Me when an APT shows up in a network I defend...
The truth is they usually take their time; you do some observing for a short period to identify new techniques and record any IOCs that appear, then you start blocking execution and traffic.
With real APTs that gets a little harder because they have exploits you may not know, but that's what EDR/XDR is for.
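The observe-then-block loop the post describes (record IOCs during the observation window, then block execution and traffic) as an added example, not the poster's own tooling. It assumes a constructed key=value log format for EDR process events, DNS queries and network connections, and a constructed watchlist; the hash, domain and IP values are placeholders (documentation ranges and `.invalid` names), not real indicators.

```python
"""Turn recorded IOCs into block decisions over sample log lines (added example)."""
from __future__ import annotations

from dataclasses import dataclass
import re

# Constructed IOC watchlist, the kind of thing recorded during the observation period.
# Every value is a placeholder: the hash is a repeated pattern, the domain uses the
# reserved .invalid TLD, and the IP is from the TEST-NET-3 documentation range.
WATCHLIST = {
    "sha256": {"deadbeef" * 8},
    "domain": {"update-cdn.example.invalid"},
    "ip": {"203.0.113.45"},
}

# Constructed log lines in an assumed key=value shape (not any vendor's format).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host=ws-12 event=process_start image=C:\\Users\\a\\tmp\\svc.exe sha256=" + "deadbeef" * 8,
    "2024-05-01T10:00:02Z host=ws-12 event=dns query=UPDATE-CDN.example.invalid.",
    "2024-05-01T10:00:03Z host=ws-07 event=net dst=203.0.113.45 dport=443",
    "2024-05-01T10:00:04Z host=ws-07 event=process_start image=C:\\Windows\\System32\\notepad.exe sha256=" + "ab" * 32,
    "2024-05-01T10:00:05Z host=ws-03 event=dns query=example.com",
]

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Decision:
    """One enforcement action derived from a watchlist hit."""
    host: str
    action: str          # "block_execution" or "block_traffic"
    indicator_type: str  # which watchlist bucket matched
    indicator: str       # the normalized value that matched


def parse(line: str) -> dict[str, str]:
    """Split a key=value log line into a dict; the leading timestamp has no '=' and is skipped."""
    return dict(KV.findall(line))


def normalize_domain(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; compare them canonically."""
    return name.rstrip(".").lower()


def evaluate(line: str, watchlist: dict[str, set[str]] = WATCHLIST) -> Decision | None:
    """Map one event to a block decision if it touches a recorded IOC, else None."""
    fields = parse(line)
    host = fields.get("host", "unknown")
    event = fields.get("event")
    if event == "process_start":
        digest = fields.get("sha256", "").lower()
        if digest in watchlist["sha256"]:
            return Decision(host, "block_execution", "sha256", digest)
    elif event == "dns":
        query = normalize_domain(fields.get("query", ""))
        if query in watchlist["domain"]:
            return Decision(host, "block_traffic", "domain", query)
    elif event == "net":
        dst = fields.get("dst", "")
        if dst in watchlist["ip"]:
            return Decision(host, "block_traffic", "ip", dst)
    return None


def triage(lines: list[str], watchlist: dict[str, set[str]] = WATCHLIST) -> list[Decision]:
    """Run every line through evaluate() and keep only the hits, in log order."""
    return [d for d in (evaluate(l, watchlist) for l in lines) if d is not None]


def hosts_to_isolate(decisions: list[Decision]) -> set[str]:
    """Hosts that executed watchlisted code (traffic-only hits stay on the watch stage)."""
    return {d.host for d in decisions if d.action == "block_execution"}


if __name__ == "__main__":
    for d in triage(SAMPLE_LOGS):
        print(f"{d.host}: {d.action} ({d.indicator_type}={d.indicator})")
    print("isolate:", sorted(hosts_to_isolate(triage(SAMPLE_LOGS))))
```

The split between `block_execution` and `block_traffic` mirrors the post: hash hits justify stopping the binary on the host, while domain and IP hits are handled at the network edge. Domain matching normalizes case and the trailing dot so a watchlist entry is not missed because a resolver logged it differently.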
Honestly, a lot of APT engagements are playbooked and mostly predictable.
It's the privateers that do wild stuff.
That sounds like bad news, cap'n!
For real though, are they just the "ransomware-your-system" type folks in it for the money? Would a homelab consisting of a few web services without financial info involved be something that'd catch their attention?
This is a longer conversation to be had... a honeypot may do it, but they are really looking for environments that LOOK like enterprise environments.
And yes, usually what I mean by privateers are these sorts of organizations.
There's a lot of ways to gain intel from them.