Determined Adversaries

Over the past two decades the internet has become fundamental to the pursuit of day-to-day commercial, personal, and governmental business. However, the ubiquitous nature of the internet as a communications platform has also increased the risk to individuals and organizations from cyberthreats. These threats include website defacement, virus and worm (or malware) outbreaks, and network intrusion attempts. In addition, the global presence of the internet has allowed it to be used as a significant staging ground for espionage activity directed at industrial, political, military, and civil targets.

During the past 5 years, one specific category of threat has become much more widely discussed. Originally referred to as Advanced Persistent Threats (APT) by the U.S. military — referring to alleged nation-state sponsored attempts to infiltrate military networks and exfiltrate sensitive data — the term APT is today widely used in media and IT security circles to describe any attack that seems to specifically target an individual organization, or is thought to be notably technical in nature, regardless of whether the attack was actually either advanced or persistent.

In fact, this type of attack typically involves two separate components — the action(s) and the actor(s) — that may be targeted against governments, military organizations or, increasingly, commercial entities and civil society.

The actions are the attacks themselves, which may be IT-related or not, and are referred to as Targeted Attacks in this paper. These attacks are initiated and conducted by human actors, who are collectively referred to in this paper as Determined Adversaries. These definitions are important because they emphasize the point that the attacks are carried out by human actors who may use any tools or techniques necessary to achieve their goals; these attacks are not merely malicious software or exploits. Using an encompassing term such as APT can mask this reality and create the impression that all such attacks are technically sophisticated and malware-driven, making it harder to plan an effective defensive posture.

For these reasons, this paper uses Targeted Attacks and Determined Adversaries as more specific and meaningful terms to describe this category of attack.

Targeted Attacks. The attackers target individuals or organizations to attack, singly or as a group, specifically because of who they are or what they represent; or to access, exfiltrate, or damage specific high-value assets that they possess. In contrast, most malware attacks are more indiscriminate with the typical goal of spreading malware widely to maximize potential profits.

Determined Adversaries. The attackers are not deterred by early failures and they are likely to attack the same target repeatedly, using different techniques, until they succeed. These attackers will regroup and try again, even after their attacks are uncovered. In many cases the attacks are consciously directed by well-resourced sponsors. This provides the attackers with the resources to adapt to changing defenses or circumstances, and directly supports the persistence of attacks where necessary.

Determined Adversaries and Targeted Attacks may employ combinations of technology and tactics that enable the attacker to remain anonymous and undiscoverable, which is why these methods of attack might appeal to agencies of nation states and other entities who are involved in espionage-related activities.

Hardening the perimeters of computer networks is not a sufficient defensive strategy against these threats. Many computer security experts believe that a well-resourced and determined adversary will usually be successful in attacking systems, even if the target has invested in its defensive posture.

Rather than the traditional focus on preventing compromise, an effective risk management strategy assumes that Determined Adversaries may successfully breach any outer defenses. The implementation of the risk management strategy therefore balances investment in prevention, detection, containment and recovery.

Microsoft has a unique perspective on Targeted Attacks, as both a potential target of attacks and a service and solution provider to potential victims. This paper shares Microsoft’s insights into the threat that Determined Adversaries and Targeted Attacks pose, identifies challenges for organizations seeking to combat this threat category and provides a context for other papers that will directly address each of those.
