1 Introduction
Commercial, government, and non-profit organizations of all kinds increasingly find themselves under cyber-attacks these days. Ransomware, fraud, credential theft, personal information and intellectual property leaks occur daily around the globe. IT teams mitigate the risks by employing and deploying a wide array of cybersecurity tools.
Network Detection & Response (NDR) solutions are designed to help security analysts discover evidence of current or past malicious activities on the network and/or in the cloud. NDR tools are effectively “Next-Generation Intrusion Detection Systems” (IDS). One of the significant differences between NDR and old IDS tools is that NDR tools use multiple Machine Learning (ML) techniques to identify normal baselines and anomalous traffic, rather than only static rules or IDS signatures. Given the volumes of network connection data that must be analyzed, using ML algorithms and models is a “must” rather than a “nice-to-have”. Historically, the major drawbacks to IDS were that it was labor-intensive to operate and could generate high numbers of false positives.
These security tools were created to discover and remediate certain types of attacks. Advanced Persistent Threats (APTs) are often perpetrated by actors from state intelligence agencies to gather intelligence on foreign companies and agencies, copy intellectual property, or carry out sabotage. APT actors may also include well-funded but unscrupulous companies and hacktivist groups. Their goals often require a long-term presence on victims’ networks, hence the term “persistent”. APT groups have historically been the most likely to use Zero-Day exploits (those previously unseen in the wild), which may give them the advantage of not being detected by endpoint agents.
NDR has emerged as an additional tool to discover hitherto unknown compromises. Since data exfiltration is usually an objective of attackers, even in contemporary ransomware cases executed by cybercriminal units, properly deployed NDR tools are better suited to discovering lateral movement from the initially compromised device to other assets within the target organization, use of compromised privileged credentials, and data exfiltration attempts. They can also help discover and remediate more common attacks such as unwanted bot activity, credential theft, and insider threats.
NDR tools are also deployed to provide visibility in OT/ICS/IIoT environments where it may not be possible to implement endpoint agent-based solutions. Enterprises often separate OT/ICS and IIoT devices onto their own networks for containment purposes. Such network segmentation is indeed useful, and the control points between these specialized networks and general-use and back-end networks are logical places to deploy NDR sensors.
NDR solutions can log all activity from attached networks in a central, secure location for both real-time and later forensic analysis. They are usually implemented as a mix of appliances, virtual appliances, and IaaS VM images. Alternatively, some vendors take a more lightweight approach: rather than in-line or traffic-mirroring deployment models, they receive telemetry (and optionally packet captures) from network devices and analyze and act upon that. Proper design of NDR deployments is necessary to ensure that all traffic flows are monitored.
A key differentiator for NDR is the employment of ML algorithms for detection. At a high level, unsupervised ML finds outliers or anomalies in traffic patterns relative to a learned baseline, while supervised ML models categorize the possible threats among those outliers, classifying malicious activities, domains, and other attributes.
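To make the two-stage split concrete, the following added example (not code from the original document or from any NDR vendor) runs a miniature version of that pipeline over constructed flow summaries: stage 1 builds a per-host baseline with a robust (median/MAD) z-score and flags hosts that deviate from it; stage 2 hands only those flagged hosts to a small supervised nearest-centroid classifier trained on constructed, labelled feature vectors. The internal address range, the flow records, the training data and the `data_exfiltration` / `lateral_movement` / `benign` labels are all assumptions chosen for illustration; real NDR products use far richer features and models.

```python
import math
import ipaddress
from collections import defaultdict
from statistics import mean, median, pstdev

# Assumed internal address space the (hypothetical) NDR sensor is configured with.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow summaries (not real traffic): (src, dst, dst_port, bytes_out).
FLOWS = [
    ("10.0.1.11", "10.0.2.5", 443, 12_000), ("10.0.1.11", "10.0.2.6", 443, 8_000),
    ("10.0.1.12", "10.0.2.5", 443, 15_000),
    ("10.0.1.13", "10.0.2.5", 443, 25_000), ("10.0.1.13", "10.0.2.7", 22, 5_000),
    ("10.0.1.14", "10.0.2.6", 443, 9_000),
    ("10.0.1.15", "10.0.2.5", 443, 18_000),
    ("10.0.1.16", "10.0.2.5", 443, 12_000), ("10.0.1.16", "10.0.2.6", 443, 10_000),
    ("10.0.1.17", "10.0.2.7", 22, 11_000),
    ("10.0.1.18", "10.0.2.5", 443, 20_000), ("10.0.1.18", "10.0.2.6", 443, 7_000),
    # One host pushing ~900 MB to an external (documentation-range) address.
    ("10.0.1.50", "203.0.113.7", 443, 900_000_000),
] + [
    # One host touching twelve internal servers on SMB with small transfers.
    ("10.0.1.60", f"10.0.2.{i}", 445, 2_000) for i in range(1, 13)
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def host_features(flows):
    """Aggregate per-source-host features from flow summaries."""
    bytes_out, ext_bytes, dsts = defaultdict(int), defaultdict(int), defaultdict(set)
    for src, dst, _port, b in flows:
        bytes_out[src] += b
        dsts[src].add(dst)
        if not is_internal(dst):
            ext_bytes[src] += b
    return {
        h: {"bytes_out": bytes_out[h],
            "distinct_dsts": len(dsts[h]),
            "external_fraction": ext_bytes[h] / bytes_out[h] if bytes_out[h] else 0.0}
        for h in bytes_out
    }


def modified_z(values):
    """Robust z-scores (Iglewicz & Hoaglin): 0.6745 * (x - median) / MAD."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # degenerate baseline: nothing can be called an outlier
        return [0.0 for _ in values]
    return [0.6745 * (v - med) / mad for v in values]


def unsupervised_outliers(features, keys=("bytes_out", "distinct_dsts"), threshold=3.5):
    """Stage 1: flag hosts whose score against the population baseline exceeds threshold."""
    hosts = list(features)
    flagged = {}
    for key in keys:
        for h, z in zip(hosts, modified_z([features[h][key] for h in hosts])):
            if z > threshold:
                flagged.setdefault(h, {})[key] = round(z, 1)
    return flagged


def to_vector(feat):
    return [math.log10(feat["bytes_out"] + 1), feat["distinct_dsts"], feat["external_fraction"]]


# Constructed labelled training vectors: (log10 bytes_out, distinct dsts, external fraction).
TRAINING = [
    ([8.5, 1, 1.0], "data_exfiltration"), ([7.9, 2, 0.95], "data_exfiltration"),
    ([9.0, 1, 1.0], "data_exfiltration"),
    ([4.2, 10, 0.0], "lateral_movement"), ([4.5, 15, 0.0], "lateral_movement"),
    ([3.9, 8, 0.1], "lateral_movement"),
    ([4.3, 1, 0.5], "benign"), ([4.0, 2, 0.3], "benign"), ([4.5, 2, 0.6], "benign"),
]


class NearestCentroid:
    """Stage 2: standardise features, then assign the closest class centroid."""

    def __init__(self, labelled):
        dims = len(labelled[0][0])
        self.mean = [mean([v[i] for v, _ in labelled]) for i in range(dims)]
        self.std = [pstdev([v[i] for v, _ in labelled]) or 1.0 for i in range(dims)]
        by_label = defaultdict(list)
        for v, label in labelled:
            by_label[label].append(self._scale(v))
        self.centroids = {lab: [mean(col) for col in zip(*vs)] for lab, vs in by_label.items()}

    def _scale(self, v):
        return [(x - m) / s for x, m, s in zip(v, self.mean, self.std)]

    def predict(self, v):
        sv = self._scale(v)
        return min(self.centroids, key=lambda lab: math.dist(sv, self.centroids[lab]))


def triage(flows):
    """Run both stages; returns {host: (label, stage-1 evidence)} for flagged hosts only."""
    feats = host_features(flows)
    flagged = unsupervised_outliers(feats)
    clf = NearestCentroid(TRAINING)
    return {h: (clf.predict(to_vector(feats[h])), flagged[h]) for h in flagged}


if __name__ == "__main__":
    for host, (label, evidence) in triage(FLOWS).items():
        print(f"{host}: {label} (outlier on {evidence})")
```

Only the two constructed hosts clear the stage-1 threshold (one on outbound volume, one on destination fan-out), so the supervised model never has to score the ordinary hosts; that is the division of labour the paragraph describes, and it is also why the baseline must be built from the organisation's own traffic rather than from a fixed rule.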
In terms of responses, NDR solutions can provide dashboards, alerts, and reports; display real-time visualizations; allow drilldowns into details; enrich discoveries with threat intelligence; correlate events and provide automated analysis; halt suspicious traffic; isolate nodes; and send event data to SIEMs, SOARs, and forensic/case management applications. Where vendor products operate in passive mode, they direct third-party security tools via APIs to execute these responses.