Disclaimer: I work at a company developing security software to mitigate against targeted attacks.
Some of the methods we use are similar to those used by attackers (when clients want to test their systems).
For example, one client asked us to test their security by doing targeted [spear] phishing attacks. We emailed only the IT department with a combination of 2 emails. One was an apparently mis-addressed email to the board with a link to a PDF named something like Executive bonus summary.pdf, the other purported to be a new external portal for the company to use during the Olympics ("Please check your domain credentials work correctly..."). With a quick search on social media, we could've made user-specific emails but that would be time-consuming and ultimately wasn't necessary.
We registered a domain name that was visually similar to the target's, then used it to host fake pages (styled identically to the real ones) and send DKIM-signed emails (to avoid spam filters).
Of the techies targeted, 43% gave us their corporate login details, 54% tried to download the bogus PDF (the PDF was just garbage bytes so it looked like a corrupt download; one guy tried 5 times using Firefox, IE and finally wget).
We were told that only one user had detected the attack and reported it to management (but only after giving us their credentials).
So... Getting into the company is not impossible. As for getting information out, our normal sales pitch includes a demo of us bypassing company firewalls/traditional DLP. I don't believe we've ever failed unless they're air-gapped or using a good data diode (although the rate of exfiltration varies. In one case, we had a restrictive white-listing firewall, so had the software encode documents into images and keep updating a profile picture on Google. Then we watched the profile externally and downloaded each chunk).
That said, we've found time and again that software can be worked around but users are consistently the weakest link.
So to answer your question, a targeted attack includes the personal touch. Custom websites designed to trick users, research into what software (and release) is being used to check for known vulnerabilities, investigations on social media, social engineering, etc, etc.
Another one worth considering although less common is bribery/blackmail. If you're talking about state actors, it's not inconceivable.
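A defender-side check for the look-alike domain described above, as an added example that is not part of the original answer: it flags sender domains that resemble the organisation's own, which matters because a valid DKIM signature only proves the mail was signed by the sending domain, not that the domain is yours. The domain names, the confusables table and the distance threshold are constructed assumptions for illustration.

```python
import unicodedata

# Assumption: a small look-alike table for illustration, not the full Unicode confusables list.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def skeleton(domain):
    """Lower-case, decode punycode labels and fold look-alike characters."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep the raw label if it is not valid punycode
        labels.append(label)
    text = unicodedata.normalize("NFKC", ".".join(labels))
    for src, dst in CONFUSABLES.items():
        text = text.replace(src, dst)
    return text

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender_domain, protected, max_distance=2):
    """Return 'own', 'homoglyph', 'near-miss', 'embedded' or 'unrelated'."""
    sender = sender_domain.lower().rstrip(".")
    if sender == protected or sender.endswith("." + protected):
        return "own"
    s, p = skeleton(sender), skeleton(protected)
    if s == p:
        return "homoglyph"   # identical once look-alike characters are folded
    if edit_distance(s, p) <= max_distance:
        return "near-miss"   # typo-style variant (swap, drop or add a character)
    if p.split(".")[0] in s:
        return "embedded"    # organisation name reused inside another domain
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample: From-header domains on inbound mail; all names are hypothetical.
    for d in ["mail.example-corp.com", "examp1e-corp.com", "exarnple-corp.com",
              "exampel-corp.com", "example-corp.com.portal-check.net", "partner.org"]:
        print(f"{d:40} {classify(d, 'example-corp.com')}")
```

Anything other than "own" or "unrelated" is worth quarantining or tagging as external before it reaches a user, regardless of the DKIM result.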