  • Essay / Advanced Persistent Threat and Its Relationship to Organizational Security

    Advanced Persistent Threats (APTs) are among the most critical threats facing modern organizations. Unlike large-scale automated attacks, APTs are human-driven intrusions carried out over long periods of time, tailored to the targeted organization after an intelligence-gathering phase (possibly on open sources), and they can even rely on previously unknown (zero-day) exploits to break into vulnerable systems. The economic cost to an organization hit by an APT can reach millions of dollars, and its reputation can be damaged. As large enterprise networks continue to grow in traffic volume and number of connected devices, designing and implementing advanced network monitoring systems and security analysis algorithms capable of detecting APT attacks quickly poses a significant research challenge. Traditional security solutions based on pattern matching work well at detecting known attacks, but they cannot identify APTs, because attackers typically exploit unknown vulnerabilities and use standard protocols and encrypted communications (e.g., HTTPS) to escape detection. Likewise, existing traffic analyzers can detect common types of attack (e.g., distributed denial of service and worms), but they are inadequate for identifying APTs, because an expert attacker mimics normal behavior and compromises only a limited number of specific hosts, avoiding the wide spread of infection that is typical of automated malware. A further problem of current detection systems deployed in large architectures is the volume of alarms they generate, at least in the order of thousands per day. Such a setting would require either a large number of dedicated security analysts or, more realistically, ignoring most of the alarms. Finally, the focus here on traffic logs reflects a realistic business scenario in which host-based logs (e.g., system calls) would be extremely expensive to collect and analyze.
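The paragraph above argues that signature matching and conventional traffic analyzers miss APT command-and-control traffic because it rides on ordinary encrypted protocols, touches few hosts, and drowns in alarm volume. The following is an added example, written for this page and not taken from the essay or from any product or paper it cites, of the kind of signature-free traffic-log analysis that argument points to: it looks for periodic ("beaconing") HTTPS connections from a host to a destination that few other hosts in the fleet contact, and it uses a fleet-wide prevalence filter to suppress regular but legitimate traffic such as scheduled backups. All hostnames, IP addresses and flow records are constructed for illustration; the thresholds are assumptions to be tuned per environment.

```python
"""Heuristic beaconing detector over constructed network-flow records.

Added example for illustration only: the flow log, hostnames and IPs
below are made up, and the thresholds are assumptions, not tuned values.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# A flow record: (epoch seconds, source host, destination "addr:port", bytes out).
Flow = Tuple[int, str, str, int]


def build_flows() -> List[Flow]:
    """Constructed sample traffic log (not real data).

    - ws-07 beacons to 203.0.113.10:443 every ~300 s with a few seconds of jitter.
    - Twenty workstations fetch from cdn.example.net:443 at irregular intervals.
    - Fifteen workstations run an hourly backup to backup.example.net:443
      (perfectly periodic, but seen from many hosts: legitimate scheduled traffic).
    - ws-07 also browses news.example.org:443 irregularly.
    """
    flows: List[Flow] = []
    t0 = 1_700_000_000

    jitter = [-2, 1, 0, 2, -1]          # small timing noise on the beacon
    t = t0
    for i in range(24):
        t += 300 + jitter[i % len(jitter)]
        flows.append((t, "ws-07", "203.0.113.10:443", 412))

    irregular = [37, 410, 95, 820, 12, 233, 61, 555, 148, 902]  # human-like gaps
    for h in range(1, 21):
        t = t0 + h * 17
        for i in range(12):
            t += irregular[(i + h) % len(irregular)]
            flows.append((t, f"ws-{h:02d}", "cdn.example.net:443", 20_000 + i))

    for h in range(1, 16):
        for i in range(10):
            flows.append((t0 + 120 + h + i * 3600, f"ws-{h:02d}",
                          "backup.example.net:443", 5_000_000))

    t = t0 + 5
    for i in range(10):
        t += irregular[(i * 3) % len(irregular)]
        flows.append((t, "ws-07", "news.example.org:443", 3_000))

    return sorted(flows)


@dataclass
class PairStats:
    src: str
    dst: str
    connections: int
    mean_interval: float
    cv: float             # coefficient of variation of inter-arrival gaps (0 = perfectly periodic)
    dst_prevalence: int   # distinct internal hosts that contacted dst
    bytes_out: int


def summarize(flows: List[Flow]) -> Dict[Tuple[str, str], PairStats]:
    """Per (src, dst) timing statistics plus fleet-wide destination prevalence."""
    times: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    bytes_out: Dict[Tuple[str, str], int] = defaultdict(int)
    hosts_per_dst: Dict[str, set] = defaultdict(set)
    for ts, src, dst, nbytes in flows:
        times[(src, dst)].append(ts)
        bytes_out[(src, dst)] += nbytes
        hosts_per_dst[dst].add(src)

    stats: Dict[Tuple[str, str], PairStats] = {}
    for (src, dst), ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < 2:
            mu, cv = 0.0, float("inf")   # too few samples to judge periodicity
        else:
            mu = mean(gaps)
            cv = pstdev(gaps) / mu if mu else float("inf")
        stats[(src, dst)] = PairStats(src, dst, len(ts), mu, cv,
                                      len(hosts_per_dst[dst]), bytes_out[(src, dst)])
    return stats


def detect_beacons(flows: List[Flow], min_connections: int = 8,
                   max_cv: float = 0.1, max_prevalence: int = 3) -> List[PairStats]:
    """Flag pairs that are persistent (many connections), periodic (low cv)
    and rare across the fleet (few hosts talk to that destination)."""
    return sorted(
        (s for s in summarize(flows).values()
         if s.connections >= min_connections
         and s.cv <= max_cv
         and s.dst_prevalence <= max_prevalence),
        key=lambda s: (s.cv, -s.connections),
    )


if __name__ == "__main__":
    for a in detect_beacons(build_flows()):
        print(f"{a.src} -> {a.dst}: {a.connections} conns, "
              f"period {a.mean_interval:.0f}s, cv {a.cv:.3f}, seen from {a.dst_prevalence} host(s)")
```

On the constructed log this yields a single alert, ws-07 to 203.0.113.10:443, while the hourly backup (cv of 0 but contacted by fifteen hosts) and the irregular CDN and news browsing produce none. That is the trade the paragraph describes: one low-noise signal instead of thousands of signature hits. The caveats are the ones a practitioner would expect: an attacker who adds large random sleep intervals defeats the cv threshold, so in practice the jitter tolerance is widened and combined with other weak signals (byte-count uniformity, destination age, TLS fingerprint), and the prevalence filter only works with a fleet-wide view of the flow logs.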
Advanced persistent threats (APTs) are attracting increasing attention from researchers, primarily in the industrial security sector. APTs are cyberattacks executed by sophisticated and well-resourced adversaries targeting specific information held by high-profile companies and governments, typically as part of a long-term campaign involving various stages. To a large extent, the academic community has neglected the specificity of these threats, so an objective treatment of APTs is lacking and different parties refer to them as different things. Since there are many different opinions on what constitutes an APT in the commercial market, a clear definition is necessary. In this article, we adopt the definition given by the United States National Institute of Standards and Technology (NIST), namely that an APT is: "An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives." This definition provides a good basis for distinguishing between traditional threats and APTs. The distinctive characteristics of APTs are: specific targets and clear objectives; highly organized and well-resourced attackers; a long-term campaign with repeated attempts; and stealthy and evasive attack techniques. Below is a detailed description of each of these features.
Specific targets and clear objectives: APT attacks are highly targeted and always have a clear objective. Targets are usually governments or organizations holding substantial intellectual property. Based on the number of APT attacks discovered by FireEye in 2013, the top ten industry verticals targeted were education, finance, high-tech, government, consulting, energy, chemical, telecommunications, health and aerospace. While traditional attacks spread as widely as possible to improve their chances of success and maximize the harvest, an APT attack focuses only on its predefined targets, thereby limiting its attack scope. As for objectives, APTs typically seek digital assets that confer a competitive or strategic advantage, such as national security data, intellectual property and trade secrets, whereas traditional threats mainly look for personal information such as credit card data or, more generically, any valuable information that facilitates financial gain.

Highly organized and well-resourced attackers: The actors behind APTs are usually a group of skilled hackers working in a coordinated manner. They may belong to a government or military cyber unit, or be hired as cyber mercenaries by governments and private companies. They have sufficient resources, both financial and technical, which gives them the ability to work over a long period of time and to obtain (through development or purchase) zero-day vulnerabilities and attack tools. When state-sponsored, they may even operate with the support of the military or intelligence services.

A long-term campaign with repeated attempts: An APT attack is usually a long-term campaign, which may remain undetected in the target's network for several months or years. APT actors attack their targets persistently and repeatedly adapt their efforts to finish the job when a previous attempt fails. This differs from traditional threats, since traditional attackers often target a wide range of victims and will simply move on to something less secure if they cannot penetrate the initial target.

Stealthy and evasive techniques: APT attacks are stealthy and have the ability to remain undetected, hiding within the company's normal network traffic and interacting just enough to achieve the defined objectives. For example, APT actors can use zero-day exploits to evade signature-based detection and encryption to hide their network traffic. This is different from traditional attacks, in which attackers typically employ "smash and grab" tactics that alert defenders.

Many security professionals view the term "advanced persistent threat" (APT) as primarily a marketing term and do not recognize that advanced persistent threats exist: threats that have bypassed their traditional security protections and reside undetected on their systems. Organizations face an evolving threat landscape that they are unprepared to deal with. They must respond to these threats with appropriate techniques and technologies. This research will enable security practitioners to understand the new threats they face and the best practices they should follow to reduce the risk of compromise by advanced adversaries directly targeting their organizations. The advanced persistent threat is a concept that has changed the essence of cyber threats. As the world becomes entirely dependent on digital functions, it is time to understand the current state of the threat around us. Additionally, organizations are under increasing pressure to invest more in cybersecurity, yet, judging from the most recent literature, it is difficult to know where to invest. Traditional security measures focus on creating layers of security between the Internet and the organization's network. Even though this approach remains relevant and must be maintained, it is not, by itself, sufficient to ensure security against the current threat.
Although it is impossible to ensure complete security, the security mindset must change, through an understanding of how modern attackers behave, what kinds of resources they use, and what they are actually looking for. Only then can confidentiality, integrity and availability be maintained and damage mitigated. The main objective of the thesis is to propose mitigation solutions against modern threats in a proactive manner. Unlike traditional defensive measures, the proposed solution is designed on the assumption that the attacker is already inside the organization's network. Accordingly, its main components are the segmentation of data, so that valuable information is not lost wholesale, and the allocation of resources to high-capability detection. This research includes an extensive literature review that introduces the concept of the advanced persistent threat and its relationship to organizational security. From this, actual proactive mitigation solutions are synthesized by understanding the nature of APTs, complementing carefully chosen related solutions, and using previously identified best practices as a basis. This study has become critical due to the dangerously evolving nature of APTs in modern society. Individuals and organizations around the world are already losing resources because of their ignorance of the sophisticated methods applied by APT attackers. Common intrusion detection methods are not capable of detecting such advanced persistent threats. A new approach is needed, one that takes into account the progressive, multi-stage character of this type of threat and links analysis methods to attack characteristics. Existing research on APTs mostly comes from the industrial security community. Traditional security vendors (e.g., McAfee, Symantec) and emerging APT-focused companies (e.g., FireEye, Mandiant) regularly publish technical reports documenting cases of APT attacks. Thonnard et al.
conducted an in-depth analysis of email attacks identified as targeted attacks by Symantec, and through this analysis they showed that a targeted attack is..