Security

DNS and the Challenge of Advanced Persistent Threats

Most cyber attacks are the online equivalent of a smash-and-grab robbery.

Last updated: September 15, 2025

An avatar of the author
Jodi Schechter
Security detail guarding a parked SUV, illustrating strong protection against targeted, persistent cyber threats
Key Takeaways
  • Advanced persistent threats (APTs) are long-duration attacks in which malware remains undetected on a network for months or years before execution.
  • Because APT activity is often internal and may not communicate externally, traditional perimeter defenses like firewalls, filters, and some SIEM deployments are insufficient for detection.
  • Client-facing DNS-based security enables monitoring of internal DNS traffic to identify and intercept malicious behavior as it moves laterally within the network.
  • DNS visibility can associate suspicious activity with specific clients or servers, allowing administrators to locate infected assets and respond with targeted remediation.
  • DNS policies can be used to restrict unauthorized internal connections, limiting malware’s ability to scan network drives or access sensitive resources.
  • Behavioral and pattern analysis of DNS queries helps identify anomalies indicative of APT activity, strengthening a layered security strategy against these threats.

Most cyber attacks are the online equivalent of a smash-and-grab robbery. Criminals tend to leave shortly after finding the information they are looking for, restricting network functionality, or performing an act cyber vandalism.

“Advanced persistent threat” is a term used for the opposite of a smash-and-grab. It’s the “long con” of cyber attacks. A term originally coined by the US military, advanced persistent threats are a breed of malicious network activity that require a new defensive posture. Often used by foreign intelligence services, they are the most common weapon of choice for attacks against critical infrastructure.

In an advanced persistent threat, malware is inserted onto the network and then left there, undetected, for months or even years. During this time, the malware may simply be dormant, or it may slowly search through the network for something worth stealing. When malicious actors decide the time is right, they move into the active phase of the attack, triggering the malware to execute on their long-term plan.

Advanced persistent threats are notoriously difficult to detect, and even harder to protect against. Since this kind of threat is internal and may not ping an outside network, the tactics used by detection software, filters and firewalls aren’t always effective.

Internal Network Defense

As the core of any network’s infrastructure, DNS data can play a critical role in identifying and eliminating advanced persistent threats. Most filters and firewalls are external-facing. They only track and trace malware as it interacts with areas outside the network. A client-facing DNS-based security strategy, on the other hand, can monitor and intercept threats as they move around inside a network.

Using DNS for internal network defense can also help to associate malicious activity with a particular client or server. Where an external-facing firewall, filter, or SIEM might alert IT security personnel that something isn’t right, a client-facing DNS monitoring system will pinpoint the infected computer directly, allowing administrators to take concrete action to mitigate the threat.

DNS infrastructure also offers the opportunity to set policies that can prevent the spread of advanced persistent threats within a network. If malware is designed to scan internal network drives for sensitive data, a DNS policy can prevent those connections by shutting down network traffic that originates from clients without a need to access that information. Even on clients with privileged access to sensitive data, DNS pattern analysis can often detect behavioral aberrations, the signatures of malware, and mitigate the threat.

Advanced persistent threats are a growing concern in the cyber security community – and for good reason. They are designed precisely to seep into network infrastructure in ways that are difficult to detect. A layered security strategy that includes the ability to monitor internal DNS traffic and set policies accordingly offers a stronger defense against this insidious threat.

Published in:

Security

Published on: September 7, 2017

An avatar of the author

Growth by Content is what I do. I’m fuelled by conversations, coffee and sarcasm.

Related content

Close-up of interlocked metal chain links symbolizing connected network objects and relationships in IPAM
Blog

How to map your network with user-defined links in Integrity X

Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.

Read more
Flock of geese flying in formation across a blue sky, framed by a pink graphic border, symbolizing coordinated network migrat
Blog

Automate your DDI modernization path by migrating with Micetro

Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.

Read more
Three armored figures walking toward a futuristic Las Vegas skyline with pyramids, glowing orb, and "Welcome to Fabulous Las
Blog

Your journey to intelligent NetOps begins at Cisco Live

Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.

Read more
Stacked colorful wooden directional arrows on a post by a calm seaside with distant hills and blue sky
Blog

Replace BIND and ISC with Micetro DNS/DHCP Server (MDDS)

Tired of patching and manually configuring BIND DNS and ISC DHCP? Discover how Micetro MDDS appliances can replace them for modern DDI.

Read more