An Advanced Persistent Threat (APT) is a cyberattack that is carefully planned to infiltrate a specific organization, evade its existing security controls, and remain undetected for an extended period. APTs are usually mounted to steal data rather than to damage the target organization's network. The adversaries behind them are typically well-funded, experienced groups, whether state-sponsored or organized criminals, that target high-value organizations and have spent significant time and resources researching the target and identifying weaknesses in its environment. An APT is carried out through coordinated human action rather than by unattended automated code: the operators pursue a specific objective and are skilled, motivated, organized, and well resourced. APTs are a threat because they combine both capability and intent.
The goals of APTs fall into four general categories: cyber espionage (theft of intellectual property or state secrets); eCrime (financial gain); cyber warfare (disruption of critical infrastructure); and hacktivism (political or social activism). APTs are usually named by the researchers who discover them; because many have been discovered independently by more than one team, some are known by several names. Most APTs unfold in multiple phases that follow the same basic sequence: gain access, maintain and expand that access, and remain undetected in the victim's network until the goals of the attack have been accomplished.
Organizations in sectors that hold large quantities of personally identifiable information or other valuable data are at high risk of being targeted by advanced persistent threats, including agriculture, energy, financial services, healthcare, higher education, manufacturing, technology, telecommunications, and transportation. Traditional security technology and methods, built to catch known and largely automated threats, have proven ineffective at detecting or mitigating APTs. To prevent, detect, and resolve an APT, you must recognize its characteristics. Most APTs follow the same basic life cycle: infiltrate the network, expand access, and achieve the goal of the attack, which is most commonly exfiltrating data from the network.
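The life cycle above ends with the operators staying quiet inside the network while they pull data out. As an added example, not part of the original page, the Python below runs over a handful of constructed proxy log lines (assumed format: ISO timestamp, source host, destination, bytes sent; the host and destination names are invented) and flags two markers of that phase: command-and-control beaconing, seen as requests to one destination at regular intervals, and a single outbound transfer far above that pair's usual request size. The thresholds are illustrative choices, not values from the page.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log lines (assumed format, not from the page):
# "<ISO timestamp> <src host> <dst host> <bytes sent>".
# ws-17 checks in with one external host roughly every 10 minutes and then
# pushes one very large upload; ws-03 is ordinary, irregular intranet use.
SAMPLE_LOGS = [
    "2024-05-01T09:00:00 ws-17 files.example.net 512",
    "2024-05-01T09:10:02 ws-17 files.example.net 498",
    "2024-05-01T09:19:58 ws-17 files.example.net 505",
    "2024-05-01T09:30:01 ws-17 files.example.net 520",
    "2024-05-01T09:40:00 ws-17 files.example.net 507",
    "2024-05-01T09:49:59 ws-17 files.example.net 512",
    "2024-05-01T09:50:30 ws-17 files.example.net 38000000",
    "2024-05-01T09:03:11 ws-03 intranet.corp 2300",
    "2024-05-01T09:07:45 ws-03 intranet.corp 910",
    "2024-05-01T09:31:02 ws-03 intranet.corp 4100",
    "2024-05-01T09:32:40 ws-03 intranet.corp 150",
    "2024-05-01T09:58:13 ws-03 intranet.corp 7800",
    "2024-05-01T10:10:19 ws-03 intranet.corp 3200",
]


def parse_line(line):
    """Split one log line into (timestamp, src, dst, bytes_sent)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def group_by_pair(lines):
    """Collect events per (src, dst) pair, sorted by time."""
    pairs = defaultdict(list)
    for line in lines:
        ts, src, dst, nbytes = parse_line(line)
        pairs[(src, dst)].append((ts, nbytes))
    for events in pairs.values():
        events.sort()
    return pairs


def beacon_score(events, tolerance=0.10):
    """Fraction of gaps between consecutive requests that lie within
    +/- tolerance of the median gap. Using the median keeps one stray
    request (such as the final bulk upload) from hiding the pattern."""
    if len(events) < 4:
        return 0.0
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    med = median(gaps)
    if med <= 0:
        return 0.0
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    return regular / len(gaps)


def find_beacons(lines, min_score=0.8):
    """Return {(src, dst): score} for pairs whose timing looks like a beacon."""
    hits = {}
    for pair, events in group_by_pair(lines).items():
        score = beacon_score(events)
        if score >= min_score:
            hits[pair] = round(score, 2)
    return hits


def find_bulk_transfers(lines, factor=20):
    """Flag any single request whose size exceeds `factor` times the
    median request size for that (src, dst) pair."""
    hits = []
    for (src, dst), events in group_by_pair(lines).items():
        baseline = median(n for _, n in events)
        for ts, n in events:
            if n > factor * baseline:
                hits.append((src, dst, ts.isoformat(), n))
    return hits


if __name__ == "__main__":
    print("beaconing pairs:", find_beacons(SAMPLE_LOGS))
    print("bulk transfers:", find_bulk_transfers(SAMPLE_LOGS))
```

Both checks are deliberately simple baselines: legitimate software that polls an update server will also score as a beacon, so in practice the destination is enriched with reputation, first-seen date, and process context before anyone acts on it. The point is that neither signal depends on a known signature, which is why this kind of behavioural baseline catches activity that traditional controls miss.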