servers controlled by the attackers (FireEye, n.d.).  FireEye goes on to explain that the malware inside the target network continues to collect data that it sends to a “staging server” and exfiltrates data while under the “full control” of the attacker.

Sometimes Advanced Persistent Threat actors employ non-typical malware deployment methods.  In 2008, a foreign intelligence agency left USB flash drives in the parking lot outside a US base, in what is known as a “candy drop.”  Sure enough, a soldier decided to pick one up and take it inside and plug it into a computer on the US Central Command’s network, uploading a worm that became one of the worst breaches of US military computers in history, known as Operation Buckshot Yankee (Singer & Friedman, 2014).



Advanced Persistent Threats: How They Work | Symantec. (n.d.). Retrieved September 08, 2016, from

FireEye. (n.d.). Anatomy of an APT (Advanced Persistent Threat) Attack | FireEye. Retrieved September 08, 2016, from

Singer, P. W., & Friedman, A. (2014). Cybersecurity and cyberwar: What everyone needs to know. New York, NY: Oxford.