The biggest advantage that is often attributed to the threat (aka bad guys) is time. If they have patience then they have all the time in the world to find your weak spots and abuse them.
I think that’s changing.
We’re obviously no longer dealing with the hobbyist threat. We’re dealing with professionals who are in it for the money. Time is indeed money, which I submit makes the average bad guy use his structured attacks as seemingly fast as he can. They use the majority of their time on the front end and then execute their recon/attack as fast as they can risk.
That doesn’t mean that a particular targeted operation does not take time, but it is an interesting item to keep in mind. With that said, I suspect a bigger advantage they have is the playing field. It’s too easy to not see a targeted attack as the Signal:Noise ratio is spectacularly skewed and too hard to make sense of.
Phishing is a key example: Do we have an automated way of seeing a phish vs a targeted phish vs spam vs ham? We’re getting there but that is a tall order.