The unsatisfactory term "Advanced Persistent Threat" is shorthand for a decade-long program of coordinated attacks that originate mostly from China and try to exfiltrate corporate intellectual property. If your company has not been targeted, congratulations, but you need to be prepared.
I call the term APT "unsatisfactory" not only because it can mean different things when used by different security companies, government and military agencies, etc., but also because the intrusion techniques employed by state actors often are not very advanced.
Russian cybercriminals bent on self-enrichment employ advanced toolkits that may include exploits for zero-day vulnerabilities, flaws that are previously unknown and therefore unpatched. But Chinese hacking teams are much more likely to rely on known vulnerabilities in conjunction with social engineering and spear phishing.
However, the "persistent" part of the term is accurate. APT intrusions may last for months or years. These are not one-shot hacks.
Cyberattacks have been with us as long as the Internet has, but until 10 to 12 years ago, they looked more like government-to-government espionage than deliberate attempts to exfiltrate private intellectual property. The attacks gradually broadened to target defense companies and then other critical industries, including energy, finance, and security. Here is a partial list of major APT activity over the past two years:
Security companies, the technical press, and lately the general press have increasingly pointed out circumstantial evidence that the Chinese government and/or military are behind most of the industrial espionage attacks. This drumbeat culminated late last year in a US government report naming China and Russia. The experts who worked on that report said in later interviews that as few as a dozen hacking groups appear to be behind most of the attacks.
Investigations indicate that the dozen or so Chinese teams get "taskings" to go after specific technologies or companies within a given industry. Sometimes two or more teams appear to get the same target list, and they then compete to be first or to get the most valuable trove of data.
China has always denied having anything to do with the attacks. Ironclad proof of its involvement will always be elusive, but the circumstantial evidence is mounting. For example, McAfee researchers found that the "Night Dragon" attackers were always active within a time window of 9:00 a.m. to 5:00 p.m. in the time zone that includes Beijing.
The security expert Bruce Schneier notes an important way the APT differs from more familiar threats, which tend to be motivated by either money or politics. When dealing with such attacks, what matters is your relative level of protection -- if you are more secure than 90 percent of your competitors, the traditional hackers will pass you by and go after them. When facing the APT, the absolute level of your protection needs to be up to snuff.
The Australian Defence Signals Directorate maintains a prioritized list of 35 APT mitigation strategies (though it calls the attacks "targeted cyber intrusions"). The Directorate estimates that 85 percent of APT attacks could be mitigated by the simple steps of consistent patching (of both operating systems and applications), application whitelisting, and reducing the number of users with administrative privileges. Implementing processes farther down the list -- data-loss prevention, user behavior analysis -- boosts your safety even more. The SANS Institute offers training in these and other advanced security techniques.
If your company has any involvement in national security or major global economic activities -- even peripherally -- you should expect to come under pervasive and continuous APT attacks that go after archives, document stores, intellectual property repositories, and other databases. Make sure your people and processes are up to the challenge.