DNS and the Challenge of Advanced Persistent Threats

Most cyber attacks are the online equivalent of a smash-and-grab robbery.


What makes advanced persistent threats different from typical cyber attacks?

Advanced persistent threats differ from typical ‘smash-and-grab’ cyber attacks by their long-term, stealthy nature. Rather than quickly taking data and leaving, APTs involve malware inserted into the network and left undetected for months or years, often dormant or slowly searching for valuable targets. They are frequently used by nation-state actors targeting critical infrastructure and are designed to evade detection by external-facing defenses, making them harder to detect and mitigate.

Why are external-facing filters, firewalls, and SIEMs often ineffective against APTs?

External-facing filters, firewalls, and SIEMs typically focus on traffic that exits or enters the network and on known external indicators of compromise. APTs can operate internally without pinging outside networks or generating the external signatures these tools rely on, allowing malware to remain dormant or move laterally unnoticed. Because the malicious activity often occurs between internal hosts, these perimeter-centric tools may alert that something is wrong but cannot pinpoint the infected client or stop internal spread effectively.

How can DNS-based internal network defense help detect and mitigate APTs?

DNS-based internal defense monitors and intercepts DNS traffic at the client level, enabling visibility into internal name-resolution behavior and client-server interactions that perimeter tools miss. Client-facing DNS monitoring can associate malicious activity with a specific infected client or server so administrators can take targeted action. Additionally, DNS policy controls can block unnecessary internal connections, prevent malware from scanning internal drives for sensitive data, and detect behavioral anomalies or malware signatures through DNS pattern analysis as part of a layered security strategy.

Most cyber attacks are the online equivalent of a smash-and-grab robbery. Criminals tend to leave shortly after finding the information they are looking for, restricting network functionality, or performing an act of cyber vandalism.

“Advanced persistent threat” is a term used for the opposite of a smash-and-grab. It’s the “long con” of cyber attacks. A term originally coined by the US military, advanced persistent threats are a breed of malicious network activity that requires a new defensive posture. Often used by foreign intelligence services, they are the most common weapon of choice for attacks against critical infrastructure.

In an advanced persistent threat, malware is inserted onto the network and then left there, undetected, for months or even years. During this time, the malware may simply be dormant, or it may slowly search through the network for something worth stealing. When malicious actors decide the time is right, they move into the active phase of the attack, triggering the malware to execute on their long-term plan.

Advanced persistent threats are notoriously difficult to detect, and even harder to protect against. Since this kind of threat is internal and may not ping an outside network, the tactics used by detection software, filters and firewalls aren’t always effective.

Internal Network Defense

As the core of any network’s infrastructure, DNS data can play a critical role in identifying and eliminating advanced persistent threats. Most filters and firewalls are external-facing. They only track and trace malware as it interacts with areas outside the network. A client-facing DNS-based security strategy, on the other hand, can monitor and intercept threats as they move around inside a network.

Using DNS for internal network defense can also help to associate malicious activity with a particular client or server. Where an external-facing firewall, filter, or SIEM might alert IT security personnel that something isn’t right, a client-facing DNS monitoring system will pinpoint the infected computer directly, allowing administrators to take concrete action to mitigate the threat.

DNS infrastructure also offers the opportunity to set policies that can prevent the spread of advanced persistent threats within a network. If malware is designed to scan internal network drives for sensitive data, a DNS policy can prevent those connections by refusing name resolution for clients that have no need to access that information. Even on clients with privileged access to sensitive data, DNS pattern analysis can often detect the behavioral aberrations that are the signatures of malware, and help mitigate the threat.
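To make the two ideas above concrete, here is a small added example (not code from the original article or from any BlueCat product): a client-facing DNS policy check run over constructed resolver log lines. It refuses resolution of assumed-sensitive internal names for clients outside an allowlist, and flags a client whose pattern of distinct sensitive lookups looks like internal scanning, so the alert is tied to a specific client address rather than a generic "something is wrong". The log format, hostnames, client addresses, allowlist and threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample resolver log: "time client qname" (format is an assumption)
SAMPLE_LOG = """\
10:00:01 10.1.2.10 mail.corp.example
10:00:02 10.1.2.10 fileshare-01.corp.example
10:00:03 10.1.2.10 fileshare-02.corp.example
10:00:04 10.1.2.10 fileshare-03.corp.example
10:00:05 10.1.2.10 hr-db.corp.example
10:00:06 10.1.2.44 mail.corp.example
10:00:07 10.1.2.44 intranet.corp.example
10:00:08 10.1.3.7 hr-db.corp.example
"""

# Assumed policy: hostnames starting with these labels hold sensitive data,
# and only the listed clients have a business need to resolve them.
SENSITIVE_PREFIXES = ("fileshare-", "hr-db")
ALLOWED_CLIENTS = {"10.1.3.7"}   # e.g. the HR application server (assumed)
SCAN_THRESHOLD = 3               # distinct sensitive names per client

def parse_log(text):
    """Split log lines into (time, client, qname) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def is_sensitive(qname):
    return qname.startswith(SENSITIVE_PREFIXES)

def evaluate(records):
    """Apply the policy. Returns, per client that touched a sensitive name,
    the lookups that would be refused and whether the client's breadth of
    sensitive lookups looks like internal scanning."""
    blocked = defaultdict(list)
    seen = defaultdict(set)
    for _, client, qname in records:
        if not is_sensitive(qname):
            continue
        seen[client].add(qname)
        if client not in ALLOWED_CLIENTS:
            blocked[client].append(qname)   # policy: refuse this resolution
    return {
        client: {"blocked": blocked[client],
                 "scanning": len(seen[client]) >= SCAN_THRESHOLD}
        for client in seen
    }

if __name__ == "__main__":
    for client, verdict in evaluate(parse_log(SAMPLE_LOG)).items():
        print(client, verdict)
```

In the sample, 10.1.2.10 is both refused and flagged as scanning, while the allowlisted 10.1.3.7 resolves hr-db normally and 10.1.2.44 never appears because it touched nothing sensitive.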

Advanced persistent threats are a growing concern in the cyber security community – and for good reason. They are designed precisely to seep into network infrastructure in ways that are difficult to detect. A layered security strategy that includes the ability to monitor internal DNS traffic and set policies accordingly offers a stronger defense against this insidious threat.
