Today, organizations grapple with many cyber threats, such as evolving malware, targeted attacks, supply chain risks, and risky employee behavior. Malicious actors deploy advanced techniques to evade traditional security nets, allowing them to gain an initial foothold and establish further control within a network.

Targeted attacks, meanwhile, combine cunning social engineering, credential stuffing tactics, and exploitation techniques to breach systems, steal credentials, and establish control. These methods can achieve damaging objectives, such as stealing, manipulating, or destroying sensitive data. Insider threats further complicate the challenge, as employees or third-party partners, either through negligence or deliberate actions, can compromise data and system integrity in numerous ways.

The effectiveness of threat detection improves with the variety of telemetry sources available. Each type of telemetry excels at identifying specific activities, so by combining multiple streams, security operations centers (SOCs) can detect threats earlier and more accurately pinpoint attacker behavior.

For this reason, network detection and response (NDR) is a fundamental element in a modern enterprise security strategy. By providing deep insights into network traffic, NDR helps organizations identify and eliminate sophisticated threats before they wreak havoc.

“Although it can function as a standalone tool, NDR is a critical enhancement to broader detection and response solutions, such as extended detection and response (XDR) and managed detection and response (MDR),” says Josh Davies, Principal Technical Manager at Fortra’s Alert Logic. “Effective NDR tools analyze north-south traffic between a network and the internet, as well as the east-west traffic between internal hosts. This aids in the detection of web attacks, lateral movement techniques, and command-and-control beacons.”

What is Network Detection and Response?

NDR’s core capabilities are:

  • Deep packet inspection (layer 7 visibility)
  • Visibility into north-south and east-west traffic
  • Anomaly detection
  • Automated response

According to Davies, NDR solutions continuously monitor network traffic, applying advanced analytics and machine learning to layer 7 (application-layer) traffic to detect suspicious activity and identify potential threats that could indicate compromise. Importantly, these systems go beyond surface-level monitoring of traffic volumes and destinations (layer 3). They enable security teams not only to identify breaches but also to understand the depth and scope of an attack, including lateral movement and data exfiltration tools.

“One of the critical differentiators of a good NDR solution from other log-based network detection is its use of Intrusion Detection Systems (IDS) and Deep Packet Inspection (DPI) to analyze traffic down to the application layer. Proper network inspection does not rely on flow logs alone. It gives visibility that goes beyond what logs alone can offer, particularly for confirming the success or failure of web app attacks,” Davies explains.

By evaluating traffic down to layer 7, NDR delivers visibility that traditional monitoring tools often overlook, particularly related to complex threats or encrypted traffic. “IDS focuses on signature detection and is super powerful because it can catch threats with greater visibility than a log. It’s essential for attacks like web attacks, where seeing the request and the response is key to understanding if the attack was successful,” Davies explains. “Yet, IDS has been around for some time now and has faced accusations of being dated from those pointing to IDS’s focus on detecting only known threats and its limitations in analyzing end-to-end encrypted streams.”
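The request-plus-response point above is easy to show in code. The following is an added example, not code from the article or from Alert Logic: it pairs each reconstructed HTTP request with its response and derives a verdict, using small constructed signatures and sample transactions (the attack strings and IP addresses are made up for illustration).

```python
import re
from urllib.parse import unquote

# Request-side signatures, in the spirit of an IDS rule set (constructed, deliberately small).
REQUEST_SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "traversal": re.compile(r"\.\./"),
}
# Response-side evidence that the attempt actually reached or exposed something.
RESPONSE_EVIDENCE = {
    "sqli": re.compile(r"SQLSTATE|syntax error", re.IGNORECASE),
    "traversal": re.compile(r"root:x:0:0", re.IGNORECASE),
}

# Constructed transactions as a sensor would reconstruct them from packets:
# (client_ip, method, path, status, response_body)
TRANSACTIONS = [
    ("10.0.0.5", "GET", "/products?id=42", 200, "<html>Widget</html>"),
    ("198.51.100.7", "GET", "/products?id=42'%20OR%201=1--", 500, "SQLSTATE[42000]: syntax error near 1=1"),
    ("198.51.100.7", "GET", "/download?file=../../etc/passwd", 200, "root:x:0:0:root:/root:/bin/bash"),
    ("198.51.100.7", "GET", "/download?file=../../etc/shadow", 403, "Forbidden"),
]

def classify(client, method, path, status, body):
    """Pair the request with its response to decide what actually happened.
    A log line usually carries only the request side; here both sides are available."""
    decoded = unquote(path)
    for name, sig in REQUEST_SIGNATURES.items():
        if not sig.search(decoded):
            continue
        if 400 <= status < 500:
            verdict = "blocked"          # app or WAF rejected it
        elif status >= 500:
            verdict = "backend_error"    # payload reached the backend; injection point likely
        elif RESPONSE_EVIDENCE[name].search(body):
            verdict = "succeeded"        # response carries the data the attacker wanted
        else:
            verdict = "unconfirmed"      # 2xx, but nothing sensitive visible in the reply
        return {"client": client, "attack": name, "verdict": verdict}
    return None  # no signature matched: benign as far as this rule set can tell

def triage(transactions):
    """Return only the transactions that matched a signature, each with its verdict."""
    return [r for r in (classify(*t) for t in transactions) if r]
```

The "succeeded" versus "blocked" distinction is exactly what a request-only log cannot give an analyst.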

By integrating IDS with network traffic analysis (NTA), both known and unknown threats can be detected. NTA leverages machine learning to spot anomalies in network behavior, analyzing traffic patterns to identify irregular volumes or unexpected activities. These tools can flag suspicious behavior, such as unusual traffic spikes or unexpected internal communications, helping to detect potential compromises before they escalate. As with all anomaly detections, these findings require further analysis by an expert for validation. The benefit is that they can surface novel and emerging techniques and identify instances of compromise that traditional analytics may miss.

NDR solutions can inspect encrypted traffic, provided the appropriate certificates are uploaded for decryption. However, as the NDR appliance sits out of band, there can be limitations with end-to-end encryption or perfect forward secrecy (PFS). To address this limitation, networks can be architected to terminate end-to-end encryption at a DMZ (demilitarized zone), but this is not always a security best practice. A better solution is using agents to decrypt and forward traffic at the destination host.

An effective NDR solution includes response capabilities that can act on identified threats. These features should be tailored to detect and neutralize threats in real time, adapting to each threat’s specific behavior. With full visibility into network traffic, the solution can monitor for anomalies like malicious outbound requests to attacker infrastructure or lateral movement, blocking malicious traffic at the perimeter and/or isolating affected systems immediately. By automating the response process, high-priority threats like ransomware can be rapidly contained, minimizing further spread and reducing manual intervention.

Finally, NDR also tracks remote protocols and file-sharing mechanisms to restrict misuse. If unusual SSH or RDP traffic is detected, access can be limited to protect the network. Log and file integrity monitoring (FIM) correlation provides deep insight so security teams can analyze each threat’s context and adjust strategies accordingly.


Real-world NDR Use Cases in Network Security

NDR solutions are particularly effective in identifying and mitigating various network threats, including:

Web app attacks — Point of entry

Web apps are the primary entry point for attackers to gain access to a network. By exploiting vulnerabilities or using credential attacks, these malefactors can break through and initiate deeper network breaches. Monitoring this entry point is crucial as it allows security teams to detect early signs of an attack and thwart unauthorized access.

Immature SOCs do not use NDR or even IDS. Instead, they only rely on log detections. It’s important to note that logs have big limitations when it comes to web app attacks.

Reconnaissance

Early detection of reconnaissance activity helps security practitioners limit what attackers can learn about their environment. “By spotting early probes, such as port mapping or unauthorized vulnerability scans, NDR can block further requests, essentially cutting off the attacker’s view of the network,” says Davies. “This reduces the information they have to plan a more targeted attack, making the attacker less likely to succeed by keeping them in the dark.”

Web shell — We can see the traffic

When there is a web shell attack, security teams utilizing NDR can monitor traffic going through these backdoors, seeing both the entry and exit points. “Attackers use web shells to maintain persistent access, so the exact flow of traffic between the compromised system and the attacker’s control point needs to be tracked. This monitoring helps identify any commands executed via the web shell backdoor, so we know exactly what the needed remediation steps are to root out the infection when the host has been isolated,” Davies explains.

Monitoring traffic patterns

Another essential capability is the ability to monitor traffic patterns across the network. This entails analyzing data flows and identifying any deviations from the norm. “When unusual traffic patterns are spotted, it can be a sign of potential malicious activity, allowing security teams to zero in on these anomalies and understand if there’s a threat that needs to be addressed,” Davies says.

Installation attempts — Outbound C2 requests

“NDR can even spot installation attempts by observing outbound C2 requests. When malware attempts to establish communication with a C2 server, NDR has the visibility to tell you what was requested and received. This traffic can be analyzed to see what instructions were given, including what files may have been downloaded. Having this information enables speedy cleanup by pointing to the attackers’ artifacts and/or next steps,” Davies comments.
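One signal an NDR sensor can extract from outbound C2 traffic, even without decrypting it, is the timing regularity of a beacon. The block below is an added example and not code from the article or from Alert Logic; it groups constructed outbound connection records by source/destination pair and flags pairs whose inter-connection intervals are suspiciously regular (the hosts, addresses and thresholds are made up).

```python
import statistics
from collections import defaultdict

# Constructed outbound connection records: (timestamp_s, src, dst, bytes_out).
# 10.0.0.23 reaches 203.0.113.9 roughly every 60 s with tiny payloads (beacon-like);
# 10.0.0.5 talks to 198.51.100.20 at irregular times with varied sizes (user browsing).
CONNECTIONS = (
    [(60 * i + (i % 3), "10.0.0.23", "203.0.113.9", 312) for i in range(12)]
    + [(t, "10.0.0.5", "198.51.100.20", b) for t, b in
       [(5, 4800), (9, 120000), (130, 2300), (131, 9900), (400, 54000), (700, 1500)]]
)

def beacon_candidates(records, min_connections=8, max_cv=0.2):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.
    CV = stddev / mean of the inter-arrival gaps; a scheduled beacon scores near 0,
    while human-driven traffic has CV well above the threshold."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))
    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_connections:
            continue  # too few samples to say anything about periodicity
        times = sorted(ts for ts, _ in events)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "connections": len(events),
                "interval_s": round(mean_gap, 1), "cv": round(cv, 3),
                "avg_bytes": round(statistics.mean(b for _, b in events)),
            })
    return findings
```

A hit is a lead for the analyst validation the article calls for, not a verdict: software update checks and monitoring agents also beacon, so the destination still has to be judged.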

Anomaly detection

Detecting anomalies is fundamental to an NDR security approach. By comparing normal versus abnormal behaviors, potential threats can be pinpointed in real-time. Whether it’s unusual login attempts, unexpected data transfers, or system changes, anomaly detection helps flag possible intrusions before they escalate.

Fileless malware attacks

Fileless malware is particularly tricky because it doesn’t rely on traditional files, which makes it harder to detect. Instead, it runs in memory or utilizes legitimate software to execute malicious code. “Often we can see scripts being downloaded which contain the malicious instructions, triggering processes or PowerShell commands,” explains Davies.

Lateral movement

Once attackers are in, they often move laterally through the network to find additional assets to exploit. NDR provides visibility into lateral movement, monitoring internal traffic for signs of unauthorized access to different systems. By identifying lateral movement early, the attack can be contained, and critical systems protected from objectives like ransomware.

Remote protocols & file sharing

Attackers often use remote protocols and file-sharing mechanisms to move through a network undetected. “By monitoring the use of these protocols, especially in unusual contexts, NDR can detect when threat actors try to weasel their way through various parts of the network. This includes observing patterns in RDP, SMB, and other protocols,” says Davies.

Monitoring high volumes of sessions

When there’s an increase in session activity, such as a high volume of SSH connections, it can indicate brute force attacks or unauthorized access attempts. By tracking the number of sessions attempted and analyzing their source, NDR can spot unusual SSH traffic that may suggest a cybercrook is trying to establish persistent access.

Brute force attempts

Brute force attempts are a telltale sign of bad actors working to gain access by guessing credentials. “A good NDR solution monitors for patterns that indicate repeated login attempts over a short period, allowing companies to detect and respond to brute force attacks. By flagging these attempts, unauthorized access can be prevented before it leads to a breach,” he adds.
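The two preceding sections (high session volumes and brute force) describe the same flow-level detection: count SSH connections per source in a sliding window and check whether a long-lived session follows the burst. The block below is an added example, not code from the article or from Alert Logic; the flow records, addresses and thresholds are constructed.

```python
from collections import defaultdict, deque

# Constructed SSH flow records: (start_ts, src, dst, duration_s).
# Many one-second flows are failed logins; a long flow afterwards is a shell session.
SSH_FLOWS = (
    [(100 + i, "198.51.100.7", "10.0.0.12", 1) for i in range(25)]
    + [(126, "198.51.100.7", "10.0.0.12", 940)]
    + [(100, "10.0.0.40", "10.0.0.12", 300), (900, "10.0.0.40", "10.0.0.12", 250)]
)

def ssh_brute_force(flows, window_s=60, threshold=20, session_min_s=30):
    """Sliding-window count of SSH connections per source. Report a burst that
    reaches `threshold` connections within `window_s`, and whether a session of at
    least `session_min_s` started at or after the burst (a possible successful guess)."""
    by_src = defaultdict(list)
    for flow in sorted(flows):
        by_src[flow[1]].append(flow)
    alerts = []
    for src, recs in by_src.items():
        window = deque()            # start times of connections inside the window
        peak, first_hit = 0, None
        for ts, _, dst, duration in recs:
            window.append(ts)
            while ts - window[0] > window_s:
                window.popleft()
            if len(window) >= threshold:
                first_hit = ts if first_hit is None else first_hit
                peak = max(peak, len(window))
        if first_hit is None:
            continue
        session = any(ts >= first_hit and d >= session_min_s for ts, _, _, d in recs)
        alerts.append({"src": src, "dst": recs[0][2], "peak_in_window": peak,
                       "burst_at": first_hit, "session_after_burst": session})
    return alerts
```

A burst with `session_after_burst` set is the case to escalate first, since a long session following dozens of one-second connections suggests the guessing worked.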

Cross correlation

To better understand what’s happening on the network, correlate NDR events with log data and other telemetry. Tools like extended detection and response (XDR) focus on aggregating these telemetry sources for investigation and alert enrichment. “This correlation helps security teams piece together the full picture, allowing them to identify where attacks may be happening, how they’re evolving, and how best to respond. Cross correlation is crucial for efficiently differentiating between legitimate activities and potential threats,” Davies says.

A Critical Component of Detection & Response Solutions

NDR represents a critical layer of detection and response solutions for organizations seeking to enhance their cybersecurity defenses. By leveraging deep packet inspection, integration with other controls for response, and robust playbooks, NDR fills the visibility gaps left by traditional log-based monitoring and endpoint tools.

Our managed security services, including Fortra XDR and Fortra’s Alert Logic MDR, utilize NDR as part of our overall solutions. Want to learn more? Schedule a demo.

About the Author
Kirsten Doyle
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data center.