One of the greatest threats to cyber security is the relatively recent increase in intrusion campaigns conducted by well trained, well-funded and patient adversaries. These groups are known as advanced persistent threats and they are a growing concern for governments and industries around the world. APTs may be backed by terrorist organisations, hacktivists or even nation state actors, conducting covert cyber-warfare against other countries. Due to the advanced capabilities of these groups, a non-targeted, catch-all defence strategy is unlikely to be successful. Instead, potential targets of APTs must be able to research and analyse previous attacks by the groups in order to tailor a cyber defence triage process based on the attacker’s modus operandi. In this paper we attempt to do just that using Diamond Model and kill chain analysis to craft a course of action matrix for three example APT groups.