
Understand and combat advanced persistent threats and targeted attacks

Learn how they work, why you’re at risk, and how to fight back

Test your preparedness with Targeted Attack: The Game

What is a targeted attack or advanced threat?
Advanced persistent threats and targeted attacks:

  • Have caused numerous large, costly data breaches
  • Routinely defeat or evade traditional security measures
  • Are targeting growing numbers of organizations
  • Result in strategic chaos, massive costs, and crippled careers

Fortunately, advanced capabilities are available to help you detect, analyze, and respond to these attacks before damage is done.

Why they’re different

Targeted attacks and advanced threats (also referred to as advanced persistent threats or APTs) are built on extensive prior research and purpose-built to breach your network and steal your data, intellectual property, and communications without being detected.

Traditional threats:

  • Generic – A virus or malware is repurposed and aimed at any target it can find.
  • Scattershot – A virus or malware is cast widely across the Internet in the hope of finding a foothold in any end-user device or corporate server.
  • Predictable – The virus or malware remains in a generally consistent form and behaves in a generally consistent manner, which creates opportunities to identify and block it.

Targeted attacks and advanced persistent threats:

  • Customized – An attack on your network is a carefully planned heist. Attackers carry out extensive research and tailor the attack to evade your specific defenses, explore your specific network, and steal specific types of high-value data.
  • Surgical – Rather than being scattered to the wind, targeted attacks and APTs are carefully delivered to specific targets, often using highly convincing email intended for a single individual within your organization as a penetration vector.
  • Highly sophisticated – Today’s targeted attacks and advanced persistent threats use complex techniques to conceal themselves from your defenses. Once inside the network, they can alter their appearance, switch ports and protocols, and remain undetected for long periods as they move around the network to find and steal your data. Detecting these attacks requires a modern, advanced solution that provides visibility into every corner of your network.

The initial investment attackers make to fund an attack can be less than US$1,000. The payoff can be in the millions. And the chances of ever being arrested, prosecuted, and punished are vanishingly small.

Ready to learn about our Custom Defense solutions?

Business impacts

Targeted attacks and advanced persistent threats have led to many of the major data breaches of recent years. Organizations of all kinds and sizes—including yours—are at risk. Indeed, your network may well already have been compromised.

Targeted attacks are as much a strategic business concern as they are a security concern. The consequences go well beyond creating headaches for your security professionals. The strategic impacts of targeted attacks and advanced threats include:

Unexpected strategic impacts:

  • Loss of revenue
  • Loss of intellectual property
  • Deterioration or loss of intangible assets: technology, market, customer, operational practices, etc.
  • Erosion of market value

Unexpected risks:

  • Litigation by shareholders, customers, employees, or suppliers
  • Accountability for your network being used as a beachhead to launch attacks against customers, suppliers, business partners, or others
  • Deterioration of brand equity

Unexpected costs:

  • Regulatory filings
  • Internal and/or external investigation
  • Compensation

Unexpected career impacts:

  • Scapegoat effect
  • Resignation or dismissal of C-level executives
  • Risk to reputation and market value of directors and executives


Who needs to be involved in the conversation

CISOs, CXOs, and other executives need to become knowledgeable about the potential impacts of targeted attacks and advanced persistent threats. They need to become actively engaged in developing and implementing effective protective strategies.

If you are a CISO, CXO, executive, or board member, this knowledge will guide you in developing an executive action plan that begins with identifying and classifying your organization’s data and establishing risk-management policies.

The six stages of a targeted attack

Targeted attacks and advanced persistent threats are custom-built for their specific targets, but they generally follow a six-stage process.

  1. Intelligence gathering

    Attackers begin with extensive research. Using readily available public information, network scanning tools, social media, and other sources, they identify promising points of entry, and uncover the structure of your defenses. Their plan of attack is based on the intelligence they have gathered.

  2. Point of entry

    In one common tactic, called “spear-phishing,” an employee receives an apparently legitimate email with a normal-seeming file attached, or containing a link to a malicious URL.

    Another tactic, called a “watering-hole” attack, may compromise a legitimate website of interest to people in your industry, which then downloads malware to connected systems that match your organization’s profile.

    Other techniques may also be used, including:

    • Directly hacking the target system
    • Penetrating a partner’s network and hitching a ride into yours via normal communication
    • Using unsecured or third-party networks (hotel, coffee shop, airport, etc.)
    • Delivering attack code via a USB or other removable storage media



  3. Command-and-control (C&C)

    Once inside a targeted device, the malware communicates with a C&C server to deliver information, receive instructions, and download further malware. This allows attackers to actively respond to your security efforts, or to new information about your network. C&C traffic can occur to/from a trusted IP address or a malicious host, using various communication and encryption protocols.

  4. Lateral movement

    From the initial point of entry, attackers need to identify other assets within your network and move from system to system. They seek out directories, email, and administration servers in order to map the internal structure of your network and obtain credentials to access these systems.

  5. Asset/data discovery

    By scanning selected ports, monitoring internal traffic, and other techniques, attackers then seek to identify the specific servers and services that contain your most valuable data.

  6. Data exfiltration

    In the final stage, attackers copy the data they want to extract and monetize. They use encryption, compression, and other techniques to disguise it. And they transmit it to external locations under their control. Most commonly, they will then put it up for sale on the black market.


Infographic: Lateral movement tactics

Infographic: Detecting APTs via C&C traffic

Proven strategies for detecting targeted attacks and advanced threats

The key to detection is to establish visibility into all corners of your network—without restrictions as to ports, protocols, devices, or type of traffic. No matter how much you enhance detection at your perimeter, attackers will find a way in. Every device that connects to or communicates with your network, and every person who uses one—employee, partner, contractor, customer, supplier, auditor, inspector, etc.—can be exploited by a determined attacker. Monitoring only the perimeter gives you a false sense of security.

Once you understand that targeted attacks are highly likely to bypass your perimeter-centric defense, it’s clear that you need to gain visibility into attacker behaviors as they occur within your network. Strategies for achieving this include:

  • Monitor all network traffic: Comprehensive monitoring of all inbound, outbound, and internal network traffic, regardless of the ports or protocols involved. This includes effective monitoring of any and all devices that access your networks, as well as the ability to monitor asymmetric network traffic and any activity generated by any IP-based device that connects to your network.
  • Identify early warning signs: The ability to rapidly identify components of the early stages of targeted attacks. These may include malicious URLs, C&C servers, known malicious mobile apps, known malicious payloads, and known bad files.


  • Investigate suspicious files: Comprehensive analysis of suspicious payloads to detect malware, including previously unknown (“zero-day”) attacks. Sandbox environments (secure virtual systems in which malware can be activated and analyzed safely) should precisely match your operating system and application environments, and be easy to update as needed.
  • Validate your findings: The ability to rapidly correlate threat insight from your network with a proven and reliable external source of global intelligence so that your security teams can rapidly identify and respond to threats.
  • Plan your response: The ability to quickly determine the extent of a breach, prioritize your response activities, and efficiently allocate resources for remediation.
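The following script is an added example, not code from this page or from the vendor's products. It puts three of the points above into working detection logic over a flow log: the periodic C&C check-ins described in stage 3 (connections from one internal host to one destination recurring at near-constant intervals), the traffic shape of bulk outbound transfer described in stage 6 (far more bytes sent than received), and the "early warning signs" match against a list of known C&C hosts. It then does the first step of "plan your response": listing every internal host that touched a flagged destination. The flow records, the indicator list (a documentation-range address standing in for a real intelligence feed), and the thresholds (five connections, 20% timing jitter, 10 MB, a 10:1 out/in ratio) are all constructed assumptions, not values from the page.

```python
"""Added example: beaconing, bulk-upload and indicator checks over a flow log.
Not the vendor's code; records, indicators and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow log: timestamp, internal source, destination, port,
# bytes the internal host sent (out) and received (in).
FLOW_LOG = """\
2024-03-01 10:00:00 src=10.0.0.5 dst=203.0.113.45 dport=443 out=310 in=290
2024-03-01 10:00:13 src=10.0.0.7 dst=198.51.100.10 dport=443 out=2100 in=151000
2024-03-01 10:01:00 src=10.0.0.5 dst=203.0.113.45 dport=443 out=305 in=288
2024-03-01 10:02:02 src=10.0.0.5 dst=203.0.113.45 dport=443 out=312 in=290
2024-03-01 10:02:58 src=10.0.0.5 dst=203.0.113.45 dport=443 out=309 in=1450
2024-03-01 10:04:00 src=10.0.0.5 dst=203.0.113.45 dport=443 out=308 in=291
2024-03-01 10:05:01 src=10.0.0.5 dst=203.0.113.45 dport=443 out=311 in=289
2024-03-01 10:07:45 src=10.0.0.7 dst=198.51.100.10 dport=443 out=1900 in=98000
2024-03-01 10:08:02 src=10.0.0.7 dst=198.51.100.10 dport=443 out=2300 in=120500
2024-03-01 10:12:30 src=10.0.0.9 dst=203.0.113.45 dport=443 out=420 in=300
2024-03-01 10:30:11 src=10.0.0.7 dst=198.51.100.10 dport=443 out=2050 in=134000
2024-03-01 10:30:30 src=10.0.0.7 dst=198.51.100.10 dport=443 out=1980 in=87000
2024-03-01 10:31:00 src=10.0.0.7 dst=198.51.100.10 dport=443 out=2200 in=141000
2024-03-01 11:02:17 src=10.0.0.9 dst=192.0.2.77 dport=443 out=52000000 in=4000
"""

# Constructed indicator list standing in for an external intelligence feed
# (placeholder address from the documentation range, not a real C&C host).
KNOWN_BAD_HOSTS = {"203.0.113.45"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"out=(?P<out>\d+) in=(?P<inb>\d+)$"
)

def parse_flows(text):
    """Parse the text log into dicts with an epoch-seconds timestamp."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the batch
        d = m.groupdict()
        ts = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S").timestamp()
        flows.append({"ts": ts, "src": d["src"], "dst": d["dst"],
                      "dport": int(d["dport"]), "out": int(d["out"]),
                      "in": int(d["inb"])})
    return flows

def find_beacons(flows, min_count=5, max_cv=0.2):
    """Flag (src, dst, port) tuples whose connections recur at near-constant
    intervals: coefficient of variation of the gaps below max_cv."""
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = {}
    for key, times in by_tuple.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            beacons[key] = round(avg, 1)  # mean check-in period in seconds
    return beacons

def find_bulk_uploads(flows, min_out=10_000_000, min_ratio=10):
    """Flag (src, dst) pairs that sent at least min_out bytes outward with an
    out/in ratio of min_ratio or more: the shape of a bulk transfer."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        totals[(f["src"], f["dst"])][0] += f["out"]
        totals[(f["src"], f["dst"])][1] += f["in"]
    return {k: out for k, (out, inb) in totals.items()
            if out >= min_out and out >= min_ratio * max(inb, 1)}

def match_indicators(flows, bad_hosts):
    """Return the flows whose destination is on the indicator list."""
    return [f for f in flows if f["dst"] in bad_hosts]

def scope_breach(flows, flagged_dsts):
    """Every internal host that contacted a flagged destination: the first
    cut at the extent of the breach when planning the response."""
    return sorted({f["src"] for f in flows if f["dst"] in flagged_dsts})

def run(text=FLOW_LOG, bad_hosts=KNOWN_BAD_HOSTS):
    flows = parse_flows(text)
    beacons = find_beacons(flows)
    uploads = find_bulk_uploads(flows)
    hits = match_indicators(flows, bad_hosts)
    flagged = ({k[1] for k in beacons} | {k[1] for k in uploads}
               | {f["dst"] for f in hits})
    return {"beacons": beacons, "uploads": uploads,
            "indicator_hits": len(hits),
            "affected_hosts": scope_breach(flows, flagged)}

if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {value}")
```

On the constructed log, only 10.0.0.5 beacons (six check-ins about a minute apart); 10.0.0.7's browsing to 198.51.100.10 has the same destination and port but irregular timing and a download-heavy byte profile, so neither check flags it. 10.0.0.9 touches the listed host once, which is too few connections for the timing check but is caught by the indicator match, and its single 52 MB upload to a second destination is caught by the volume check; the scoping step then ties both hosts together.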
