APT sign No. 4: Discovering unexpected data bundles
APTs often aggregate stolen data at internal collection points before moving it outside. Look for large chunks of data (we're talking gigabytes, not megabytes) appearing in places where that data should not be, especially if it's compressed in archive formats your company does not normally use.
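One way to hunt for this sign, as an added example rather than anything from the original article: walk a directory tree and flag archives by their leading bytes (so a renamed archive still counts) that are either over a size threshold or in a format outside the company's usual set. The directory layout, the `scan_sample` fixture and the 1 KB threshold are constructed for the demo; a real run would point at file shares or staging paths with a gigabyte threshold.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes of common archive formats; keyed on headers, not extensions, since staged archives may be renamed.
ARCHIVE_SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}

def archive_type(path):
    """Return the archive format name if the file header matches, else None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for sig, name in ARCHIVE_SIGNATURES.items():
        if head.startswith(sig):
            return name
    return None

def find_suspicious_bundles(root, min_bytes, allowed=frozenset({"zip"})):
    """List (path, format, size) for archives under root that reach min_bytes or use a non-allowed format."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                size, fmt = os.path.getsize(path), archive_type(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep scanning
            if fmt and (size >= min_bytes or fmt not in allowed):
                hits.append((path, fmt, size))
    return sorted(hits)

def build_sample_tree():
    """Constructed fixture (hypothetical layout): a 7z archive renamed to .log and padded, a small zip, a text file."""
    root = tempfile.mkdtemp(prefix="bundle_scan_")
    staging = Path(root, "Users", "Public", "tmp")
    staging.mkdir(parents=True)
    (staging / "update.log").write_bytes(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 4096)
    (Path(root) / "report.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 16)
    (Path(root) / "notes.txt").write_bytes(b"just text\n")
    return root

def scan_sample(min_bytes=1024):
    """Build the fixture and scan it; a production run would use a gigabyte threshold."""
    return find_suspicious_bundles(build_sample_tree(), min_bytes)
```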
APT sign No. 5: Detecting pass-the-hash hacking tools
Although APTs don't always use pass-the-hash attack tools, they frequently pop up. Strangely, after using them, hackers often forget to delete them. If you find pass-the-hash attack tools hanging around, it's OK to panic a little, or at least treat them as evidence that warrants further investigation.
If I had to think of a sixth indicator -- there's no charge for this one -- it would be focused spear-phishing campaigns against a company's employees using malformed Adobe Acrobat PDF files. This is the original causative agent in the vast majority of APT attacks. I didn't include it in the original five signs above because Adobe Acrobat is exploited all over the place. But if you hear of a focused spear-phishing attack, especially if a few executives have reported being duped into clicking on an attached PDF file, start looking for the other five signs and symptoms. It may be your canary in the coal mine.
That said, I hope you never have to face cleaning up from an APT attack. It's one of the hardest things you and your enterprise can do. Prevention and early detection will reduce your suffering.
This story, "5 signs you've been hit with an advanced persistent threat," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.