We have all the standard firewalls and EDRs, but I’m terrified of a "low and slow" attack where the intruder stays hidden for months. What are the specific, non-obvious indicators that an APT has established a foothold? What should our threat-hunting team be looking for in the logs?
3 answers
Look for "DNS Beaconing." APTs often communicate with their Command & Control (C2) servers using tiny, regular DNS heartbeats. They are easy to miss because they look like standard web traffic. Another big one is "Internal Lateral Movement" via legitimate tools like PowerShell or WMI. If you see a service account logging into a workstation it has no business being on at 3:00 AM, that’s your smoking gun. APTs don't use malware to move around; they use your own admin tools against you.
Is it worth setting up "Honeypots" or "Canary Files" to trap these intruders, or does that just create more work for a small security team?
Monitor your outbound "Data Egress." APTs usually compress and "stage" data before exfiltrating it. Look for large encrypted ZIP files in temp folders.
Precisely, Nancy. The "Staging" phase is the best time to catch them. If you see an unusual amount of disk activity on a file server followed by an outbound spike, it’s time to pull the plug.
Christopher, to answer your question, "Canary Tokens" are a low-effort, high-reward strategy. Place a fake "Salary_2024.xlsx" file on a restricted server. If that file is ever opened, it triggers an instant alert. Since no legitimate employee should be touching it, any alert is a high-fidelity signal of an intruder. It's much easier to manage than a full-scale honeypot and is incredibly effective at catching APTs during their "Data Discovery" phase.