SANS Digital Forensics and Incident Response Blog

M-Trends: The Advanced Persistent Threat

M-Trends Cover

M-Trends Quote: "Most APT Malware is not packed, because packing is relatively easily detected. APT attackers that use packed malware are usually more advanced in their skills." — APT Malware Trends and Statistics Section
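The quote above says packing is "relatively easily detected" without saying how. The most common first-pass check is byte entropy: compressed or encrypted section contents sit close to 8 bits per byte, while ordinary code and strings sit well below. The script below is an added example, not code from the report or from MANDIANT, and its inputs are constructed stand-ins for PE section contents rather than real samples. The 7.0 bits/byte cut-off and the 512-byte window size are assumed rules of thumb, not figures from the report; a real triage tool would read section contents from the PE section table and pair entropy with other signals such as a near-empty import table.

```python
import math
import random
from collections import Counter

# Rule of thumb, not a figure from the report: section contents whose byte
# entropy approaches 8 bits/byte look compressed or encrypted, i.e. packed.
PACKED_ENTROPY_THRESHOLD = 7.0
CHUNK_SIZE = 512  # assumed window size for localising a high-entropy region


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK_SIZE):
    """Entropy of each fixed-size window, so a clear-text stub in front of an
    encrypted blob does not average away the blob."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def high_entropy_fraction(data: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> float:
    """Share of windows at or above the threshold; 0.0 for an empty section."""
    ents = chunk_entropies(data)
    if not ents:
        return 0.0
    return sum(1 for e in ents if e >= threshold) / len(ents)


def triage(sections, threshold: float = PACKED_ENTROPY_THRESHOLD):
    """Per-section entropy and a packed/not-packed verdict for a {name: bytes} map."""
    result = {}
    for name, data in sections.items():
        whole = shannon_entropy(data)
        result[name] = {
            "entropy": round(whole, 2),
            "packed": whole >= threshold,
            "high_entropy_fraction": round(high_entropy_fraction(data, threshold), 2),
        }
    return result


def build_samples():
    """Constructed stand-ins for PE section contents (not real malware)."""
    rng = random.Random(1234)
    # A handful of common x86 opcode bytes: a crude stand-in for unpacked code.
    opcodes = [0x55, 0x8B, 0xEC, 0x83, 0xC4, 0x00, 0x48, 0x89, 0xE5, 0xC3, 0x90, 0xFF, 0x15]
    text = bytes(rng.choice(opcodes) for _ in range(4096))
    strings = b"This program cannot be run in DOS mode.\r\n" * 64
    # Uniformly random bytes approximate a compressed or encrypted payload.
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        ".text": text,
        ".rdata": strings,
        "UPX1": payload,                   # hypothetical packed-payload section
        ".mixed": text[:1024] + payload,   # clear stub followed by the packed blob
    }


if __name__ == "__main__":
    for name, verdict in triage(build_samples()).items():
        print(f"{name:8} entropy={verdict['entropy']:.2f} "
              f"high_entropy_windows={verdict['high_entropy_fraction']:.2f} "
              f"packed={verdict['packed']}")
```

The windowed measure is what makes this usable on real sections: a packer's unpacking stub is small and low-entropy, so reporting where the high-entropy windows start is more useful than one number for the whole section. Entropy alone is a screen, not a verdict; legitimately compressed resources and embedded certificates also score high, which is why the quote's second sentence matters: packed samples deserve a closer look, not an automatic conviction.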


M-Trends Quote: "Most organizations struggle to detect real incidents. Organizations that rely solely on automated security appliances are ripe targets for an APT intrusion." — APT Victim Recommendations


M-Trends Quote: "Standard security tools usually do not detect APT malware. When MANDIANT discovers new APT malware, we scan it with the anti-virus and anti-malware programs that most organizations use. Of the samples we discovered and examined, only 24% of all the APT malware was detected by security software." — APT Malware Trends and Statistics Section



Over the past two years, there have been many discussions surrounding China and the Advanced Persistent Threat (APT). While I teach for SANS, my full-time job is at MANDIANT. MANDIANT is one of the primary incident response companies routinely called to investigate and defend networks compromised by the APT.

The APT is a group of sophisticated and coordinated attackers that has been systematically compromising U.S. government and commercial computer networks for years. The vast majority of APT activity observed by MANDIANT appears to be linked to China.

The APT threat is real. It affects everyone. These are not hobbyist hackers. They are professionals who aim to steal your data and maintain a presence on your network to gain economic or intellectual advantage.

M-Trends is a report prepared by MANDIANT consultants and computer security professionals who specialize in investigating computer network intrusions and have years of experience fighting the APT.

We are releasing the report to help further the discussion on the threat and share the knowledge we have gained combating the APT.

Knowledge. Experience. Real Data.

You need to be able to see specifically how the attacks take place, why they are so effective, and who they target. The APT is not a single zero-day exploit that makes the news. The attackers have created hundreds of malware utilities and backdoors aimed at one purpose: maintaining a foothold inside your organization's network.

If you would like to be on a list to receive the report please fill out an automated submission to:


M-Trends Quote: "Organizations that take information security seriously and move beyond just meeting compliance guidelines have the best chance of detecting and remediating the APT." — APT Victim Recommendations


M-Trends Quote: "In one instance, over 96 separate malicious APT-related files comprising various backdoors and utilities were identified on an individual system. Over 150 total systems appeared to have been compromised at the organization, with the earliest known compromise occurring at least two years prior." — APT Case Studies

Rob Lee is a Director for MANDIANT, a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. Government. Rob has over 13 years of experience in computer forensics, vulnerability discovery, intrusion detection and incident response. Rob is the lead course author and faculty fellow for the computer forensic courses at the SANS Institute and lead author for SEC408 Computer Forensic Essentials and SEC508 Computer Forensics, Investigation, and Response.