What is NDR?
Network Detection and Response (NDR) is a cybersecurity solution that has gained a lot of traction in recent years. Network detection and response solutions like NovaCommand take a different approach to network security compared to traditional security tools. While firewalls and intrusion detection and prevention systems (IDPS) are designed to prevent a network breach, NDR is built on the premise that a breach has already occurred. As a result, NDR performs active threat detection and threat hunting.
NDR does this through the continuous monitoring of real-time network traffic. By applying AI-based behavioral analytics to traffic metadata, NDR is constantly comparing real-time network activity with baselines of normal network behavior established using machine learning. The idea is that malicious activity deviates from normal business traffic, showing up as anomalies.
We look at five cyber threats that NDR is especially effective against compared to other security tools.
1. Unknown Malware
Unknown malware is malware that has not yet been discovered, either because it is new (or a modified version of existing malware) or has not been detected in the wild. By contrast, known malware is identified by a signature, that is, specific patterns or attributes unique to the malware. Security technologies such as network firewalls, antivirus, and IDPS mainly rely on a malware signature library to detect known malware in network traffic. However, these protections often fail to detect and block unknown malware.
The beauty of NDR is that it does not rely on signature-based detection to detect malware. Using anomaly-based detection, NDR can accurately detect inconspicuous deviations from normal business traffic to root out unknown threats. NDR is also enhanced with real-time threat intelligence feeds. Once previously unknown malware has been observed in the wild and its indicators published to those feeds, NDR can quickly pick them up to improve its detection of that malware.
2. Data Exfiltration
Stealing sensitive data such as trade secrets and personal information is one of the main objectives of cyber-attacks. Attackers tend to operate within a compromised network for a period of time to reach high-value data, culminating in the final data exfiltration. Various techniques are employed to conceal this process, for example, encrypting the data and chunking it into smaller packets to resemble normal traffic. As a result, data exfiltration can be very difficult to detect.
Still, NDR is well-equipped to detect data exfiltration. For a start, NDR solutions typically possess traffic decryption capabilities that reveal the content of data packets. Moreover, as much as attackers try to conceal data exfiltration, it is not normal business traffic. Such activity will deviate from normal business traffic in one way or another, such as the destination IP. NDR can detect irregularities in outbound traffic, such as an abnormal amount of traffic flowing to a particular IP address, even though packet size and time of activity resemble business as usual.
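The baseline-versus-live comparison described above (and in the opening section on behavioral analytics) can be made concrete with a small scoring routine over flow metadata. The following is an added example written for this article; it is not code from NovaCommand or any NDR product. The flow records, host addresses, window sizes and thresholds are all constructed for illustration. The baseline learns, per internal source host, the normal range of outbound bytes per window, the normal average packet size and the set of destinations it usually talks to; the window under test then gets flagged when total volume is far outside the baseline or when most of its bytes go to a never-before-seen destination, even though the packet size looks like business as usual.

```python
"""Baseline-vs-window anomaly scoring over flow metadata (constructed example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (window_id, src_host, dst_ip, bytes_sent, packets).
# Seven "normal" windows: each internal host talks to the same destinations
# with similar volume and a similar average packet size (~1.2 KB).
BASELINE_FLOWS = []
for w in range(7):
    BASELINE_FLOWS += [
        (w, "10.0.0.5", "203.0.113.10", 480_000 + 10_000 * w, 400),
        (w, "10.0.0.5", "203.0.113.20", 240_000, 200),
        (w, "10.0.0.6", "203.0.113.10", 500_000, 420),
    ]

# Window under test: 10.0.0.5 keeps its usual traffic but also pushes 3 MB to a
# never-before-seen address, chunked into packets of the usual ~1.2 KB size.
TEST_FLOWS = [
    (7, "10.0.0.5", "203.0.113.10", 500_000, 410),
    (7, "10.0.0.5", "203.0.113.20", 240_000, 200),
    (7, "10.0.0.5", "198.51.100.77", 3_000_000, 2500),
    (7, "10.0.0.6", "203.0.113.10", 495_000, 415),
]


def aggregate(flows):
    """Per (window, source) totals: bytes, packets and a bytes-per-destination map."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "per_dst": defaultdict(int)})
    for window, src, dst, nbytes, pkts in flows:
        rec = agg[(window, src)]
        rec["bytes"] += nbytes
        rec["packets"] += pkts
        rec["per_dst"][dst] += nbytes
    return agg


def build_baseline(flows):
    """Learn each source host's normal volume, packet size and destination set."""
    by_src = defaultdict(list)
    for (_window, src), rec in aggregate(flows).items():
        by_src[src].append(rec)
    baseline = {}
    for src, recs in by_src.items():
        totals = [r["bytes"] for r in recs]
        sizes = [r["bytes"] / r["packets"] for r in recs]
        baseline[src] = {
            "mean_bytes": mean(totals),
            # Floor the spread at 1% of the mean so a perfectly constant host
            # does not produce a zero divisor (and infinite z-scores) later.
            "std_bytes": max(pstdev(totals), 0.01 * mean(totals)),
            "size_lo": min(sizes),
            "size_hi": max(sizes),
            "known_dsts": {d for r in recs for d in r["per_dst"]},
        }
    return baseline


def score_window(baseline, flows, z_threshold=3.0, share_threshold=0.5):
    """Flag sources whose volume or destination mix deviates from their baseline."""
    findings = []
    for (window, src), rec in aggregate(flows).items():
        base = baseline.get(src)
        if base is None:  # a host with no history is itself worth a look
            findings.append({"src": src, "kind": "unknown_source", "window": window})
            continue
        z = (rec["bytes"] - base["mean_bytes"]) / base["std_bytes"]
        avg_size = rec["bytes"] / rec["packets"]
        # Packet size within 20% of the learned range counts as "looks normal".
        size_normal = base["size_lo"] * 0.8 <= avg_size <= base["size_hi"] * 1.2
        if z > z_threshold:
            findings.append({"src": src, "kind": "volume", "window": window,
                             "z": round(z, 1), "packet_size_normal": size_normal})
        for dst, nbytes in rec["per_dst"].items():
            share = nbytes / rec["bytes"]
            if dst not in base["known_dsts"] and share >= share_threshold:
                findings.append({"src": src, "kind": "new_destination",
                                 "window": window, "dst": dst, "share": round(share, 2)})
    return findings


if __name__ == "__main__":
    for finding in score_window(build_baseline(BASELINE_FLOWS), TEST_FLOWS):
        print(finding)
```

On the constructed data the host 10.0.0.5 is flagged twice: once for volume (a z-score far above 3, with `packet_size_normal` reported as True, which is exactly the "chunked to resemble normal traffic" case) and once because roughly 80% of its bytes went to a destination absent from its baseline. The second host, whose volume is essentially unchanged, produces no finding. The same z-score logic applied to whole-network volume rather than per-host volume is what the later section on DDoS calls an "abnormal spike in traffic".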
3. Spear-Phishing Attacks
Spear-phishing attacks are one of the most common ways hackers gain unauthorized access to an organization’s networks. Attackers craft genuine-looking emails to lure targeted recipients into clicking on a link or opening an attachment to load malware onto their machine. Legacy firewall and endpoint security solutions may not pick up the malware if it is unknown, AI-enabled, or masquerades as a trusted file, such as Office documents. Once the malware is allowed to execute on the victim machine, attackers have the freedom to conduct their stealthy operations to traverse the environment. At this point, detecting the attack becomes more challenging and may result in a data breach.
NDR can model attack patterns associated with phishing attacks such as those defined by MITRE ATT&CK to detect such attacks. What is more, by correlating network-wide traffic across time, NDR can reconstruct the timeline of malicious activity to trace the attack back to its source. This allows security teams to plug the hole to prevent further compromises, such as blocking the IP address or domain from which the original malicious file was downloaded.
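The timeline reconstruction just described, walking correlated traffic backward from an alert to the original download, is shown below as an added example. It is not code from the article or from any NDR product, and the flow log, host addresses, timestamps and application labels are all constructed for illustration. Starting from the host that raised the alert, the routine follows inbound internal connections backward in time (each step to the host that connected first), stops at the host with no earlier internal inbound connection, and then looks for that host's earliest external download inside the lookback window; the destination of that download is the address a security team would consider blocking.

```python
"""Trace an alert back to the originating download over a constructed flow log."""

# Constructed flow records: (timestamp, src, dst, app, detail).
# Benign noise first, then a download on one host, two internal hops,
# and finally periodic outbound connections from the last hop that raise the alert.
FLOWS = [
    (50,  "10.0.0.6",  "203.0.113.10",  "http", "GET /index.html"),
    (100, "10.0.0.5",  "198.51.100.77", "http", "GET /invoice.docm"),
    (105, "10.0.0.5",  "10.0.0.9",      "smb",  "file copy"),
    (110, "10.0.0.9",  "10.0.0.12",     "smb",  "file copy"),
    (200, "10.0.0.12", "192.0.2.50",    "tls",  "periodic outbound"),
    (260, "10.0.0.12", "192.0.2.50",    "tls",  "periodic outbound"),
]

INTERNAL_PREFIX = "10.0.0."  # assumed internal range for this example


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def trace_back(flows, alert_host, alert_ts, lookback=3600):
    """Walk inbound internal connections backward from the alerting host.

    Returns the suspected first-compromised host, the external download that
    started it (or None), and the ordered timeline of the hops in between.
    """
    timeline = []
    host, before, visited = alert_host, alert_ts, {alert_host}
    while True:
        # Internal hosts that connected to the current host before its own
        # suspicious activity, excluding hosts already on the chain (no cycles).
        inbound = [f for f in flows
                   if f[2] == host and is_internal(f[1]) and f[1] not in visited
                   and before - lookback <= f[0] < before]
        if not inbound:
            break
        first = min(inbound)  # tuples compare by timestamp first: earliest hop
        timeline.append(first)
        host, before = first[1], first[0]
        visited.add(host)
    # The root host's earliest external download before its first lateral move.
    downloads = [f for f in flows
                 if f[1] == host and not is_internal(f[2]) and f[3] == "http"
                 and before - lookback <= f[0] < before]
    origin = min(downloads) if downloads else None
    if origin is not None:
        timeline.append(origin)
    timeline.sort()
    return {"patient_zero": host, "origin": origin, "timeline": timeline}


if __name__ == "__main__":
    result = trace_back(FLOWS, alert_host="10.0.0.12", alert_ts=200)
    print("first compromised host:", result["patient_zero"])
    print("download origin:", result["origin"][2] if result["origin"] else None)
    for ts, src, dst, app, detail in result["timeline"]:
        print(f"t={ts:>4} {src} -> {dst} [{app}] {detail}")
```

Run against the constructed log with the alert on 10.0.0.12 at t=200, the chain resolves to 10.0.0.5 as the first compromised host and 198.51.100.77 as the address the file came from; the unrelated browsing by 10.0.0.6 never enters the timeline because it neither reaches the chain's hosts nor originates from them.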
4. IoT Attacks
An IoT device is any device, gadget, or machine that can connect to the internet, other than conventional devices such as PCs, laptops, and mobile phones. IoT devices have been widely adopted in business settings, including specialized devices such as medical equipment and industrial machines. However, IoT devices pose a real-world security risk to businesses as attackers are increasingly targeting them to breach enterprise networks. The risks with IoT devices are exacerbated by the fact that many devices lack the computing power to run security software. This means security teams are deprived of precious network visibility, with breaches going undetected and unreported.
The benefit of NDR over other security protections is that it operates without an agent, meaning no client application installation is necessary. Since attackers typically use IoT devices as a pivot to expand their reach in the network, NDR provides the network visibility to pick up their activities, especially if they deviate from normal traffic behavior.
5. DDoS Attacks
A DDoS (distributed denial of service) attack occurs when an attacker attempts to crash a web service by flooding its server with fake internet traffic. Perimeter security protections, such as network firewalls and IDPS, can detect and block DDoS attacks. However, a DDoS attack that reaches massive data volumes can still overwhelm them. There are two reasons for this. First, these are in-line network devices that directly receive and forward packets. Second, these devices rely on memory-intensive stateful inspection. This means that they are not equipped to process huge volumes of traffic.
By contrast, NDR is an out-of-band security solution that sits outside of the direct line of traffic and conducts passive packet analysis. Therefore, NDR is not at risk of failing when hit by a DDoS attack. When NDR detects an abnormal spike in traffic, it will alert security operators to carry out incident response or automatically coordinate with other security devices using SOAR rules to deal with the threat.
Follow Techdee for more!