Getting rid of an APT isn't that hard; doing it without causing operational interruption is the difficult part. To that end, inventory all applications and services before mounting your mass-cleansing remediation event across the network. Assign ownership -- that is, determine who is responsible for answering questions about each resource and for keeping it up and running. Document which user and service accounts each one needs in order to keep functioning, because those are the credentials you will be changing on remediation day.
In addition, assign criticality: Which apps and services must remain active with the least amount of downtime? What is the worst-case scenario acceptable to senior management? In one recent instance, the unacceptable event was the late filing of public financial statements, but everything up to that point was considered reasonable. Other companies define acceptable downtime of their mission-critical apps in hours.
Next, inventory users, computers, service accounts, network devices, and Internet connection points. How many do you have, and where are they? Develop lifecycle management policies and procedures around all of them, from creation and ownership to deletion once they're no longer needed.
Most environments have too many objects, no clear ownership, and no way to tell which existing items are justified or needed. Break the cycle. No action is as secure as removing an object you don't need, and an attacker cannot abuse an account that no longer exists. For example, companies often end up significantly reducing the number of elevated (administrative) accounts in their environments. It's great to pare down to the bare minimum during remediation, but how do you keep it that way over the long term?
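One answer to the "how do you keep it that way" question is to record the pared-down privileged-group membership as a baseline and re-check it on a schedule. The following PowerShell script is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the baseline path and group list are assumptions you would adjust.

```powershell
# Added example (not from the original article): alert on drift in privileged
# group membership against an approved baseline. Assumes the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumed location for the approved-membership baseline.
$BaselinePath = 'C:\SecOps\privileged-baseline.json'

# Groups whose membership should be justified and minimal (extend as needed).
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators',
    'Server Operators', 'DnsAdmins'
)

function Get-PrivilegedMembership {
    $result = @{}
    foreach ($g in $PrivilegedGroups) {
        # -Recursive expands nested groups, so members hidden one level down
        # are counted too.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName | Sort-Object
        $result[$g] = @($members)
    }
    return $result
}

$current = Get-PrivilegedMembership

if (-not (Test-Path $BaselinePath)) {
    # First run after remediation: record the pared-down state as the baseline.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
$drift = @()
foreach ($g in $PrivilegedGroups) {
    $approved = @($baseline.$g)
    $added    = $current[$g] | Where-Object { $_ -notin $approved }
    $removed  = $approved    | Where-Object { $_ -notin $current[$g] }
    foreach ($a in $added)   { $drift += [pscustomobject]@{ Group = $g; Account = $a; Change = 'ADDED' } }
    foreach ($r in $removed) { $drift += [pscustomobject]@{ Group = $g; Account = $r; Change = 'REMOVED' } }
}

if ($drift.Count -eq 0) {
    Write-Host 'No privileged-group drift.'
} else {
    $drift | Format-Table -AutoSize
    # Non-zero exit so a scheduled task or monitoring job can raise an alert.
    exit 1
}
```

Run it once right after remediation to write the baseline, then daily from a scheduled task. Any ADDED row is either an approved change (update the baseline through your change process) or exactly the kind of privilege creep, or attacker re-entry, the check exists to catch.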
Finally, before remediation day, make sure patching is up-to-date. This can be done ahead of time and is beneficial for many reasons beyond getting rid of an APT. Conduct health checks of your network, your WAN, and your most important infrastructure systems, including directory replication, since you will be resetting a great many credentials at once. You want the network and environment operating at top efficiency before you try to push big changes on remediation day.
Game day: Hit the attackers fast and hard
Remediation day should be planned far ahead of time. Have a defined, well-tested set of steps, and plot out timelines and responsibilities. Everyone should know what they are doing and when. At the very least, remediation days usually start with disconnecting the company's network from the Internet, so the attackers lose their command-and-control channel and cannot react as their footholds are removed.
Take every known compromised system offline and rebuild it from scratch, from known-good media rather than from a backup taken after the intrusion began. Change all account passwords, including service accounts. Consider requiring two-factor authentication for elevated account use. Test all mission-critical applications and services with the new credentials before reconnecting to the Internet. Some companies go so far as to completely rebuild their LDAP/Active Directory infrastructures, which is really the only way to be confident the attackers hold no remaining credentials or backdoors in the directory and to significantly minimize the risk of re-exploitation.
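The "change all account passwords, including service accounts" step is where most remediation days stall, because nobody knows which service depends on which account. The PowerShell script below is an added example, not code from the original article: it rotates every enabled account in the domain, flags the ones that carry a service principal name as service accounts so their owners can reconfigure the dependent service, and resets the krbtgt account (the one that signs every Kerberos ticket), which is added practitioner advice rather than a step the article spells out. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and that service-account ownership was documented beforehand; the domain DN and log path are assumptions.

```powershell
# Added example, not from the original article: remediation-day credential
# rotation. Assumes the RSAT ActiveDirectory module, Domain Admin rights, and
# that service-account ownership was documented beforehand so the new secrets
# can be handed to the right people. Domain DN and log path are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'DC=corp,DC=example',
    [string]$LogPath    = 'C:\SecOps\rotation-log.csv'
)
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 24)
    # 64-entry alphabet so "byte % 64" introduces no modulo bias; bytes come
    # from the OS CSPRNG rather than Get-Random.
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# The operator's own account is rotated by hand at the end; krbtgt is handled
# separately below.
$skip = @($env:USERNAME, 'krbtgt')

# Every enabled account, human or service. An account with an SPN registered
# is treated as a service account: its new secret must reach the owner, and
# the dependent service must be reconfigured before it is restarted.
$accounts = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                -Properties servicePrincipalName |
            Where-Object { $_.SamAccountName -notin $skip }

$log = foreach ($acct in $accounts) {
    $isService = ($acct.servicePrincipalName.Count -gt 0)
    if (-not $PSCmdlet.ShouldProcess($acct.SamAccountName, 'Reset password')) { continue }

    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $acct -Reset -NewPassword $secure

    if ($isService) {
        # DPAPI-protect the secret to the account running this script; the
        # owner retrieves it from the log, and the log is destroyed afterwards.
        $stored = ConvertFrom-SecureString $secure
    } else {
        # Humans pick a fresh password at next logon; nobody needs the random one.
        Set-ADUser -Identity $acct -ChangePasswordAtLogon $true
        $stored = ''
    }
    [pscustomobject]@{
        Account         = $acct.SamAccountName
        ServiceAccount  = $isService
        ProtectedSecret = $stored
        RotatedAt       = (Get-Date).ToString('s')
    }
}
if ($log) { $log | Export-Csv -Path $LogPath -NoTypeInformation }

# krbtgt signs every Kerberos TGT. Reset it now and again once replication has
# completed; until the second reset, tickets issued under the old key still
# validate, so a single reset is not enough.
if ($PSCmdlet.ShouldProcess('krbtgt', 'Reset password (first of two)')) {
    $k = ConvertTo-SecureString (New-RandomPassword 32) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $k
}
```

Run it first with -WhatIf to see the full list of accounts it would touch; that list, cross-checked against the ownership inventory built before remediation day, is the test plan for the "test all mission-critical applications with the new credentials" step. The script deliberately leaves computer accounts alone (their machine passwords are rotated separately) and does nothing about two-factor authentication, which is a policy change on the elevated accounts rather than a password reset.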