
What Is An Advanced Persistent Threat (APT) Attack?

What To Do When Your Cyber Security Goes Horribly Wrong

An APT attack is one in which a cyber actor gains, and quietly keeps, access to your networks for a long period of time…


Some cyber actors operate on a ‘smash ‘n grab’ principle: get in, grab or damage what they can from your systems or network, then get out before they’re caught.

There’s another type of cyber-attack that goes completely against that principle… the Advanced Persistent Threat.

What Is An Advanced Persistent Threat?

An Advanced Persistent Threat (APT) is when a cyber actor has gained prolonged access to your network or systems without you realising.

An APT attack is rarely carried out just to cause damage; its main aim is to sit inside your environment for as long as possible, collecting as much data as possible before it is discovered.

APT attacks tend to be aimed at larger organisations in the defence, manufacturing or finance sectors, or even at nation states, simply because these are the organisations and entities holding high-value information worth stealing… personal information on thousands, possibly millions, of people, high-end intellectual property, financial details, military software… the list goes on to anything a cyber actor could sell for a profit or exploit for espionage.

An APT attacker will target a network with the aim of achieving persistent (hence the name) ongoing access.

Recent examples of APTs in the news (and the regulatory fines that followed them) are the breaches that impacted Marriott Hotels and British Airways.

This type of attack is resource-heavy for the attacker, which is why they tend to go after high-value targets; smaller organisations often aren’t worth their time on their own, although a smaller supplier can still be targeted as a stepping stone into a larger customer.

Whilst that might seem a positive for many, it does mean that, as your organisation grows, you’ll need to strengthen your cyber-security to deal with this specific type of attack. Be aware, too, that APTs have targeted foundational security technologies that many kinds of organisation rely on: the 2011 RSA breach is perhaps the most notorious example, because the seed keys securing every RSA SecurID token were put at risk of compromise, resulting in the tokens being replaced.

How Do Advanced Persistent Threats Operate?

As already mentioned, APT attacks are resource-heavy for the attacker. They’ll typically use advanced methods to gain entry to your networks or systems, such as exploiting zero-day vulnerabilities or running highly targeted (spear) phishing campaigns against your staff.

Once in, though, they need to stay in for as long as possible.

To accomplish this, they’ll continuously rewrite the malicious code they’ve placed within your network so that it keeps evading detection. Some APTs are so complex that they require teams of full-time operators and developers to maintain access. It’s also common for APT teams to patch the vulnerability they used to get in, so that no rival attacker can follow them through the same door… they don’t like to share their spoils!

Identifying An APT Attack

APT attacks won’t be easy to catch, but catch them you must: the cost of not doing so can be incalculable for an organisation, in both financial and reputational terms.

Because the tooling is custom-built for the target, hunting for the malicious code itself is unreliable. The more dependable way to detect that an organisation is under attack is to monitor outbound data for anomalies or discrepancies that give away the presence of a cyber actor: volumes that don’t match an account’s history, transfers from accounts that never sent data before, traffic at unusual hours. Data loss prevention (DLP) technologies can play a role here.

How Do Advanced Persistent Threat Attacks Work?

Anyone looking to breach your networks or systems with an APT will have to follow a process something like this (so any step you can take to disrupt them along the way will massively bolster your cybersecurity)…


To start with, they’ll need to gain access.

Many, if not all, of the steps involved here can be dealt with by your standard cybersecurity defences. The difference with APTs isn’t how they get access… it’s how long they’re able to maintain that access undetected.


Once they’re in, they need to stay there for as long as possible.

After breaching your systems or network, the first thing a cyber actor will do is take a look around. They’ll plant malware in your environment that gives them continued access without being detected, and then attempt to dig themselves deeper.

At this stage it’s worth noting that an APT attacker will usually create multiple points of compromise within your systems (several distinct persistence mechanisms), so that if you find and remove one, they still have another. You cannot assume a single clean-up has evicted them… you need to be constantly on the lookout.

They’ll attempt to reach ‘deeper’ systems by cracking or resetting passwords and granting themselves administrative rights over the entire network. Once at that stage, they can move around your organisation (digitally) at will. From there they’ll start to centralise as much of your data as they can, compressing and encrypting it into staging files so that it can be exfiltrated as soon as they judge it safe to do so undetected.

This will be repeated for as long as they’re able to stay unnoticed… stealing new and more valuable data over and over.


One of the hardest things to defend against with APTs is that the attackers likely won’t be using standard, off-the-shelf hacking tools. The tooling will have been tailored to your organisation, which makes a signature-based defence, and a defence strategy in general, much harder to formulate.

Spotting An APT Attack

Despite being hard to detect, APTs do come with some key warning signs that you should always be on the lookout for.

Unusual activity on your staff’s accounts is always a good indicator… especially if large amounts of data are being sent, or data is being sent from an account that has never sent it before. A lack of multi-factor authentication on third-party supplier and staff accounts may have contributed to both the Marriott and BA attacks.

Unusual activity on your databases is another sign to look out for… sudden increases in operations that require broad permissions, new users being added, or permissions being changed… these are all signs that you may be the victim of an APT attack. A single database query triggered the alert that led to the discovery of the Marriott APT, some four years after the initial intrusion.


The last warning sign to look out for is unusual data files in places you wouldn’t expect them (for example, large compressed or encrypted archives in temporary or hidden directories), as this may mean data is being collated ready for exfiltration. As already mentioned, though, detecting anomalies in outgoing data remains the most reliable way to spot an advanced persistent threat.
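The three warning signs above (outbound data that doesn’t match an account’s history, new users and permission changes, and staging files in odd places) can be checked mechanically. The script below is an added example, not code from the original post: it runs those checks over constructed sample logs and then correlates them, raising the severity of an outbound anomaly when the same account was created or granted rights shortly beforehand. The account names, log layouts, thresholds and the list of “staging directory” hints are all assumptions chosen for illustration.

```python
"""Triage of APT warning signs over constructed sample logs.

Added example, not code from the original post. The log formats, account
names, thresholds and STAGING_DIR_HINTS are all assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# --- Constructed sample data -------------------------------------------
# Outbound transfer log: (day, account, bytes_sent). Days 1-6 form each
# account's baseline; day 7 is the day under review.
OUTBOUND_LOG = [
    (1, "alice", 20_000), (2, "alice", 25_000), (3, "alice", 22_000),
    (4, "alice", 21_000), (5, "alice", 24_000), (6, "alice", 23_000),
    (7, "alice", 900_000_000),          # sudden ~900 MB upload
    (1, "bob", 5_000), (2, "bob", 6_000), (3, "bob", 5_500),
    (4, "bob", 6_500), (5, "bob", 5_000), (6, "bob", 6_000),
    (7, "bob", 5_500),                  # in line with bob's history
    (7, "svc-backup", 300_000_000),     # an account with no sending history
]

# Audit log: (day, actor, action, target). Only the privilege-related
# actions in PRIV_ACTIONS are of interest here.
AUDIT_LOG = [
    (6, "alice", "CREATE_USER", "svc-backup"),
    (6, "alice", "GRANT_ROLE", "svc-backup:db_admin"),
    (6, "bob", "LOGIN", "workstation-12"),
]

# File inventory: (path, size_bytes, shannon_entropy_bits_per_byte).
FILE_INVENTORY = [
    ("/home/alice/Videos/training.mp4", 2_000_000_000, 7.95),  # big + dense, but an expected place
    ("/var/tmp/.cache/out.7z", 850_000_000, 7.99),
    ("C:\\Windows\\Temp\\~tmp1.dat", 450_000_000, 7.98),
]

PRIV_ACTIONS = {"CREATE_USER", "GRANT_ROLE", "CHANGE_PERMISSION"}
STAGING_DIR_HINTS = ("/tmp", "/var/tmp", "\\temp\\", "/.")  # assumed, tune per estate


def outbound_anomalies(log, review_day, sigma=3.0, min_bytes=50_000_000):
    """Flag accounts whose outbound volume on review_day is far above their
    own baseline, and accounts that have never sent data before."""
    history = defaultdict(list)
    today = defaultdict(int)
    for day, account, sent in log:
        if day < review_day:
            history[account].append(sent)
        elif day == review_day:
            today[account] += sent
    findings = []
    for account, sent in today.items():
        past = history.get(account)
        if not past:
            findings.append({"account": account, "kind": "first_time_sender", "bytes": sent})
            continue
        spread = max(pstdev(past), 1.0)  # guard against a perfectly flat baseline
        z = (sent - mean(past)) / spread
        if z > sigma and sent >= min_bytes:
            findings.append({"account": account, "kind": "volume_spike",
                             "bytes": sent, "z": round(z, 1)})
    return findings


def privilege_changes(audit, review_window):
    """Return user-creation and permission-change events inside the window."""
    lo, hi = review_window
    return [{"day": d, "actor": a, "action": act, "target": t}
            for d, a, act, t in audit if lo <= d <= hi and act in PRIV_ACTIONS]


def staging_candidates(inventory, min_bytes=100_000_000, min_entropy=7.5):
    """Large, high-entropy (compressed or encrypted) files sitting in temp
    or hidden directories are candidates for an exfiltration staging area."""
    hits = []
    for path, size, entropy in inventory:
        odd_place = any(h in path.lower() for h in STAGING_DIR_HINTS)
        if size >= min_bytes and entropy >= min_entropy and odd_place:
            hits.append(path)
    return hits


def triage(outbound_log, audit, inventory, review_day):
    """Combine the signals. An account that was created, granted rights, or
    did the granting in the previous week and then starts sending data is
    the classic pattern, so those outbound findings are raised to 'high'."""
    findings = outbound_anomalies(outbound_log, review_day)
    priv = privilege_changes(audit, (review_day - 7, review_day))
    touched = {e["target"].split(":")[0] for e in priv} | {e["actor"] for e in priv}
    for f in findings:
        f["severity"] = "high" if f["account"] in touched else "medium"
    return {"outbound": findings, "privilege": priv,
            "staging": staging_candidates(inventory)}


if __name__ == "__main__":
    for category, items in triage(OUTBOUND_LOG, AUDIT_LOG, FILE_INVENTORY, 7).items():
        print(category)
        for item in items:
            print("  ", item)
```

In this constructed run, alice’s day-7 upload is hundreds of standard deviations above her baseline, svc-backup is flagged because it has no history at all, and both are raised to high severity because the audit log shows svc-backup being created and granted db_admin the day before. bob is not flagged, and the large video in an expected location is ignored while the two archives in temp directories are reported. In a real deployment the per-account baseline would come from your proxy, DLP or firewall logs and the thresholds would be tuned to your own traffic.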
