Network data shows how users, devices, and applications actually communicate. Network Detection and Response (NDR) solutions listen to that traffic, both packets and flow metadata, to surface attacker activity that other telemetry has missed.
What is Network Detection and Response (NDR)?
Network Detection and Response (NDR) is a solution focused on detecting and responding to anomalous activity and behavior in network traffic. NDRs analyze raw packets or traffic metadata for both east-west communication (between internal hosts) and north-south communication (crossing the perimeter). They can be deployed as a hardware appliance, as a software application, or as a mix of both where the vendor offers distributed sensors that feed a central analysis engine.
By combining signature analytics and machine learning, NDR tools can identify:
- Malware and ransomware that have no signature yet, identified from their network behavior rather than their bytes
- Abnormal traffic flows and patterns, such as those indicating lateral movement, data theft, or command-and-control (C2) activity
- Legacy or insecure protocols still in use, such as SSL 3.0, TLS 1.0/1.1, FTP, Telnet, SNMP v1/v2c, and SMBv1, as a network-hygiene check
Typically, an NDR offers the following key capabilities:
- Incident detection: flagging traffic anomalies and known-bad patterns so the team can act before an intrusion progresses
- Threat investigation: retaining connection history and patterns so analysts can reconstruct what happened during an incident
- Threat intelligence: collecting and analyzing internal and external threat data and correlating it with other security technologies
- Security alerts: notifications that give insight into security posture and potential threats
- Threat prevention: correlation with firewalls and other enforcement points to help block suspicious network traffic
How does NDR work?
NDR goes beyond traditional signature-based detection engines and uses artificial intelligence (AI) and machine learning (ML) to detect stealthy threats and help automate response activities. With these analytics, an NDR uses network packet data, which an attacker on a compromised host cannot easily alter, to:
- Identify malware without the use of signatures
- Model adversary tactics, techniques, and procedures (TTPs) and map these activities to a known framework, like MITRE ATT&CK
- Contextualize data by correlating events across time, users, and applications
- Stream security detections and threat correlations into a Security Information and Event Management (SIEM) tool
When integrated with other cybersecurity tools, such as Security Orchestration, Automation, and Response (SOAR) platforms, the NDR extends past a detection engine and supplies the network context that automated response actions need.
Network Detection and Response Challenges
NDRs offer visibility inside the enterprise network that can help detect modern threats. Many organizations face challenges when trying to implement NDR solutions, including the following:
- Immature analytics: To keep pace with the evolving threat landscape, the NDR solution must have robust and actionable analytics that can respond to new TTPs.
- Expanding attack surface: As organizations incorporate new technologies, like Internet of Things (IoT) devices, the NDR must understand normal traffic for these connected devices and applications.
- Cybersecurity skills gap: Many NDR tools require experience with their query languages and technology, which makes finding the right staff a challenge.
- Integrations: NDR solutions provide value when organizations can correlate the insights across their environment, yet proprietary schemas often make this impractical.
- High-volume logs: Enterprises produce a staggering amount of logs that can overwhelm NDRs without an intelligent approach to addressing duplicate information and data retention.
NDR and the Gartner SOC visibility triad
In 2015, while working on a Gartner paper, Anton Chuvakin identified three pillars necessary for security visibility, which eventually became known as the SOC visibility triad (or security visibility triad). Broader than detection and response alone, the model rests on the premise that organizations are more secure when they run detections across all three of the following pillars:
- Logs, like with SIEMs
- Network data, like with NDR tools
- Endpoint data, like with endpoint detection and response (EDR) tools
Much like the Swiss cheese model, the three technologies overlap and provide defense in depth for better coverage than any single tool. In the SOC visibility triad, NDR solutions provide data the other two do not capture: network metadata, which is generated off the host and therefore survives when an endpoint agent is disabled or its logs are tampered with.
Enhanced perspective
When sophisticated attackers compromise a device, the malware may hide in firmware or boot code that runs before the operating system and its EDR agent load. Living off the land (LOTL) attacks present a different blind spot: they use legitimate tools such as PowerShell or Windows Management Instrumentation (WMI) to run fileless payloads, so EDR telemetry may record only what looks like routine administration, leaving the threat actor undetected on the network.
With the SOC visibility triad, NDR supplements endpoint detection and provides coverage that identifies and tracks a device's communications from the moment it connects to the network. Additionally, since NDR solutions capture and analyze packet data, they can identify abnormalities indicating advanced attacks that use encrypted tunnels to reach C2 servers: even when the payload cannot be read, connection timing, sizes, destinations, certificate attributes, and handshake characteristics remain visible and can be compared with baseline traffic for the same protocols.
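The timing-based approach described above, as an added example that is not part of the original article or any vendor's product: the script below groups constructed connection metadata (timestamp, source, destination, port and outbound bytes, nothing from inside the TLS payload) by flow and flags flows whose inter-arrival gaps and request sizes are unusually regular, which is how a periodic implant check-in looks on the wire. The records, the 8-connection minimum and the 20% jitter threshold are assumptions made for illustration.

```python
"""Beacon detection from connection timing and size regularity.

Added example, not from the original article or any NDR vendor. The
connection records are constructed to resemble NDR/Zeek-style conn
metadata; only timestamps, endpoints and byte counts are used, so the
logic works even though the TLS payload itself is opaque.
"""
import statistics
from collections import defaultdict

BASE_TS = 1_700_000_000  # arbitrary epoch base for the constructed records


def _flow(src, dst, dport, offsets, sizes):
    return [{"ts": BASE_TS + o, "src": src, "dst": dst, "dport": dport, "bytes_out": b}
            for o, b in zip(offsets, sizes)]


# Constructed: 10.0.0.5 reaches 203.0.113.7:443 every ~60 s with a few seconds
# of jitter and a near-constant request size (implant check-in behaviour).
_BEACON_JITTER = [0, 2, -1, 3, 0, -2, 1, 2, -1, 0, 1, -2]
BEACON = _flow("10.0.0.5", "203.0.113.7", 443,
               [60 * i + j for i, j in enumerate(_BEACON_JITTER)],
               [310, 315, 312, 318, 311, 309, 314, 316, 312, 310, 313, 311])

# Constructed: 10.0.0.9 browses 198.51.100.2:443 in irregular bursts with
# widely varying request sizes (ordinary user traffic).
BROWSING = _flow("10.0.0.9", "198.51.100.2", 443,
                 [0, 3, 45, 47, 120, 121, 400, 402, 900, 950],
                 [1200, 5400, 800, 23000, 640, 9100, 1500, 300, 7700, 2600])

SAMPLE_CONNS = BEACON + BROWSING


def group_flows(records):
    """Bucket connection records by (src, dst, dst_port)."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r)
    return flows


def beacon_score(records):
    """Timing/size regularity for one flow, or None if there is too little data.

    jitter      = median absolute deviation of inter-arrival gaps / median gap
                  (0.0 means perfectly periodic)
    size_spread = (max - min) outbound bytes / median outbound bytes
    """
    ts = sorted(r["ts"] for r in records)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med_gap = statistics.median(gaps)
    if med_gap <= 0:
        return None
    mad = statistics.median(abs(g - med_gap) for g in gaps)
    sizes = [r["bytes_out"] for r in records]
    return {
        "count": len(ts),
        "interval_s": med_gap,
        "jitter": mad / med_gap,
        "size_spread": (max(sizes) - min(sizes)) / max(statistics.median(sizes), 1),
    }


def find_beacons(records, min_connections=8, max_jitter=0.2, max_size_spread=0.5):
    """Flag flows that are numerous and regular in both timing and size.

    The thresholds are assumptions; tune them against the organization's own
    baseline traffic before relying on them.
    """
    hits = []
    for key, recs in group_flows(records).items():
        s = beacon_score(recs)
        if (s and s["count"] >= min_connections
                and s["jitter"] <= max_jitter and s["size_spread"] <= max_size_spread):
            hits.append((key, s))
    return hits


if __name__ == "__main__":
    for (src, dst, port), s in find_beacons(SAMPLE_CONNS):
        print(f"{src} -> {dst}:{port} every ~{s['interval_s']}s, "
              f"{s['count']} conns, jitter={s['jitter']:.2f}")
```

Real implants add randomized sleep to defeat exactly this check, so the thresholds belong in a tunable baseline rather than a constant, and a hit still needs the corroborating metadata listed above (certificate attributes, server name, destination reputation) before it is worth an analyst's time.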
Continuous network visibility
By enriching network metadata, NDR solutions provide continuous visibility into every user, device, and technology communicating across the network. The analysis pipeline typically covers:
- Input sources: Incoming network traffic from network interfaces
- Packet analysis: Processing lower-level protocols as far down as the link layer
- Session analysis: Application-layer protocols, like HTTP and FTP
- File analysis: Dissecting content of files transferred over sessions
Further, an NDR can provide a comprehensive record of every connection seen on the wire, including:
- HTTP sessions with the requested URIs, user agents, key headers, MIME types, and server responses
- DNS requests with replies
- TLS/SSL certificates presented by servers
- Key content of SMTP sessions
- Kerberos activities
- SMB connection metadata
Advanced threat detection
NDRs can combine this deep network visibility with detection rules linked to Indicators of Compromise (IoCs). By correlating packet data with relevant log events, the NDR can identify threat activities like:
- Obfuscated malware without an active working signature
- Possible Webshell PUT or POST to unusual extensions
- DNS lookups for domains associated with cryptocurrency mining pools
- Remote Desktop Protocol (RDP) services reachable from the public internet
- File transfers involving credential material or network shares
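A concrete version of the record-and-rule combination described in the last two sections, as an added example that is not code from the original article or any NDR product: it parses constructed Zeek-style tab-separated logs (http, dns, conn and ssl; the field names follow that layout but are an assumption here) and runs four rules over them: webshell PUT/POST to script extensions, DNS lookups to a placeholder mining-pool watchlist, RDP sessions completed from outside the internal address ranges, and the legacy TLS version check from the hygiene list earlier in the article. The extension list, watchlist domains and internal ranges are illustrative, not real indicators.

```python
"""Rule-based detections over NDR connection metadata.

Added example, not code from the original article or from any NDR
product. The four logs below are constructed in a Zeek-style
tab-separated layout (a '#fields' header names the columns); the field
names, the webshell extension list, the mining-pool watchlist and the
internal address ranges are assumptions made for illustration.
"""
import ipaddress
from posixpath import splitext
from urllib.parse import urlsplit

# --- constructed sample logs (not real traffic) -----------------------------
HTTP_LOG = """#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tuser_agent\tstatus_code
1700000001.1\tC1\t198.51.100.9\t10.0.0.20\tGET\twww.corp.test\t/index.html\tMozilla/5.0\t200
1700000002.2\tC2\t198.51.100.9\t10.0.0.20\tPUT\twww.corp.test\t/uploads/cmd.aspx\tpython-requests/2.31\t201
1700000003.3\tC3\t10.0.0.31\t10.0.0.20\tPOST\twww.corp.test\t/api/login\tMozilla/5.0\t200
"""
DNS_LOG = """#fields\tts\tuid\tid.orig_h\tquery\tanswers
1700000010.0\tC4\t10.0.0.44\twww.corp.test\t10.0.0.20
1700000011.0\tC5\t10.0.0.44\tus.xmr-pool.example\t203.0.113.50
"""
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tconn_state
1700000020.0\tC6\t198.51.100.77\t10.0.0.15\t3389\ttcp\tSF
1700000021.0\tC7\t10.0.0.31\t10.0.0.15\t3389\ttcp\tSF
1700000022.0\tC8\t198.51.100.77\t10.0.0.15\t3389\ttcp\tS0
"""
SSL_LOG = """#fields\tts\tuid\tid.orig_h\tid.resp_h\tversion\tserver_name
1700000030.0\tC9\t10.0.0.31\t10.0.0.60\tTLSv10\tlegacy.corp.test
1700000031.0\tC10\t10.0.0.31\t10.0.0.61\tTLSv12\tapp.corp.test
"""

WEBSHELL_EXTS = {".asp", ".aspx", ".ashx", ".jsp", ".jspx", ".php", ".cgi"}  # illustrative
MINING_POOL_DOMAINS = ("xmr-pool.example",)  # placeholder watchlist, not real indicators
LEGACY_TLS_VERSIONS = {"SSLv3", "TLSv10", "TLSv11"}
# "Internal" is defined explicitly (RFC 1918 here, an assumption) rather than via
# ipaddress.is_global, which treats the documentation ranges used above as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Connection states in which the server actually answered (Zeek conn_state vocabulary).
# S0 is a SYN with no reply: a probe of a closed or filtered port, not an exposed service.
RESPONDED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}


def parse_log(text):
    """Parse a Zeek-style TSV log into dicts; '#fields' names the columns, other '#' lines are skipped."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def finding(rule, row, technique, detail):
    """One SIEM-ready record; 'technique' is the MITRE ATT&CK ID the rule maps to, if any."""
    return {"rule": rule, "uid": row["uid"], "ts": float(row["ts"]), "technique": technique, "detail": detail}


def rule_webshell_upload(http_rows):
    """PUT/POST whose target path ends in a server-side script extension (ATT&CK T1505.003)."""
    for r in http_rows:
        ext = splitext(urlsplit(r["uri"]).path)[1].lower()
        if r["method"] in {"PUT", "POST"} and ext in WEBSHELL_EXTS:
            yield finding("possible_webshell_upload", r, "T1505.003",
                          f'{r["method"]} {r["uri"]} from {r["id.orig_h"]}')


def rule_mining_dns(dns_rows):
    """Queries for watchlisted mining-pool domains or their subdomains (ATT&CK T1496)."""
    for r in dns_rows:
        q = r["query"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in MINING_POOL_DOMAINS):
            yield finding("crypto_mining_dns", r, "T1496", f'{r["id.orig_h"]} resolved {r["query"]}')


def rule_exposed_rdp(conn_rows):
    """Completed TCP/3389 sessions from outside the internal ranges (ATT&CK T1133)."""
    for r in conn_rows:
        if (r["proto"] == "tcp" and r["id.resp_p"] == "3389" and r["conn_state"] in RESPONDED_STATES
                and not is_internal(r["id.orig_h"]) and is_internal(r["id.resp_h"])):
            yield finding("rdp_exposed_to_internet", r, "T1133",
                          f'{r["id.orig_h"]} -> {r["id.resp_h"]}:3389 ({r["conn_state"]})')


def rule_legacy_tls(ssl_rows):
    """Hygiene check: negotiated protocol versions that should have been retired."""
    for r in ssl_rows:
        if r["version"] in LEGACY_TLS_VERSIONS:
            yield finding("legacy_tls_version", r, None,
                          f'{r["version"]} to {r["server_name"]} ({r["id.resp_h"]})')


def run_detections(http_log, dns_log, conn_log, ssl_log):
    """Run every rule over the parsed logs and return the findings in order."""
    findings = []
    findings.extend(rule_webshell_upload(parse_log(http_log)))
    findings.extend(rule_mining_dns(parse_log(dns_log)))
    findings.extend(rule_exposed_rdp(parse_log(conn_log)))
    findings.extend(rule_legacy_tls(parse_log(ssl_log)))
    return findings


if __name__ == "__main__":
    for f in run_detections(HTTP_LOG, DNS_LOG, CONN_LOG, SSL_LOG):
        print(f'{f["rule"]:26} {f["uid"]:4} {f["technique"] or "-":10} {f["detail"]}')
```

Two details matter in practice. The RDP rule keys on whether the server answered (conn_state SF) rather than on any packet to port 3389, so the unanswered probe C8 is not reported as an exposed service; and the webshell rule inspects the path rather than the raw URI, so query strings cannot disguise the extension. Each finding carries the ATT&CK technique ID, which is the mapping step the article describes when it talks about modelling TTPs against a known framework.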
Improved SOC operational efficiency
When security teams have an NDR that correlates and scores events, they can focus on the critical issues and work more efficiently. NDR solutions enhance security operations by presenting data flows within the context of an event and of the analysts' broader workflow, which saves time. For example, contextualizing event data would include correlating:
- Network metadata targeted around the event
- Results from an embedded sandbox
- The actual content payload