APT / Nation-State Intrusion Response Quickstart
Time-boxed response path for a suspected advanced persistent threat. APT incidents reward patience and thoroughness over speed: the fastest short-term containment is often the cause of failed long-term eradication. This path emphasizes TTP characterization, dwell-time hunting, and assume-breach recovery.
First 15 Minutes
Validate the APT Hypothesis
Critical: Confirm the observations that triggered the APT classification: custom or non-public tooling, targeted rather than opportunistic behavior, long-dwell indicators, anti-forensics, or a match to a nation-state advisory. APT classification carries operational and legal implications: do not apply the label unless the evidence supports it, and do not under-classify when it does.
Activate Closed Incident Bridge
Critical: Convene a closed bridge with the SOC lead, TI lead, legal counsel, and CISO. Restrict incident-channel access on a need-to-know basis and assume the adversary may be reading internal Slack/Teams/email; if the identity provider itself is suspect, move the bridge to an out-of-band channel that does not authenticate through it. Agree on a private attribution posture for the investigation phase; make no public attribution statements without explicit approval.
Preserve Volatile Evidence Before Disturbance
Critical: APT tooling often lives only in memory or depends on network connections that disappear the moment containment begins. Before any containment step, capture memory from suspected-compromised hosts and snapshot active network connections together with their owning processes (netstat -anob on Windows, ss -tanp on Linux). Lost volatile evidence is hard to recreate; rushed containment that destroys it makes the investigation harder, not shorter.
First 60 Minutes
Build Initial TTP Profile
Critical: Map each confirmed technique to MITRE ATT&CK tactics (Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfiltration). Identify 3-5 candidate threat groups whose tracked tradecraft matches the observed TTPs; do not rush to a single attribution, since tooling overlaps and false flags are common. For each candidate, build a hunt list of the additional tooling and persistence that group is known to use and that you have not yet looked for.
Pivot Through Attacker Infrastructure
From each confirmed IoC, pivot through passive DNS, WHOIS/registrant data, TLS certificate data (Certificate Transparency logs via crt.sh, plus internet-scan search engines such as Censys and Shodan), and threat-intel feeds to discover attacker infrastructure clusters. Record every pivot and the confidence behind each derived IoC; confidence drops with every hop and collapses when a pivot passes through shared hosting, a CDN, or a dynamic-DNS provider, so stop pivoting at such hubs rather than blocking everything co-hosted there. Engage the threat-intel team for ISAC and vendor-private IoC sharing under NDA.
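The pivot ledger described above, as an added example that is not part of the quickstart: a breadth-first domain to IP to co-hosted-domain pivot over passive-DNS records, where every derived IoC is written down with the hop it came from and a confidence score that decays per hop and stops at hubs (an IP resolving many unrelated domains). The records, the decay factor, the hub threshold and the RFC 5737 addresses are all constructed assumptions; real work would pull the same (domain, ip) pairs from a passive-DNS provider.

```python
"""Pivot ledger over constructed passive-DNS data.

Added example, not part of the quickstart. Every hop away from a confirmed IoC
is recorded with its origin, hop depth and a confidence score that decays per
hop and stops at hubs (an IP resolving many unrelated domains: shared hosting,
a CDN, a dynamic-DNS provider). Real work would query a passive-DNS provider;
the records below are constructed and use RFC 5737 documentation addresses.
"""
from collections import defaultdict

# Constructed passive-DNS observations: (domain, resolved_ip).
PDNS = [
    ("update-cdn-example.test", "192.0.2.10"),   # confirmed C2 domain (seed)
    ("telemetry-sync.test", "192.0.2.10"),       # co-hosted on a dedicated IP
    ("win-helper-svc.test", "192.0.2.10"),
    ("telemetry-sync.test", "203.0.113.5"),      # also parked on a shared host
] + [(f"tenant{i}.test", "203.0.113.5") for i in range(40)]  # unrelated tenants

HUB_THRESHOLD = 20      # an IP with this many domains is shared infrastructure
DECAY = 0.6             # confidence multiplier applied at every hop
MIN_CONFIDENCE = 0.2    # do not pivot further below this


def build_index(records):
    dom_to_ips, ip_to_doms = defaultdict(set), defaultdict(set)
    for domain, ip in records:
        dom_to_ips[domain].add(ip)
        ip_to_doms[ip].add(domain)
    return dom_to_ips, ip_to_doms


def pivot(seed_domain, records, max_hops=3):
    """Breadth-first domain -> IP -> co-hosted domains pivot; returns the ledger."""
    dom_to_ips, ip_to_doms = build_index(records)
    ledger = [{"ioc": seed_domain, "type": "domain", "hop": 0, "via": None,
               "confidence": 1.0, "note": "confirmed seed"}]
    seen_domains = {seed_domain}
    frontier = [(seed_domain, 1.0, 0)]
    while frontier:
        domain, conf, hop = frontier.pop(0)
        if hop >= max_hops:
            continue
        for ip in sorted(dom_to_ips[domain]):
            is_hub = len(ip_to_doms[ip]) >= HUB_THRESHOLD
            ip_conf = round(conf * DECAY, 3)
            ledger.append({"ioc": ip, "type": "ip", "hop": hop + 1, "via": domain,
                           "confidence": ip_conf,
                           "note": "hub: shared hosting, do not pivot through"
                                   if is_hub else "dedicated"})
            if is_hub or ip_conf < MIN_CONFIDENCE:
                continue            # record the IP, but never expand a hub
            for sibling in sorted(ip_to_doms[ip]):
                if sibling in seen_domains:
                    continue
                seen_domains.add(sibling)
                sib_conf = round(ip_conf * DECAY, 3)
                ledger.append({"ioc": sibling, "type": "domain", "hop": hop + 2,
                               "via": ip, "confidence": sib_conf, "note": "co-hosted"})
                frontier.append((sibling, sib_conf, hop + 2))
    return ledger


def actionable_domains(ledger, floor=0.3):
    """Derived domains confident enough to block on or hunt for."""
    return sorted(e["ioc"] for e in ledger
                  if e["type"] == "domain" and e["confidence"] >= floor)


def hubs(ledger):
    return sorted({e["ioc"] for e in ledger if e["note"].startswith("hub")})


if __name__ == "__main__":
    for entry in pivot("update-cdn-example.test", PDNS):
        print(entry)
```

With these constructed records the seed yields two co-hosted domains on the dedicated IP, while the forty tenants behind the shared host never enter the ledger; the shared IP itself is recorded, flagged as a hub, and not expanded.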
Decide LEA Coordination Posture
If attribution points to a nation-state or nation-state-adjacent actor, decide now whether to engage law enforcement (LEA) or a national CSIRT (CISA, NCSC, CERT-FR, BSI). This is a legal and strategic decision; get legal counsel and the CISO aligned before acting. If engagement is chosen, designate a single point of contact and start a document trail for every LEA-relevant observation.
First 4 Hours
Extend Investigation Window to Retention Limit
Critical: APT actors commonly dwell for months before detection. Extend the investigation window to the full retention of each log source and document every gap where retention is shorter than the suspected dwell time. If key retention is short (for example EDR 30 days, DNS 7 days), initiate log recovery from backup or SIEM cold storage immediately, and treat the uncovered period as unknown rather than clean.
Hunt LOLBin Abuse and Low-Prevalence Persistence
Critical: Hunt for living-off-the-land patterns (anomalous parent-child chains such as Office or web-server processes spawning shells, rare command-line patterns, LSASS handle access from unexpected processes) and low-prevalence persistence (WMI event subscriptions, scheduled task XML with the Hidden flag set, service DLLs in unusual paths, COM hijacking via per-user CLSID overrides, AppInit_DLLs, IFEO debugger hijacks). APT persistence is usually unique per host or campaign; generic signatures miss it, so stack by prevalence and investigate what appears on only one or two hosts.
Hunt Cloud Identity Persistence
Critical: Hunt for long-dwell OAuth app grants (especially tenant-wide admin consents), mailbox rules that forward or redirect to external addresses, audit-suppression changes (unified audit log ingestion disabled, mailbox audit bypass), unexplained administrative-role assignments, new credentials added to service principals, and changes to federation trusts or token-signing certificates in Entra ID. Cloud identity persistence is frequently the APT foothold that survives an endpoint-only cleanup.
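The cloud identity hunt above as detection logic over sample audit records, an added example that is not part of the quickstart. The record shape is a simplified stand-in loosely modelled on Microsoft 365 unified audit log and Entra ID audit exports; the field names, operations, actors, domains and timestamps are constructed assumptions. Findings are ordered by how long before the first alert they occurred, because the oldest grants and rules are the ones an endpoint-only cleanup leaves in place.

```python
"""Cloud identity persistence hunt over constructed audit records.

Added example, not part of the quickstart. The record shape is a simplified
stand-in loosely modelled on Microsoft 365 unified audit log / Entra ID audit
exports; field names and the events themselves are constructed. Findings are
ordered oldest-first relative to the first alert.
"""
from datetime import datetime, timezone

ORG_DOMAINS = {"corp.example"}                       # assumed tenant domains
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Application Administrator", "Cloud Application Administrator",
                    "Exchange Administrator"}
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
                "Files.Read.All", "Directory.ReadWrite.All", "offline_access"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}

FIRST_ALERT = datetime(2026, 4, 10, tzinfo=timezone.utc)   # constructed

# Constructed records: time, operation, actor, target, parameters.
RECORDS = [
    {"time": "2025-11-03T08:12:00Z", "op": "Consent to application", "actor": "admin1@corp.example",
     "target": "Mail Sync Helper",
     "params": {"ConsentType": "AllPrincipals", "Permissions": "Mail.Read offline_access User.Read"}},
    {"time": "2026-01-14T21:40:00Z", "op": "New-InboxRule", "actor": "cfo@corp.example",
     "target": "cfo@corp.example", "params": {"Name": "Sync", "ForwardTo": "archive@mail-collector.test"}},
    {"time": "2026-02-02T03:05:00Z", "op": "Set-AdminAuditLogConfig", "actor": "admin2@corp.example",
     "target": "tenant", "params": {"UnifiedAuditLogIngestionEnabled": "False"}},
    {"time": "2026-03-20T17:30:00Z", "op": "Add member to role", "actor": "admin2@corp.example",
     "target": "svc-backup@corp.example", "params": {"Role.DisplayName": "Global Administrator"}},
    {"time": "2026-03-21T09:00:00Z", "op": "Add service principal credentials", "actor": "admin2@corp.example",
     "target": "Mail Sync Helper", "params": {"KeyType": "Password"}},
    # benign noise that must not fire
    {"time": "2026-04-01T10:00:00Z", "op": "New-InboxRule", "actor": "user@corp.example",
     "target": "user@corp.example", "params": {"Name": "HR", "MoveToFolder": "HR"}},
    {"time": "2026-04-02T10:00:00Z", "op": "Consent to application", "actor": "user@corp.example",
     "target": "Teams Poll", "params": {"ConsentType": "Principal", "Permissions": "User.Read"}},
    {"time": "2026-04-03T10:00:00Z", "op": "Add member to role", "actor": "admin1@corp.example",
     "target": "helpdesk@corp.example", "params": {"Role.DisplayName": "Helpdesk Administrator"}},
]


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_external(address):
    return address.split("@")[-1].lower() not in ORG_DOMAINS


def classify(rec):
    """Return a reason string if the record is a persistence lead, else None."""
    op, p = rec["op"], rec["params"]
    if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        ext = [v for k, v in p.items() if k in FORWARDING_PARAMS and is_external(v)]
        if ext:
            return f"external forwarding to {', '.join(ext)}"
    if op == "Consent to application":
        scopes = set(p.get("Permissions", "").split()) & RISKY_SCOPES
        if scopes and p.get("ConsentType") == "AllPrincipals":   # tenant-wide admin consent
            return f"tenant-wide consent with {', '.join(sorted(scopes))}"
    if op == "Add member to role" and p.get("Role.DisplayName") in PRIVILEGED_ROLES:
        return f"privileged role assignment: {p['Role.DisplayName']}"
    if op == "Set-AdminAuditLogConfig" and p.get("UnifiedAuditLogIngestionEnabled") == "False":
        return "audit suppression: unified audit log ingestion disabled"
    if op == "Add service principal credentials":
        return "new credential on service principal"
    return None


def hunt(records, first_alert=FIRST_ALERT):
    findings = []
    for rec in records:
        reason = classify(rec)
        if reason:
            dwell = (first_alert - parse_time(rec["time"])).days
            findings.append({"days_before_alert": dwell, "op": rec["op"], "actor": rec["actor"],
                             "target": rec["target"], "reason": reason})
    return sorted(findings, key=lambda f: -f["days_before_alert"])


if __name__ == "__main__":
    for f in hunt(RECORDS):
        print(f"{f['days_before_alert']:4d}d  {f['op']:36s} {f['target']:28s} {f['reason']}")
```

The tenant-wide mail consent surfaces first, five months before the alert; the later role assignment and service-principal credential share an actor with the audit-suppression change, which is the kind of linkage that turns five findings into one cluster to scope.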
Plan the Assume-Breach Reset
Begin planning the domain-wide reset: a krbtgt reset performed twice, not once (the KDC accepts tickets encrypted with either the current or the previous krbtgt key, so a single reset leaves golden tickets forged from the stolen key valid; wait for the first reset to replicate to every DC, and ideally for the maximum ticket lifetime, before the second), service-account rotation, domain-admin and Entra ID global-admin reset, organization-wide refresh-token revocation, and rebuild of any compromised-tier systems. Sequence carefully with application owners; a rushed identity reset is a common cause of business disruption that prolongs the incident.
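Why the krbtgt reset has to happen twice, shown with a toy model, as an added example that is not part of the quickstart. The model keeps only the one Active Directory property that matters here: the krbtgt account retains its current and previous key, and a ticket under either is accepted. Keys are random bytes, "encryption" is an HMAC tag, and the realm and principal names are constructed; this illustrates the key-history logic and is not a Kerberos implementation.

```python
"""Why the krbtgt reset is done twice.

Added example, not part of the quickstart. ToyKDC mirrors the one property of
Active Directory that matters here: the krbtgt account retains its current and
previous key, and a ticket encrypted under either is accepted. A golden ticket
forged from a dumped krbtgt key therefore survives one reset and is rejected
only after the second. Keys are random bytes and "encryption" is an HMAC tag;
this is a model of the key-history logic, not a Kerberos implementation.
"""
import hashlib
import hmac
import os


def seal(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()


class ToyKDC:
    def __init__(self):
        self.current = os.urandom(32)   # krbtgt key, kvno 1
        self.previous = None
        self.kvno = 1

    def reset_krbtgt(self):
        """One password reset: current key becomes previous, old previous is gone."""
        self.previous, self.current = self.current, os.urandom(32)
        self.kvno += 1

    def issue_tgt(self, principal):
        body = principal.encode()
        return body, seal(self.current, body)

    def validate_tgt(self, tgt):
        body, tag = tgt
        # AD accepts tickets under the current OR the previous krbtgt key.
        return any(k is not None and hmac.compare_digest(seal(k, body), tag)
                   for k in (self.current, self.previous))


def forge_golden_ticket(stolen_krbtgt_key, principal="Administrator@CORP.EXAMPLE"):
    """Attacker side: a TGT minted offline with the stolen key (constructed realm)."""
    body = principal.encode()
    return body, seal(stolen_krbtgt_key, body)


def demonstrate():
    kdc = ToyKDC()
    stolen = kdc.current                          # attacker dumped the krbtgt hash
    golden = forge_golden_ticket(stolen)
    legit = kdc.issue_tgt("alice@CORP.EXAMPLE")   # an ordinary user's current TGT
    results = {"golden_before": kdc.validate_tgt(golden),
               "legit_before": kdc.validate_tgt(legit)}

    kdc.reset_krbtgt()                            # first reset
    # Both still validate: the key history is what keeps users logged in across a
    # reset, and it keeps the golden ticket alive too.
    results["golden_after_first"] = kdc.validate_tgt(golden)
    results["legit_after_first"] = kdc.validate_tgt(legit)

    # In real life, wait here: full replication of reset 1 to every DC, and ideally
    # the maximum TGT lifetime (10 hours by default), so legitimate tickets have
    # been renewed under the new key before reset 2 invalidates the old one.
    kdc.reset_krbtgt()                            # second reset
    results["golden_after_second"] = kdc.validate_tgt(golden)
    results["legit_after_second"] = kdc.validate_tgt(legit)
    return results


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The same run also shows the cost of the second reset: any legitimate ticket still sealed under the original key is rejected along with the golden ticket, which is why the second reset is timed after replication and ticket renewal rather than fired immediately after the first.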
DFIR Assist — APT / Nation-State Intrusion Response Quickstart | Printed 4/19/2026