The university of tulsa Online Blog


Advanced Persistent Threats: Tools for Professionals

Written by: University of Tulsa   •  Dec 15, 2025


Organizations across the public and private sectors face cyber threats constantly, with security incidents consistently reaching record highs in recent years. In 2024, the FBI’s Internet Crime Complaint Center (IC3) received nearly 860,000 complaints, only slightly down from 2023’s all-time high of 880,000. Despite the modest dip in volume, reported financial losses surged above $16 billion in 2024, marking a 33% increase from the previous year.

Industry experts have also reported a sharp rise in the number of so-called hands-on intrusions: attacks by human adversaries who actively engage with target systems in real time. According to the CrowdStrike 2024 Global Threat Report, these interactive intrusions increased by 60% year over year in 2023.

One of the most dangerous types of hands-on intrusion is an advanced persistent threat (APT). APTs are stealthy, targeted cyber attacks in which hackers gain and maintain long-term access to a network — often to conduct espionage, steal sensitive data (in many cases for financial gain), or disrupt operations. These attacks typically take aim at high-value targets such as government agencies, large corporations, and critical infrastructure.

While technological advancements and the rapid expansion of digital connectivity have allowed APT threat actors to step up the scale and sophistication of their attacks, they’ve also allowed security professionals to develop more robust defenses against them. The key to combating advanced persistent threats? Tools and strategies that prevent, detect, disrupt, and eliminate attacks before they cause serious harm.

What Is an Advanced Persistent Threat?

An advanced persistent threat is a highly coordinated, multistage cyber attack in which skilled adversaries infiltrate a network and remain undetected for an extended period. Unlike broader, more traditional attacks - which typically seek easy targets and rely on volume and speed to be effective - APTs are sophisticated, customized operations backed by individuals or groups with substantial resources, such as nation-states or organized crime. 

APTs have specific, strategic goals, which vary depending on the entity or entities behind the attack. Their aims may include:

  • Cyber espionage: Stealing intellectual property, such as trade secrets, or sensitive government data to gain political or economic advantage

  • Cybercrime for financial gain: Deploying ransomware or similar methods to steal valuable data and hold it hostage in exchange for payment

  • Disruption or sabotage: Targeting organizations or public infrastructure to immobilize operations or damage systems

Certain groups may use APTs as tools for hacktivism to promote a political or social agenda, such as exposing corruption or highlighting human rights violations. 

APTs go after large entities — from individual organizations to entire industries — that possess valuable information or assets, with attackers selecting targets based on strategic relevance. Common targets of APTs include government agencies, technology companies, financial institutions, and health care providers. 

Phases of an Advanced Persistent Threat

Although every attack is unique, most APT campaigns follow a standard playbook consisting of sequential phases, including:

  1. Conduct reconnaissance. Before they launch an attack, APT actors research their target, gathering data about its systems, personnel, and potential vulnerabilities. They may achieve this by scanning publicly available data sources or through social engineering tactics designed to extract information from specific individuals within the organization. 

  2. Achieve initial compromise. Hackers break into the network. APTs gain access through various means, such as stolen credentials (gained via phishing attacks) or software vulnerabilities. 

  3. Establish persistence. After gaining initial access, hackers deploy malware that embeds itself within the network’s servers, where it can probe for vulnerabilities and create additional persistence points so that the intrusion survives even if other access points are closed. This allows hackers to maintain a covert, long-term presence within the network.

  4. Move laterally. Once they’ve embedded themselves inside the network, attackers can move from system to system, gathering more data (account names, passwords) and identifying valuable assets. This phase, often measured as the “breakout time” — how long it takes for an intruder to begin moving laterally after initial compromise — is a key indicator of an APT’s efficacy and a security team’s detection and response capabilities.

  5. Steal or disrupt data. Hackers begin stealing valuable data, often using a staging server within the network to collect it and then exfiltrate it to an external server. During this phase, attackers may launch separate attacks, such as a denial-of-service (DoS) attack, to distract security teams.

Real-World Examples and Impacts of Advanced Persistent Threats

Within the last several years, a number of notable APTs have struck major financial institutions, government agencies, and energy infrastructure. These incidents have caused billions in losses, exposed sensitive information, and contributed to reputational damage across the public and private sectors.

Below are some recent high-profile APTs that illustrate how damaging these attacks can be and why investing in tools to combat APTs is critical.

SolarWinds

In 2019, SolarWinds, a software supplier serving thousands of public- and private-sector organizations, came under attack when hackers inserted malicious code into updates for its Orion platform. The breach gave attackers access to the networks of many SolarWinds customers, including multiple U.S. federal agencies, primarily for the purpose of espionage. 

The financial fallout of the attack was substantial. Companies affected by the attack lost an average of 11% of their annual revenue, according to the IronNet 2021 Cybersecurity Impact Report. Of the nearly 500 security professionals surveyed in the report, 85% said they were impacted negatively by the SolarWinds attack, including nearly a third who said the impacts were significant. 

Volt Typhoon

Volt Typhoon, a state-sponsored hacking group based in China, carried out a series of undetected, long-running cyber intrusions targeting U.S. infrastructure, including transportation, communication, and energy systems. While those breaches were discovered in 2023, U.S. intelligence agencies suspect the group maintained access to certain networks for at least five years. 

Security experts have warned that the campaign appeared to be laying the groundwork for future disruptions to critical infrastructure. 

Change Healthcare

In 2024, a group of Russia-based cybercriminals launched a major cyber attack against Change Healthcare, a health care technology company that services thousands of providers across the country. The organization plays a vital role in keeping the nation’s health care system running, processing approximately 15 billion transactions annually, from insurance verification to prescription drug claims, according to the American Hospital Association (AHA). 

In addition to exposing the personal data of nearly 200 million people, the attack caused widespread operational and financial disruption to institutions. In some cases, it directly affected patient care, including delays in authorizations for medical care. 

Combating Advanced Persistent Threats: Tools and Strategies for Security Experts

Because APTs are deliberately stealthy, persistent, and highly customized, defending against them requires more than traditional cybersecurity tools. These attacks unfold gradually and quietly, meaning effective resistance relies on early detection and constant vigilance.

Recognizing the growing risk APTs pose — particularly with the rise of artificial intelligence (AI) — organizations are investing more heavily in APT solutions. The advanced persistent threat protection market is projected to surge over the next several years, climbing from roughly $6.8 billion in 2023 to $24.5 billion in 2030, an increase of more than 250%, according to Grand View Research. 

Below are some of the key tools and strategies organizations can employ to minimize the risk of APTs and the damage they cause.

Building Visibility and Intelligence

The first line of defense is visibility. Organizations need to be able to see across their entire information technology (IT) environment — from endpoints and servers to cloud applications. Broad sensor coverage can help minimize blind spots where intruders might hide.

Tools such as security information and event management (SIEM) platforms enhance visibility by collecting and analyzing data from across a network, correlating events in real time to draw attention to potentially suspicious behavior that might otherwise go undetected. 

Gathering threat intelligence is also vital to boosting vigilance. By collecting and analyzing data about attackers, including their motives, tactics, and tools, security teams can gain valuable insight that allows them to recognize patterns and anticipate future attacks. For example, feeding technical intelligence, such as indicators of compromise (IOCs), into a SIEM platform can help enhance detection and response. 

This data-driven approach shifts organizations from reacting to events to proactively identifying and countering APT activity before it escalates. 
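The two ideas above (matching events against an IOC feed, then correlating events across hosts in time) and the “breakout time” metric from the phases section can be shown together in a few lines. The following is an added example, not code from the original post or from any SIEM product; the hosts, IP addresses, filenames and timestamps are constructed sample values, and the correlation rule (earliest IOC hit on a host followed by a remote logon sourced from that host) is one simple rule chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed threat-intel feed (sample values, not real indicators):
# indicator value -> label an analyst would see in the alert.
IOCS = {
    "198.51.100.7": "sample C2 address",
    "badupdate.exe": "sample dropper filename",
}

# Constructed endpoint/network events, as a SIEM would receive them:
# (ISO timestamp, host, event type, details).
EVENTS = [
    ("2025-01-10T09:00:00", "ws-14", "process_start", {"image": "outlook.exe"}),
    ("2025-01-10T09:02:10", "ws-14", "process_start", {"image": "badupdate.exe"}),
    ("2025-01-10T09:02:15", "ws-14", "net_connect", {"dst_ip": "198.51.100.7"}),
    ("2025-01-10T09:40:00", "ws-14", "net_connect", {"dst_ip": "203.0.113.5"}),
    ("2025-01-10T10:15:30", "srv-db1", "remote_logon", {"src_host": "ws-14", "user": "svc_backup"}),
]

def ioc_hits(events):
    """Tag every event whose details contain a value from the IOC feed."""
    hits = []
    for ts, host, etype, details in events:
        for value in details.values():
            if value in IOCS:
                hits.append((ts, host, etype, f"{value}: {IOCS[value]}"))
    return hits

def breakout_time(events, window=timedelta(hours=24)):
    """Correlate the earliest IOC hit on a host ("patient zero") with the
    first remote logon that originates from that host within the window.
    Returns the seconds between the two, an estimated breakout time."""
    hits = ioc_hits(events)
    if not hits:
        return None
    t0_str, patient_zero, _, _ = min(hits, key=lambda h: h[0])
    t0 = datetime.fromisoformat(t0_str)
    for ts, host, etype, details in sorted(events, key=lambda e: e[0]):
        if etype != "remote_logon" or details.get("src_host") != patient_zero:
            continue
        delta = datetime.fromisoformat(ts) - t0
        if timedelta(0) <= delta <= window:
            return {"patient_zero": patient_zero, "pivot_to": host,
                    "seconds": int(delta.total_seconds())}
    return None

if __name__ == "__main__":
    for hit in ioc_hits(EVENTS):
        print("IOC hit:", hit)
    print("breakout:", breakout_time(EVENTS))
```

On the sample events the dropper and the C2 connection are flagged, and the logon from ws-14 to srv-db1 roughly 73 minutes later is reported as the pivot.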

Strengthening Detection and Response

Because APTs are designed to blend in with normal network activity, detecting them requires a combination of advanced tools and human expertise. Solutions such as extended detection and response (XDR) and endpoint detection and response (EDR) monitor and analyze endpoint and network activity, flagging anomalies that indicate an attack and mitigating emerging threats.

  • EDR tools focus on endpoints such as laptops, tablets, and smartphones, tracking how they behave and alerting security analysts to suspicious activity. EDR solutions can also provide insight into the entire threat life cycle, revealing how an attack transpired and steps to mitigate future threats.

  • XDR platforms expand that visibility across multiple layers of an organization’s digital environment, including endpoints, cloud applications, email, and data stores. Powered by AI and automation, XDR integrates investigation, detection, and response across this entire landscape.

Managed detection and response (MDR) strategies combine advanced technology with hands-on analyst support to drive 24/7 monitoring and proactive threat hunting. Blending technology with human analysis allows a more holistic and effective approach to identifying and mitigating threats. 

Layered Prevention and Control

Preventing APT intrusions requires a multilayered approach that combines technology, policy, and training. Common entry points include phishing emails and unpatched vulnerabilities, so prevention begins with:

  • Employee awareness: Training staff to spot suspicious activity, like phishing attempts

  • Patch management: Keeping systems and applications up to date to fix vulnerabilities

  • Network segmentation and least-privilege access: Limiting the extent to which attackers can move if they gain access to a network; requiring multi-factor authentication (MFA) for authorized users also enhances access control

Some of the most effective security tools against APTs include a web application firewall (WAF) and a next-generation firewall (NGFW) — both further protect networks by monitoring and filtering application and network traffic. These tools help block malicious requests and prevent unauthorized data transfers or exfiltration, reducing the risk of a successful breach.

Future of Defense

New technologies are reshaping how security professionals counter APTs and other complex threats. AI and machine learning already enhance detection by spotting subtle patterns that human analysts often miss. However, AI also empowers attackers, allowing them to craft more effective phishing campaigns with generative AI and automate aspects of an attack.

To meet this challenge, some organizations are adopting an advanced persistent security (APS) approach. Similar to the threats they combat, APS systems are persistent — continuously monitoring for abnormal behavior, learning from network activity, and adapting to new attack techniques. By leveraging machine learning algorithms and security expertise, APS systems aim to outwit even the most savvy hackers.

Staying Ahead of Advanced Threats

As cyber attacks continue to grow in scale and sophistication, APTs remain among the most dangerous adversaries facing modern organizations. Their stealth, complexity, and persistence demand defenses that are equally intelligent and adaptive.

Cybersecurity strategies that combine visibility, access control, human analysis, and AI-driven detection and response can strengthen security teams’ ability to counter these threats before lasting damage occurs. 

In an era of ever-present digital dangers, investing in tools to fight advanced persistent threats is essential.
