What is an Advanced Persistent Threat (APT)?

Cyber-criminals look for the easiest way to make money: phishing, ransomware, exploiting a known vulnerability. But what if an attacker was motivated to use multiple attack methodologies, including zero-day exploits, to gain access to your systems? What if the goal was to harvest your data for as long as possible without you knowing about it?

Welcome to the world of the advanced persistent threat.

What is an APT?

APT attackers employ their hacking expertise across multiple operational phases that can take months to deploy. Importantly, the aim is to achieve this totally clandestinely to allow for persistence. That is, “a continued or prolonged existence”.

APT groups are highly resourced, be that as established organised crime operations or with the backing of nation-state funding. Indeed, some APT groups exist within military intelligence units.

The ultimate purpose of an APT attack can be data theft, stealing intellectual property or surveillance of one government by another.

Who is at risk from advanced persistent threat?

Given what I’ve already stated, it would be easy to think that the targets of APT attackers fall solely into those specific camps: government/military and large commercial/industrial enterprises. While these may well be the ultimate target of an APT operation, smaller businesses and individuals are often used to reach them.

This means any business that may form part of a supply chain or individuals who may have the credentials to help gain access to systems along the way.

A typical APT attack will consist of the following operational phases:

  • Reconnaissance: recon of the ultimate target, supply chain and individuals to look for vulnerabilities that can be exploited.
  • Compromise: gain initial access using methods such as targeted phishing campaigns, custom-coded malware and the exploitation of known vulnerabilities.
  • Lateral movement and access security: move through networks to extend their presence within an organisation while securing these access routes in case any single breach is discovered and closed off.
  • Exfiltration: how long this takes will vary, but ultimately the required data will be acquired and stealthily exfiltrated in a manner that arouses the least suspicion.
  • Retreat: the final phase of an APT attack is to leave the networks while deleting any trace of the intruders having been there.

Why do advanced persistent threats matter?

APT groups’ ultimate target is highly valuable in political, commercial or financial terms. Their advanced and sophisticated methods can be hard to detect; that’s the whole point.

The consequences, meanwhile, tend to be devastating.

And not just for the end target but for the reputations and ongoing business relationships of any supply chain pawns sacrificed along the way.

How can you best mitigate against an APT attack?

Given that sophistication and stealth are the strengths that APT groups bring to the threat table, can these attacks be mitigated?

Cybersecurity is not easy; that’s a simple truth. Another is that securing against APT attacks is even harder. But hard isn’t the same as “no point bothering”.

A multi-layered security strategy is always the basis of good defence. This means such things as adding penetration testing to your security routine. It means including “red team” briefs where the testers use similar methods to threat actors to uncover weaknesses that can be exploited. It means robust access and patch management. And that’s just for starters.

You should also employ visibility to counter stealth, looking for indicators of compromise as early as possible in any APT attack: think unusual login patterns, odd communication flows and unexpected data traffic. And make sure that you’re following TechFinitive’s basic advice on staying secure.

Read next: Cyberattacks: why small businesses should be worried


  • APT attacks are stealthy by nature and designed to remain undetected for long periods. 
  • Government, military, large industrial and commercial enterprises are common targets. 
  • Smaller organisations and individuals in the supply chain are used to reach those bigger fish. 
  • Multi-layered defences including penetration testing and activity logs are mitigation essentials. 
Avatar photo
Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.