What are NDR solutions and how can they help build reliable cyber defense?
NDR solutions analyze network traffic to build a model of what normal traffic looks like on the network, and raise alerts when outliers occur.
Network Detection and Response (NDR) relies mainly on non-signature techniques such as machine learning (unlike anti-virus software, which matches signatures) to detect anomalous and suspicious traffic that could indicate a cyberattack.
The American research and advisory firm Gartner wrote that, in addition to monitoring north-south traffic crossing the enterprise perimeter, NDR solutions can also monitor east-west connections between internal hosts by analyzing traffic from sensors deployed inside the network.
Response is also an important function of NDR solutions. Automatic responses (such as sending a command to the firewall to drop suspicious traffic) and manual responses (such as providing threat hunting and incident response tooling) are common elements of NDR products.
While NDR can help with many network problems, it is particularly strong against active cyberattacks. Let's take ransomware as an example.
How NDR deals with ransomware
Ransomware attacks are currently on the rise, causing millions of dollars in damage to organizations in the form of ransom payments, lost productivity and lost customer confidence.
The Sophos State of Ransomware Report 2021 puts the average cost of remediating a ransomware attack in 2021 at $1.85M, up from $761K in 2020. This figure covers everything needed to recover from the attack, including:
- ransom payment;
- costs associated with outages when IT systems are unusable;
- losses due to downtime of equipment controlled by IT systems;
- overtime pay for staff during the recovery period;
- and much more.
The ransom itself is only a small part of that total: in 2021 the average ransom paid was $170,404.
The SOC visibility triad (Security Operations Center)
While NDR solutions are critical to network security, it is equally important to have a framework that NDR fits into. One such approach is the SOC visibility triad, a concept introduced by Gartner: deploying complementary security tools that compensate for each other's blind spots greatly reduces an attacker's chances of achieving their goals.
The three pillars of the SOC visibility triad are:
- EDR for endpoint security;
- SIEM for log processing and event correlation;
- NDR to analyze behavior from a network perspective.
Today, security leaders are moving to a model that extends log management and endpoint protection with NDR tools. The NDR component compensates for the blind spots of SIEM and EDR, and together the three provide coverage and visibility across complex IT environments.
Each of the three deals with a different part of the anatomy of an attack, so the IT department should cover all three to increase the likelihood of detecting an attack, and of detecting it early. Let's consider each component separately.
Security Information and Event Management (SIEM)
According to experts, more than 80% of successful breaches involve compromised credentials, so it is vital to understand what normal and abnormal behavior looks like on the network.
Suppose someone tries to log in 200 times in less than a second. That calls for a fast reaction, such as disconnecting the device from the network. In an environment with many users and systems, IT staff need a way to collect all relevant logs, aggregate them, and analyze them; that is the job of a SIEM, and log aggregation and user behavior analytics are its key functions.
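As an added example (not part of the original article), here is the SIEM logic behind that scenario in Python: sshd log lines from two hosts are merged into one timeline, failures are counted per source address, and an alert is raised when a source crosses a sliding-window threshold, with a second alert if that source then logs in successfully. The log format, the host names, the addresses and the threshold of 20 failures within 10 seconds are assumptions of mine, and the sample lines are constructed.

```python
"""Added example (not from the original article): SIEM-style aggregation of
sshd authentication logs from two hosts and detection of a login burst.
Assumptions that are mine, not the article's: the syslog-like line format,
the host names and IP addresses, and the threshold (20 failures in 10 s)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# One sshd-style line per event; timestamps are ISO 8601 (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def _line(ts, host, result, user, src, port):
    return f"{ts.isoformat()} {host} sshd[4242]: {result} password for {user} from {src} port {port} ssh2"


def _build_sample_log():
    """Constructed sample log: ordinary logins plus the article's 200-attempts-in-
    under-a-second scenario, spread over two hosts, followed by one success."""
    base = datetime(2021, 6, 1, 9, 0, 0)
    events = []
    for i in range(5):
        events.append((base + timedelta(minutes=10 * i), "web1", "Accepted", "alice", "10.0.1.20", 51000 + i))
    events.append((base + timedelta(minutes=7), "web2", "Failed", "bob", "10.0.1.21", 51100))  # one typo
    attack = base + timedelta(minutes=35)
    for i in range(200):  # 200 failures spaced 5 ms apart, alternating between the two hosts
        events.append((attack + timedelta(milliseconds=5 * i), "web1" if i % 2 else "web2",
                       "Failed", "root", "203.0.113.7", 40000 + i))
    events.append((attack + timedelta(seconds=3), "web1", "Accepted", "root", "203.0.113.7", 40200))
    events.sort(key=lambda e: e[0])  # aggregation: merge both hosts' logs into one timeline
    return [_line(*e) for e in events]


LOG_LINES = _build_sample_log()


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
            "src": m["src"], "ok": m["result"] == "Accepted"}


def failures_per_source(lines):
    """Simple aggregation: failed attempts per source IP across all hosts."""
    return Counter(ev["src"] for ev in map(parse, lines) if ev and not ev["ok"])


def detect_bursts(lines, threshold=20, window=timedelta(seconds=10)):
    """Sliding-window rate check per source IP. Fires once per source when the
    threshold is crossed, and again if that source later logs in successfully,
    which is the signal that the brute force may have worked."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in map(parse, lines):
        if ev is None:
            continue
        if ev["ok"]:
            if ev["src"] in alerted:
                alerts.append(("success_after_burst", ev["src"], ev["user"]))
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append(("burst", ev["src"], len(q)))
    return alerts


if __name__ == "__main__":
    print(failures_per_source(LOG_LINES))
    for alert in detect_bursts(LOG_LINES):
        print(alert)
```

The window is keyed on the source address rather than the user name because a password-spraying attacker rotates user names; a real SIEM rule would key on both and also watch for many sources hitting one account.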
Endpoint Detection and Response (EDR)
When an endpoint is compromised, cybercriminals are one step closer to gaining privileged access, with devastating consequences. Unlike antivirus, whose job is to deal with common, mass threats, EDR solutions focus on identifying targeted attacks and advanced threats.
Network Detection and Response (NDR)
NDR solutions are designed to detect network intrusions and, beyond that, to:
- triage cyber defense issues;
- focus attention on the most important assets;
- filter out noise.
NDR allows incident responders and SOC operators to get to the elements that really matter, getting ahead of problems and determining their actual impact.
The idea is to catch the intrusion at the very beginning, to see its traces before the full impact of the exploit is felt. NDR is about detecting anomalies so that you can stop and remediate the intrusion and prevent future attacks.
NDR solutions mainly use non-signature-based methods (machine learning or other analytic methods) to detect suspicious traffic on corporate networks. NDR tools continuously analyze raw traffic and flow records to build models that reflect normal network behavior. When NDR tools detect suspicious traffic patterns, they issue warnings.
The diagram below shows where NDR is located and how it is a key source of reliable network information.
SIEM and EDR are important solutions, but they still leave blind spots in the east-west corridor, where attackers can hide after bypassing perimeter defenses. By taking a network-centric approach, NDR fills these visibility and coverage gaps. Advanced NDR solutions can also monitor and analyze encrypted traffic, either by inspecting decrypted traffic at a TLS-terminating point or, more commonly, by working from metadata such as handshake fingerprints, certificate details, flow sizes and timing without decrypting anything.
Early breach detection
NDR solutions continuously monitor network traffic, analyzing communications to spot anomalies and suspicious behavior. This makes it possible to respond to unknown threats that other technologies do not detect.
The average time to identify and contain a breach was 287 days in 2021. At the same time, attackers produce new malware every day for which no signature exists yet. This is why NDR solutions do not rely on signatures alone but use machine learning to detect anomalies.
Three NDR detection techniques
By applying machine learning techniques, modeling baselines, and analyzing user behavior on the network, NDR tools can detect and alert you to hidden malicious activity.
The traditional method for detecting anomalies in network traffic is statistical analysis that looks for spikes in traffic and deviations from baselines. Let's look at several different techniques an NDR solution can use for detection.
Machine learning (ML)
Machine learning continuously computes and analyzes the entropy of the traffic between individual hosts on the network to distinguish human-driven from machine-driven behavior. Many attacks on network services stand out through very low entropy, because the repetitive network pattern they generate is far more uniform than ordinary use; a brute-force attack, for example, is easy for the ML system to pick out. Legitimate automation (backup jobs, monitoring polls) is just as regular, so entropy is combined with baselines and context before an alert is raised.
An adaptive baseline profiles individual hosts, learns their usual behavior on the network, and compares hosts with their peers. For example, one host may generate far more email than the others on the same network segment, which could indicate compromise, spamming, and so on.
Heuristic algorithms look for particular symptoms in the traffic and work with probabilities. For example, in peer-to-peer traffic you look for several different symptoms and calculate that there is, say, an 80% chance that a particular device is connected to a BitTorrent network.
User behavior analysis
For example, analysts may find that a certain type of connection does not match any legitimate pattern on the network. Say a user suddenly opens an SSH session and transfers a large amount of data over it. This will be flagged as a potentially successful cyberattack, in this case likely data exfiltration.
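The four techniques above (entropy, adaptive baselines, heuristics and user behavior analysis) in working form, as an added example rather than code from the article or from any NDR product: each detector runs over a constructed set of flow records that contains one host behaving in each of the ways described, an SSH brute force, a spamming host, a BitTorrent-like host and a workstation pushing gigabytes out over SSH. The flow schema, the 10.0.2.0/24 addresses, the thresholds and the traffic mix are all my assumptions.

```python
"""Added example (not from the original article): four NDR-style detectors,
one per technique described above, run over a constructed set of flow records.
Everything below is my assumption: the flow schema, the addresses, the
thresholds and the constructed traffic itself."""
import math
import random
from collections import Counter, defaultdict
from statistics import median


def _make_flows():
    """Constructed flows: (src, dst, dport, bytes_out, bytes_in, start_seconds)."""
    rng = random.Random(7)  # fixed seed: the data set is the same on every run
    flows = []
    for src in ("10.0.2.11", "10.0.2.12", "10.0.2.13", "10.0.2.14"):
        # Ordinary workstations: varied destinations, sizes and timing.
        for _ in range(60):
            flows.append((src, f"198.51.100.{rng.randint(1, 200)}", rng.choice((80, 443)),
                          rng.randint(300, 60000), rng.randint(1000, 900000), rng.uniform(0, 3600)))
        for _ in range(rng.randint(1, 4)):  # a few emails each via the internal relay
            flows.append((src, "10.0.2.25", 25, rng.randint(2000, 9000), 500, rng.uniform(0, 3600)))
    # SSH brute force: hundreds of near-identical flows at a fixed cadence.
    for k in range(300):
        flows.append(("10.0.2.10", "10.0.2.50", 22, 1500 + rng.randint(0, 8), 900, 100 + 0.5 * k))
    # Spamming host: hundreds of SMTP connections where its peers make a handful.
    for _ in range(400):
        flows.append(("10.0.2.30", "10.0.2.25", 25, rng.randint(2000, 9000), 500, rng.uniform(0, 3600)))
    # P2P-like host: many distinct external peers, BitTorrent ports, symmetric volumes.
    for k in range(40):
        size = rng.randint(50000, 400000)
        flows.append(("10.0.2.40", f"203.0.113.{k + 1}", rng.choice((6881, 6889, 51413)),
                      size, size + rng.randint(-10000, 10000), rng.uniform(0, 3600)))
    # Exfiltration: one SSH session from a workstation pushing about 2 GB out.
    flows.append(("10.0.2.11", "192.0.2.9", 22, 2_000_000_000, 40_000, 1800.0))
    return flows


FLOWS = _make_flows()


def _entropy(values):
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def low_entropy_pairs(flows, min_flows=50, max_bits=2.0):
    """ML-style entropy check: for each (src, dst, dport) with enough flows, measure
    the entropy of quantized payload sizes and inter-arrival times. Brute force and
    beaconing repeat themselves and score near zero; interactive use does not."""
    groups = defaultdict(list)
    for src, dst, dport, out, _in, t in flows:
        groups[(src, dst, dport)].append((t, out))
    hits = {}
    for key, items in groups.items():
        if len(items) < min_flows:
            continue
        items.sort()
        sizes = [out // 256 for _, out in items]                                 # 256-byte buckets
        gaps = [round(b - a, 1) for (a, _), (b, _) in zip(items, items[1:])]    # 0.1 s buckets
        bits = (_entropy(sizes) + _entropy(gaps)) / 2
        if bits < max_bits:
            hits[key] = round(bits, 2)
    return hits


def smtp_outliers(flows, dport=25, z_limit=3.5):
    """Adaptive baseline: each host's SMTP connection count against its peers, using
    a robust z-score (median and MAD) so that the outlier cannot inflate the baseline."""
    counts = Counter(src for src, _dst, p, *_ in flows if p == dport)
    med = median(counts.values())
    mad = median(abs(c - med) for c in counts.values()) or 1.0
    scores = {h: round(0.6745 * (c - med) / mad, 1) for h, c in counts.items()}
    return {h: z for h, z in scores.items() if z > z_limit}


def p2p_scores(flows, min_score=0.7):
    """Heuristic: several weak symptoms combine into a probability-like score."""
    per_host = defaultdict(list)
    for f in flows:
        per_host[f[0]].append(f)
    scores = {}
    for host, fl in per_host.items():
        peers = {dst for _, dst, *_ in fl if not dst.startswith("10.")}
        symmetric = sum(1 for *_, out, inb, _t in fl if inb and 0.5 <= out / inb <= 2) / len(fl)
        score = ((0.3 if len(peers) >= 20 else 0)                         # many external peers
                 + (0.4 if any(6881 <= f[2] <= 6889 for f in fl) else 0)  # BitTorrent port range
                 + (0.3 if symmetric > 0.5 else 0))                       # upload roughly equals download
        if score >= min_score:
            scores[host] = round(score, 1)
    return scores


def ssh_bulk_transfers(flows, limit_bytes=500_000_000):
    """User behaviour check: an SSH session pushing far more data than any
    interactive session would is flagged as a possible exfiltration channel."""
    return [(src, dst, out) for src, dst, dport, out, *_ in flows if dport == 22 and out > limit_bytes]


if __name__ == "__main__":
    print("low entropy:", low_entropy_pairs(FLOWS))
    print("smtp outliers:", smtp_outliers(FLOWS))
    print("p2p:", p2p_scores(FLOWS))
    print("ssh bulk:", ssh_bulk_transfers(FLOWS))
```

The brute-force host scores zero bits on both size and timing, but a backup job or a monitoring poll would score just as low, which is why the entropy result is normally combined with the peer baseline and asset context before it becomes an alert. The robust z-score matters for the same reason: a plain mean and standard deviation would be dragged upward by the spammer itself.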
Many NDR vendors also include threat intelligence feeds, open source or commercial, in their offerings to add value: lists of known malicious IP addresses, hostnames, domain names, fingerprints and so on.
The response capabilities of NDR solutions fall into two groups: manual response and automatic response.
For manual response, NDR vendors are improving their threat hunting and incident response capabilities through better workflow options, such as helping incident responders prioritize which security events to handle first.
For automatic response, NDR tools drive other security solutions that can act on their alerts. For example:
- firewall – sending a command to the firewall to drop suspicious traffic;
- NAC (Network Access Control) – sending commands to the NAC solution to isolate the endpoint;
- EDR – NDR instructs the EDR agent to investigate or contain compromised endpoints;
- SIEM – forwarding events detected by the NDR tool to the SIEM;
- SOAR (Security Orchestration, Automation and Response) – NDR alerts trigger SOAR playbooks that coordinate the steps above across all of these tools.
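An added example (my code, not the article's or any vendor's) of the decision layer that sits between an NDR alert and those integrations. It shows the guardrails a practitioner adds before letting a detector act on its own: every alert is forwarded to the SIEM, automatic blocks expire, critical infrastructure hosts are never auto-isolated, and the number of automatic blocks per run is capped so that a misfiring model cannot black-hole the network. The alert schema, the addresses, the thresholds and the EDR/NAC verbs are assumptions; the nft command assumes an nftables set named blocklist created with the timeout flag, and the CEF line follows the Common Event Format header layout.

```python
"""Added example (not from the original article): the decision layer between an
NDR alert and the automatic responses listed above, with the guardrails a
practitioner adds so that a false positive cannot become a self-inflicted
outage. Assumptions of mine: the alert schema, the addresses, the thresholds,
the block budget and the EDR/NAC verbs. The nft command assumes an nftables
set `blocklist` created with `flags timeout`; the CEF line follows the
Common Event Format header layout."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Alert:
    name: str        # detector that fired
    src: str         # offending host
    dst: str
    dport: int
    score: float     # detector confidence, 0..1


@dataclass
class Responder:
    # Assumed gateway and DNS server: isolating these takes the whole segment
    # down, so they only ever get a ticket, never an automatic block.
    protected: Set[str] = field(default_factory=lambda: {"10.0.2.1", "10.0.2.53"})
    edr_managed: Set[str] = field(default_factory=lambda: {"10.0.2.11", "10.0.2.12"})
    max_auto_blocks: int = 5          # per run; a misfiring model must not black-hole the network
    blocked: Set[str] = field(default_factory=set)

    def to_cef(self, a: Alert) -> str:
        """Every alert is forwarded to the SIEM; CEF is one format SIEMs ingest."""
        severity = min(10, int(a.score * 10))
        return (f"CEF:0|ExampleNDR|ndr|1.0|{a.name}|{a.name}|{severity}|"
                f"src={a.src} dst={a.dst} dpt={a.dport}")

    def plan(self, a: Alert) -> List[str]:
        actions = [self.to_cef(a)]
        if a.src in self.protected:
            actions.append(f"TICKET high: {a.name} from protected host {a.src}, manual review only")
        elif a.score >= 0.9:
            if a.src in self.blocked:
                pass                                           # already contained
            elif len(self.blocked) < self.max_auto_blocks:
                self.blocked.add(a.src)                        # block expires on its own after 1h
                actions.append(f"nft add element inet filter blocklist {{ {a.src} timeout 1h }}")
            else:
                actions.append(f"TICKET high: auto-block budget exhausted, block {a.src} manually")
            if a.src in self.edr_managed:
                actions.append(f"EDR isolate-host {a.src}")       # hypothetical EDR API call
            else:
                actions.append(f"NAC quarantine {a.src}")         # hypothetical NAC API call
        elif a.score >= 0.7:
            actions.append(f"TICKET medium: {a.name} {a.src}->{a.dst}:{a.dport} for analyst triage")
        return actions


if __name__ == "__main__":
    r = Responder()
    for alert in (Alert("ssh_bruteforce", "10.0.2.10", "10.0.2.50", 22, 0.98),
                  Alert("ssh_bulk_transfer", "10.0.2.11", "192.0.2.9", 22, 0.95),
                  Alert("low_entropy", "10.0.2.53", "192.0.2.20", 53, 0.99),
                  Alert("p2p", "10.0.2.40", "203.0.113.5", 6881, 0.75)):
        for action in r.plan(alert):
            print(action)
```

In a real deployment the firewall rule, the EDR call and the NAC call would be issued through a SOAR playbook rather than from the detector directly, so that the block budget, the protected-host list and the audit trail live in one place.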
The MITRE ATT&CK framework
MITRE is a US not-for-profit organization that operates federally funded research and development centers (FFRDCs) on behalf of government sponsors; it originated at MIT's Lincoln Laboratory in 1958. Among its sponsors, it runs the National Cybersecurity FFRDC for NIST and works with the Department of Defense and other federal agencies.
MITRE ATT&CK was originally designed to structure the tactics, techniques, and procedures (TTPs) that attackers use to carry out an attack. Blue and red teams also use ATT&CK during cyber range exercises.
With ATT&CK, IT can pool resources and efforts to stay ahead of potential threats. In addition, the framework lets IT professionals not only learn the anatomy of an attack but also emulate an attacker as preparation. In this way the IT department can build an infrastructure that is ready for threat actors and future attacks.