Security Operations Glossary

NDR (Network Detection and Response)

A security solution that monitors all network traffic (east-west and north-south) using machine learning and behavioral analysis. NDR detects what EDR and firewalls miss: lateral movement, C2 communication hidden inside HTTPS, and attacks on IoT devices that cannot run an agent. In XDR platforms, NDR is integrated as the network telemetry source.

NDR (Network Detection and Response) monitors all network traffic—east-west traffic (internal) and north-south traffic (Internet)—and detects attacks based on behavioral patterns. NDR closes the detection gap left by EDR (endpoint) and firewalls.

Why NDR is necessary

Detection gaps without NDR:

  • Firewall: blocks known malicious IPs/ports; C2 traffic that rides over HTTPS to a destination that is not on any blocklist passes without an alert
  • EDR (endpoint): detects malware on managed endpoints; IoT devices, SCADA systems and other hosts that cannot run an agent are blind spots
  • SIEM (logs): sees only what is logged; internal lateral movement that generates no log event (e.g. SMB sessions between two workstations without auditing) is missing

NDR closes these gaps:

  • Lateral movement between workstations (SMB, WMI, RPC)
  • C2 communication via legitimate protocols (HTTPS, DNS)
  • Data exfiltration within the network
  • Compromised IoT/OT devices (no EDR agent possible)
  • Works without an agent: a network tap or SPAN port is sufficient

How NDR works

Data collection

  • Method 1: Network tap - passive inline device inserted on a link between switch ports, sees every packet (full packet capture), ideal for critical segments; does not depend on the switch having spare capacity
  • Method 2: SPAN port / port mirroring - the switch copies traffic to the NDR sensor, cost-effective, no additional hardware; caveat: a mirror port can be oversubscribed and silently drop packets under load, and switches support only a few mirror sessions
  • Method 3: NetFlow/IPFIX - metadata without packet content (who is communicating with whom, when, for how long, how many bytes), far less storage, sufficient for many anomaly detections such as fan-out, beaconing and volume spikes, but blind to payload-level signatures

Analysis Methods

  • Signature-based: known attack patterns (e.g. Cobalt Strike C2 traffic) and known malware network behavior; the same principle as IDS/IPS (several products build on Suricata or Zeek for this layer), but combined with the behavioral methods below
  • Behavioral analysis (ML/AI): Learn the baseline of normal network traffic, detect anomalies (sudden 100 GB outbound traffic), new peer connections (Workstation A suddenly contacts 50 servers)
  • Threat Intelligence Integration: Check IP/domain against current threat feeds, known C2 domains and malware distribution servers, automatic IoC matching

What NDR detects

  • Lateral Movement: Workstation A → port 445 (SMB) → 50 other workstations in 5 minutes → typical of Pass-the-Hash or ransomware propagation → NDR alert: Lateral Movement Detected
  • C2 Communication: a server contacts an unknown domain with a connection every 30 seconds (a regular beacon interval, often with small jitter) → NDR alert: Possible Command & Control Beacon
  • DNS Tunneling: exfiltration via DNS queries such as data.base64encoded.evil.com at 1,000 queries/minute, with unusually long encoded labels → NDR alert: DNS Tunneling Suspected
  • Domain Fronting (HTTPS C2): C2 traffic routed through legitimate CDN domains (Cloudflare, Azure CDN); because the real Host header is inside TLS, the sensor sees only the SNI, destination and volume, so the anomaly is unusual data volume or timing toward the CDN → NDR alert: Data Transfer Anomaly
  • OT/IoT attacks: an industrial control system communicates with a new endpoint, Modbus/SCADA protocol to an unknown destination → NDR alert: OT Protocol Anomaly
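The three flow-based detections above (SMB fan-out, beaconing, DNS tunneling) can be demonstrated on NetFlow/IPFIX-style metadata alone, without packet payloads. The following Python block is an added example written for this page; it is not the page's own code or any NDR vendor's. The Flow records, IP addresses, domain names, the 10.0.0.0/8 "internal" range and all thresholds are constructed assumptions; a real sensor would consume Zeek/Suricata logs or IPFIX exports and tune thresholds against a learned baseline.

```python
"""Toy NDR-style detectors over NetFlow/IPFIX-like flow metadata (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import statistics

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the internal address range


@dataclass(frozen=True)
class Flow:
    ts: float          # flow start, epoch seconds
    src: str           # source IP
    dst: str           # destination IP
    dport: int         # destination port
    proto: str         # "tcp" or "udp"
    qname: str = ""    # DNS query name, only set for dport 53 (metadata, not payload)


def _max_in_window(items, window, measure):
    """Slide a time window over ts-sorted flows; return the largest measure() of any window."""
    items = sorted(items, key=lambda f: f.ts)
    best, i = 0, 0
    for j, f in enumerate(items):
        while f.ts - items[i].ts > window:
            i += 1
        best = max(best, measure(items[i:j + 1]))
    return best


def detect_lateral_movement(flows, window=300, fanout=20):
    """One source opening SMB (tcp/445) to >= fanout distinct hosts within `window` seconds."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == 445:
            by_src[f.src].append(f)
    alerts = []
    for src, fl in by_src.items():
        peak = _max_in_window(fl, window, lambda w: len({f.dst for f in w}))
        if peak >= fanout:
            alerts.append((src, peak))
    return alerts


def detect_beacons(flows, min_samples=8, max_jitter=0.15):
    """Regular inter-arrival times from one host to one external peer
    (coefficient of variation of the deltas <= max_jitter)."""
    by_pair = defaultdict(list)
    for f in flows:
        if ipaddress.ip_address(f.dst) in INTERNAL:
            continue                      # beaconing of interest here is egress to the Internet
        by_pair[(f.src, f.dst)].append(f.ts)
    alerts = []
    for (src, dst), ts in by_pair.items():
        if len(ts) < min_samples:
            continue
        ts.sort()
        deltas = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(deltas)
        if mean > 0 and statistics.pstdev(deltas) / mean <= max_jitter:
            alerts.append((src, dst, round(mean, 1)))
    return alerts


def detect_dns_tunneling(flows, window=60, min_queries=500, min_label=30):
    """High DNS query rate from one host combined with long, encoded-looking labels."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == 53 and f.qname:
            by_src[f.src].append(f)
    alerts = []
    for src, fl in by_src.items():
        peak = _max_in_window(fl, window, len)
        longest = statistics.mean(max(len(l) for l in f.qname.split(".")) for f in fl)
        if peak >= min_queries and longest >= min_label:
            alerts.append((src, peak, round(longest)))
    return alerts


def constructed_flows():
    """Constructed sample traffic: the three attack patterns plus benign noise."""
    flows = []
    for i in range(50):   # lateral movement: one workstation sweeps 50 peers over SMB in 5 minutes
        flows.append(Flow(i * 6, "10.0.1.15", f"10.0.1.{100 + i}", 445, "tcp"))
    for i, dst in enumerate(["10.0.9.1", "10.0.9.2", "10.0.9.3"]):   # benign SMB to three file servers
        flows.append(Flow(i * 40, "10.0.1.20", dst, 445, "tcp"))
    for i in range(20):   # C2 beacon: HTTPS every 30 s with +-0.5 s jitter
        flows.append(Flow(30 * i + ((i % 3) - 1) * 0.5, "10.0.2.8", "203.0.113.45", 443, "tcp"))
    for t in [0, 7, 31, 95, 96, 140, 300, 301, 320]:   # benign browsing: irregular HTTPS to one site
        flows.append(Flow(t, "10.0.2.9", "198.51.100.7", 443, "tcp"))
    for i in range(1000):   # DNS tunnel: 1,000 queries/minute with 44-character encoded labels
        flows.append(Flow(i * 0.06, "10.0.3.22", "10.0.0.53", 53, "udp", f"{'a' * 40}{i:04d}.exfil.example"))
    for i in range(50):   # benign DNS: 50 short lookups spread over an hour
        flows.append(Flow(i * 72, "10.0.3.23", "10.0.0.53", 53, "udp", "www.example.com"))
    return flows


def run_all(flows=None):
    flows = constructed_flows() if flows is None else flows
    return {"lateral_movement": detect_lateral_movement(flows),
            "c2_beacon": detect_beacons(flows),
            "dns_tunneling": detect_dns_tunneling(flows)}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

Each detector works on the same fields an IPFIX export provides (timestamps, 5-tuple, and for DNS the query name as enrichment), which is why Method 3 above is enough for these cases. The beacon detector deliberately ignores internal destinations so that the chatty but legitimate DNS traffic to the internal resolver is not reported; in production the thresholds (fan-out, jitter, query rate) come from the baseline learning the page describes rather than fixed constants.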

NDR vs. IDS/IPS

Criterion            Traditional IDS/IPS              NDR
Detection            Signatures                       Signatures + ML/behavioral analysis
Zero-day             Not detected (no signature)      Anomaly detection
Lateral movement     Limited                          Core strength of NDR
False positives      High                             Lower once a baseline has been learned
Response             Blocking (IPS)                   Alert + automation

NDR Products

Vendor                              Key features
Darktrace                           AI-based, Autonomous Response, DACH support
ExtraHop Reveal(x)                  Cloud-native, strong M365/AWS integration
Vectra AI                           Hybrid cloud focus, Cognito Detect
Corelight                           Zeek-based, open-source components
Stamus Networks                     Open source (Suricata), DACH partner
Cisco Secure Network Analytics      Cisco infrastructure integration

NDR as part of an XDR strategy

Modern Extended Detection & Response (XDR) combines:

EDR (Endpoint) + NDR (Network) + SIEM (Logs) + SOAR (Response) = XDR / Open XDR Platform

Advantage: Cross-domain correlation:

  • EDR: PowerShell anomaly on workstation
  • NDR: Simultaneous SMB lateral movement
  • SIEM: AD login anomaly
  • XDR: Correlates all three → highly confident alert: "Active Intrusion"
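The correlation step in the list above can be shown concretely: group alerts from the three sensors by affected host, and raise one high-confidence incident only when all three fire inside a short window. The following Python block is an added example for this page, not code from the glossary or from any XDR product; the alert records, host names and the ten-minute window are constructed assumptions.

```python
"""Cross-domain correlation of EDR, NDR and SIEM alerts into one XDR incident (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int        # epoch seconds
    source: str    # "edr", "ndr" or "siem"
    host: str      # asset the alert is attributed to (hostname or IP)
    detail: str


REQUIRED = ("edr", "ndr", "siem")   # assumption: all three domains must agree for "Active Intrusion"


def correlate(alerts, window=600, required=REQUIRED):
    """Group alerts per host; when every required source fires within `window` seconds,
    emit one incident carrying all contributing alerts as evidence. Alerts that never
    reach that threshold stay single-source and are left for normal triage."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    incidents = []
    for host, al in by_host.items():
        al.sort(key=lambda a: a.ts)
        i = 0
        for j in range(len(al)):
            while al[j].ts - al[i].ts > window:   # drop alerts that fell out of the window
                i += 1
            cluster = al[i:j + 1]
            seen = {a.source for a in cluster}
            if set(required) <= seen:
                incidents.append({
                    "host": host,
                    "title": "Active Intrusion",
                    "sources": tuple(s for s in required if s in seen),
                    "evidence": [(a.ts, a.source, a.detail) for a in cluster],
                })
                break   # one incident per host; later alerts would be attached to it
    return incidents


def constructed_alerts():
    """Constructed sample: one host seen by all three sensors, one host with unrelated single alerts."""
    return [
        Alert(1000, "edr", "WS-042", "PowerShell anomaly: encoded command spawned by an Office process"),
        Alert(1120, "ndr", "WS-042", "SMB connections to 50 hosts in 5 minutes"),
        Alert(1300, "siem", "WS-042", "AD logon anomaly: burst of failed logons followed by success"),
        Alert(2000, "edr", "WS-077", "Suspicious script block logged"),
        Alert(5000, "siem", "WS-077", "AD logon at unusual hour"),   # 50 minutes later, no NDR signal
    ]


if __name__ == "__main__":
    for inc in correlate(constructed_alerts()):
        print(inc["host"], inc["title"], inc["sources"])
        for ts, src, detail in inc["evidence"]:
            print(f"  {ts} {src:4} {detail}")
```

The join key is the host, which presumes every source reports the same asset identifier (hostname versus IP must be normalised first, typically via the CMDB or DHCP logs); getting that mapping wrong is the most common reason cross-domain correlation silently produces nothing.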

For most German SMEs that run their own SOC, NDR is the logical next step once EDR and SIEM are in place.