An advanced persistent threat (APT) is a broad term used to describe an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data. Tracelay Ospreys Research identifies & monitors threats across the globe to proactively seek out malicious activity and identify security gaps within our customers’ environments. Through hunting engagements, the team has unearthed numerous targeted attacks, APTs, and sophisticated malware that would have otherwise gone unnoticed. Tracelay closely working with Global Threat Intelligence company for advanced threat intelligence collection.


Executing an APT assault requires more resources than a standard web application attack. The perpetrators are usually teams of experienced cyber criminals having substantial financial backing. Some APT attacks are government-funded and used as cyber warfare weapons.More common attacks, such as remote file inclusion (RFI), SQL injection and cross-site scripting (XSS), are frequently used by perpetrators to establish a foothold in a targeted network. Next, Trojans and backdoor shells are often used to expand that foothold and create a persistent presence within the targeted perimeter.

Advanced persistent threat (APT) progression

Stage 1 – Infiltration Enterprises are typically infiltrated through the compromising of one of three attack surfaces: web assets, network resources or authorized human users. This is achieved either through malicious uploads (e.g., RFI, SQL injection) or social engineering attacks (e.g., spear phishing)—threats faced by large organizations on a regular basis. Additionally, infiltrators may simultaneously execute a DDoS attack against their target. This serves both as a smoke screen to distract network personnel and as a means of weakening a security perimeter, making it easier to breach. Once initial access has been achieved, attackers quickly install a backdoor shell—malware that grants network access and allows for remote, stealth operations. Backdoors can also come in the form of Trojans masked as legitimate pieces of software.

Stage 2 – Expansion After the foothold is established, attackers move to broaden their presence within the network. This involves moving up an organization’s hierarchy, compromising staff members with access to the most sensitive data. In doing so, they’re able to gather critical business information, including product line information, employee data and financial records. Depending on the ultimate attack goal, the accumulated data can be sold to a competing enterprise, altered to sabotage a company’s product line or used to take down an entire organization. If sabotage is the motive, this phase is used to subtly gain control of multiple critical functions and manipulate them in a specific sequence to cause maximum damage. For example, attackers could delete entire databases within a company and then disrupt network communications in order to prolong the recovery process.

Stage 3 – Extraction While an APT event is underway, stolen information is typically stored in a secure location inside the network being assaulted. Once enough data has been collected, the thieves need to extract it without being detected. Typically, white noise tactics are used to distract your security team so the information can be moved out. This might take the form of a DDoS attack, again tying up network personnel and/or weakening site defenses to facilitate extraction.


An effective APT protection strategy requires a combination of security measures to protect every part of your perimeter. Imperva is able to play a key role in protecting your web servers and web application with the following solutions: Web Application Firewall – Our PCI DSS compliant service is an enterprise-grade security solution that monitors incoming web traffic and blocks all hacking attempts on the edge of your network. The WAF is offered as a cloud-based managed service and is maintained by a team of experts. The solution comes complete with a custom rules engine that can be used for access control and enforcement of case-specific security policies. Backdoor protection – A WAF feature that takes a novel approach to backdoor detection. Instead of looking for suspect files, which are often carefully disguised, While inspecting traffic to a web server, this service intercepts attempts to interact with the shell to reveal its location. Two-factor authentication – A flexible access control solution that allows you to deploy a 2FA gateway on any URL address, with the click of a button. The service also allows easy management of access privileges and can be integrated with any web environment. DDoS protection – An award winning service that mitigates all application and network layer attacks, including the white noise attacks used to distract security personnel and weaken your network perimeter.