
Network Detection and Response (NDR): Threat Detection in the Network

Network Detection and Response (NDR) analyzes network traffic using machine learning, behavioral analysis, and threat intelligence to detect threats that bypass endpoint solutions. NDR solutions (Darktrace, ExtraHop, Vectra AI, Cisco Secure Network Analytics) detect command-and-control traffic, lateral movement, data exfiltration, and encrypted malware. They integrate with XDR platforms and SOC workflows.


Network Detection and Response (NDR) is a security category that analyzes network traffic in real time to detect attacks that bypass endpoint protection solutions. While EDR (Endpoint Detection and Response) monitors individual computers, NDR monitors all network traffic—thereby detecting attack patterns that do not require malware on endpoints (living-off-the-land, pass-the-hash, lateral movement via legitimate protocols).

Why NDR alongside EDR?

Detection gaps in endpoint solutions:

  Attacker technique:          Does EDR detect?   Does NDR detect?
  ─────────────────────────────────────────────────────────────────
  Malware on endpoints         ✓ yes              ○ indirectly
  Fileless malware (LOL)       ○ sometimes        ✓ via network
  Pass-the-hash (no malware)   ✗ rarely           ✓ NTLM patterns
  Lateral movement (WMI)       ○ sometimes        ✓ protocol analysis
  C2 over HTTPS                ✗ difficult        ✓ JA3 fingerprint, timing
  DNS tunneling                ✗ rarely           ✓ DNS traffic analysis
  Data exfiltration            ○ sometimes        ✓ volume + destination
  Compromised IoT device       ✗ no agent         ✓ network behavior
  BYOD without EDR             ✗ no agent         ✓ network behavior
  Insider threat               ✗ difficult        ✓ behavioral baseline

  → NDR covers blind spots that EDR structurally cannot see
  → Optimal: EDR + NDR + SIEM (XDR approach)

NDR Architecture and Data Sources

NDR Deployment Architecture:

Data Sources:

  1. Raw Packet Capture (PCAP):
     → Complete packet analysis including payload
     → Highest detection depth
     → High storage requirements (usually only the last 24–48 hours)
     → Ideal scenario: Taps on core switches and internet gateways

  2. NetFlow/IPFIX/sFlow:
     → Metadata only (IP, port, bytes, packets, timestamp)
     → No payload → More privacy-friendly
     → Scales to very large networks
     → Sources: Switches/routers (Cisco, Juniper), cloud (AWS VPC Flow Logs)

  3. Network sensor/SPAN port:
     → Copy of network traffic sent to sensor
     → Passive (no impact on network)
     → Sensor analyzes traffic and correlates

  Deployment points:
    ┌─────────────────────────────────────────┐
    │  Internet ── Firewall ── [NDR Sensor] ─┤ North-South Traffic
    │                                         │
    │  [NDR Sensor] ── Core Switch ──────────┤ East-West Traffic (LM!)
    │                          │              │
    │                   Server | Endpoints    │
    └─────────────────────────────────────────┘
  → East-West traffic (internal) is often more important than North-South!
  → Lateral movement occurs internally → blind without an internal sensor!

Detection Methods

Detection Engine Types:

1. Signature-based detection:
   → Known malware network patterns (Suricata IDS rules, Snort rules)
   → C2 IP/domain lists (Threat Intelligence Feeds)
   → Malware-specific payload patterns
   → Low false-positive rate, but blind to unknown threats

2. Machine learning and behavioral analysis:
   → Baseline: learn normal behavior (14–30 days)
   → Anomaly detection: what deviates from the norm?

   Examples:
   a) Beaconing detection:
      → C2 malware sends regular check-ins
      → Analysis: regular connections to the same IP/domain?
      → Detect periodicity (e.g., every 3600 seconds ± jitter)

   b) DNS tunneling:
      → Legitimate DNS queries: short, to known domains
      → DNS tunnel: very long subdomain names, unknown TLDs
      → NDR: Statistics on DNS label length, entropy, query rate

   c) Lateral Movement:
      → Unusual SMB/WMI connections between workstations
      → Normal behavior: Workstation → Server, not Workstation → Workstation
      → NDR: New connection pairs, unusual times of day

3. JA3/JA3S TLS Fingerprinting:
   → TLS handshake contains Client-Hello (cipher suites, extensions)
   → MD5 hash of these fields (version, cipher suites, extensions, curves, point formats) = JA3 fingerprint
   → Malware families have characteristic JA3 fingerprints
   → Cobalt Strike Beacon: specific JA3 hash known
   → Detection even if traffic is encrypted!

4. JARM (Active TLS Fingerprinting):
   → Server responds to TLS probes in a characteristic manner
   → C2 servers have specific JARM fingerprints (Metasploit, Cobalt Strike)
   → NDR can block known C2 framework fingerprints

Specific Threat Scenarios

NDR Detection in Practice:

Scenario 1 - Cobalt Strike C2:

  Attacker: Cobalt Strike Beacon on compromised workstation
  Traffic:   HTTPS to 185.x.x.x (external IP)
  EDR:       May not detect the beacon (LOL techniques, reflective DLL)

  NDR detects:
  → JA3 fingerprint of the beacon (known from threat intelligence)
  → Beaconing behavior: HTTPS connection every 60s ± 30s jitter
  → Destination IP not in whitelist, geolocation suspicious
  → Volume: low but consistent (typical for C2)

  Alert: "Possible C2 Beaconing from Workstation-1 to 185.x.x.x"
  Confidence: High (JA3 + Timing Pattern + Threat Intel)
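
Added example (not part of the original article) implementing the periodicity check from Scenario 1 and from the beaconing item under machine learning: it groups flow records per destination and flags pairs whose inter-arrival times stay within ±50 % of the median interval. The flow records, IP addresses and timestamps are constructed.

```python
from collections import defaultdict
from statistics import median

def beacon_candidates(flows, min_conns=8, tolerance=0.5, min_regular=0.8):
    """Score the regularity of connection intervals per (src, dst, dst_port).

    flows: iterable of (epoch_seconds, src_ip, dst_ip, dst_port).
    A pair is flagged when it has at least min_conns connections and at least
    min_regular of its inter-arrival times lie within ±tolerance*median of
    the median interval (the "60 s ± 30 s" pattern of Scenario 1).
    Returns {(src, dst, port): (median_interval_s, regular_fraction)}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue                              # too few samples to claim periodicity
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        m = median(deltas)
        if m <= 0:
            continue                              # a burst inside one second is not a beacon
        regular = sum(abs(d - m) <= tolerance * m for d in deltas) / len(deltas)
        if regular >= min_regular:
            flagged[pair] = (m, round(regular, 2))
    return flagged

def beacon_alerts(flows):
    """Render flagged pairs as NDR-style alert strings."""
    return [f"Possible C2 Beaconing from {src} to {dst}:{port} (period ~{m:.0f}s, {r:.0%} regular)"
            for (src, dst, port), (m, r) in beacon_candidates(flows).items()]

# Constructed flow records (not captured traffic); external addresses are RFC 5737 test ranges.
BASE = 1_700_000_000
JITTER = [0, 7, -4, 9, -6, 3, -8, 5, -2, 1]      # bounded jitter around a 60 s period
FLOWS = [(BASE + 60 * i + JITTER[i % 10], "10.0.1.15", "203.0.113.7", 443) for i in range(30)]
# Ordinary browsing: bursts at irregular times to one site, so the intervals never settle.
FLOWS += [(BASE + t, "10.0.1.15", "203.0.113.80", 443)
          for t in (5, 9, 130, 131, 132, 700, 1500, 1503, 2200, 2201, 2202, 4000)]
# Three connections: below the sample threshold, so never scored.
FLOWS += [(BASE + t, "10.0.1.16", "203.0.113.7", 443) for t in (10, 70, 130)]
```

In production the same score is combined with the JA3 match and destination reputation shown in the scenario; on its own, periodic traffic also matches legitimate update checks and monitoring agents.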

Scenario 2 - Lateral Movement via Pass-the-Hash:

  Attacker has hash of a domain admin (Mimikatz)
  Connections: Workstation-1 → 10.0.0.x/24 via SMB/WMI
  EDR on Workstation-1: Mimikatz ran filelessly (reflective load)

  NDR detects:
  → Workstation-1 connects to 47 hosts in 10 minutes (Port 445/SMB)
  → New connection pairs: WS-1→WS-2, WS-1→WS-3 (unusual!)
  → NTLM authentications from one host to many → suspicious

  Alert: "Lateral Movement - SMB Scanning from Workstation-1"
  Confidence: High (volume + new connections + NTLM pattern)
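
Added example (not part of the original article) for the two checks named in Scenario 2 and in the lateral-movement item under machine learning: connection pairs never seen in the learning-phase baseline, and one source fanning out to many hosts on SMB/WMI ports within a sliding window. The baseline, flows and addresses are constructed, and the port-to-protocol mapping is an assumption of the example.

```python
from collections import defaultdict

# Ports that carry Windows lateral movement (assumed mapping for this example).
LATERAL_PORTS = {445: "SMB", 135: "RPC/WMI", 5985: "WinRM"}

def detect_lateral_movement(flows, baseline_pairs, window_s=600, fanout_threshold=20):
    """Apply the two Scenario 2 checks to flows on lateral-movement ports.

    flows: iterable of (epoch_seconds, src_ip, dst_ip, dst_port).
    baseline_pairs: set of (src, dst, port) observed during the learning phase.
    Returns (alerts, new_pairs): one alert per source that reaches at least
    fanout_threshold distinct hosts inside any window_s window, plus every
    never-seen pair (new pairs alone are a weaker signal and only get reported).
    """
    new_pairs = set()
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port not in LATERAL_PORTS:
            continue
        if (src, dst, port) not in baseline_pairs:
            new_pairs.add((src, dst, port))
        per_src[src].append((ts, dst))
    alerts = []
    for src, items in per_src.items():
        items.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(items):
            while ts - items[start][0] > window_s:   # slide the window start forward
                start += 1
            peak = max(peak, len({d for _, d in items[start:end + 1]}))
        if peak >= fanout_threshold:
            alerts.append({"src": src, "fanout": peak,
                           "new_pairs": sum(1 for p in new_pairs if p[0] == src),
                           "message": f"Lateral Movement - SMB/WMI scanning from {src}"})
    return alerts, new_pairs

# Constructed data (not captured traffic): a learning-phase baseline of normal
# workstation-to-server pairs, then one workstation reaching 47 hosts on port 445 within ten minutes.
BASE = 1_700_000_000
BASELINE_PAIRS = {("10.0.1.15", "10.0.0.5", 445), ("10.0.1.15", "10.0.0.10", 445),
                  ("10.0.1.16", "10.0.0.5", 445)}
FLOWS = [(BASE + 12 * i, "10.0.1.15", f"10.0.0.{i}", 445) for i in range(1, 48)]
FLOWS += [(BASE + 300, "10.0.1.16", "10.0.0.5", 445),     # normal file-server access
          (BASE + 400, "10.0.1.16", "10.0.0.80", 443)]    # HTTPS, not a lateral-movement port
```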

Scenario 3 - DNS Exfiltration:

  Attacker uses DNS tunnel for data exfiltration:
  Traffic: DNS queries for very long subdomains
  e.g.: dGhpcyBpcyBzZW5zaXRpdmUgZGF0YQ.exfil.attacker.com

  NDR detects:
  → DNS label length far above average (>50 characters)
  → High entropy of subdomains (Base64-encoded content)
  → Unknown domain (not in DNS whitelist)
  → Query rate: 1 query/second (atypical for normal DNS usage)

  Alert: "Possible DNS Tunneling from 10.0.1.15 to exfil.attacker.com"
  Confidence: High
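
Added example (not part of the original article) that scores DNS query logs against the four indicators of Scenario 3 and of the DNS-tunneling item under machine learning: label length, label entropy, an allowlist of known domains, and query rate. The query log is constructed; exfil.attacker.com is the domain used in the scenario, and the registered-domain helper is a deliberate simplification.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character; encoded payload scores far above ordinary hostnames."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values()) if text else 0.0

def registered_domain(qname):
    """Simplification: the last two labels (production code would use the Public Suffix List)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_dns(queries, allowlist, max_label=50, min_entropy=3.5, max_rate=0.5):
    """Group (epoch_seconds, client_ip, qname) queries per client and registered domain,
    test the Scenario 3 indicators, and return {(client, domain): [reasons]} for
    non-allowlisted domains that trip at least two of them."""
    groups = defaultdict(list)
    for ts, client, qname in queries:
        groups[(client, registered_domain(qname))].append((ts, qname))
    flagged = {}
    for (client, domain), items in groups.items():
        if domain in allowlist:
            continue
        labels = [q.split(".")[0] for _, q in items]    # leftmost label carries the payload
        stamps = sorted(ts for ts, _ in items)
        rate = len(stamps) / max(stamps[-1] - stamps[0], 1)
        reasons = []
        if max(map(len, labels)) > max_label:
            reasons.append(f"label length > {max_label}")
        if sum(map(shannon_entropy, labels)) / len(labels) > min_entropy:
            reasons.append("high label entropy")
        if rate > max_rate:
            reasons.append(f"query rate {rate:.1f}/s")
        if len(reasons) >= 2:
            flagged[(client, domain)] = reasons
    return flagged

# Constructed queries (not a real log). SHA-256 digests stand in for encrypted exfil
# chunks; base32 keeps each label hostname-safe.
BASE = 1_700_000_000
ALLOWLIST = {"example.com"}
def _chunk(i):
    return base64.b32encode(hashlib.sha256(b"chunk%d" % i).digest()).decode().rstrip("=").lower()
QUERIES = [(BASE + i, "10.0.1.15", f"{_chunk(i)}.exfil.attacker.com") for i in range(30)]
QUERIES += [(BASE + t, "10.0.1.15", q) for t, q in
            ((3, "www.example.com"), (40, "mail.example.com"), (300, "cdn.example.net"),
             (900, "www.example.com"), (1200, "cdn.example.net"))]
```

Requiring two indicators keeps a single long but legitimate label (CDN hostnames, DKIM records) from firing on its own; the thresholds are starting points to tune against the baseline.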

Scenario 4 - Compromised IoT Device:

  Camera on the network sends traffic to an external IP
  No EDR available on IoT devices

  NDR detects:
  → Camera connects to 1.2.3.4 (not a legitimate cloud service)
  → Volume: 50 MB/h upload (unusual for an internal camera)
  → Port 4444 (known Metasploit default port)

  Alert: "IoT Device Anomalous Outbound - Possible Backdoor"

NDR Solutions Compared

Market Overview of NDR Solutions (2024):

Enterprise Solutions:
  Darktrace:
  → AI approach ("Self-Learning AI," actively combats attacks)
  → Autonomous Response (RESPOND): automatically blocks
  → Strengths: anomaly detection, cloud version
  → Weaknesses: high false positive rate initially, expensive

  ExtraHop Reveal(x):
  → L7 protocol analysis (decoding of 70+ protocols)
  → Strong combination of NDR and packet analytics
  → Good for east-west traffic analysis in the data center

  Vectra AI (Cognito):
  → AI-focused approach, AWS/Azure cloud support
  → Integration with Microsoft Defender, CrowdStrike
  → Strengths: few false positives, good prioritization

  Cisco Secure Network Analytics (Stealthwatch):
  → NetFlow-based, scales to very large networks
  → Good for ISP environments and multi-location
  → Native integration into Cisco infrastructure

Open-source / SMB solutions:
  Zeek (formerly Bro):
  → Framework for network analysis (no out-of-the-box GUI)
  → Basis for many commercial solutions
  → Script-based detection framework
  → Free, very flexible, high operational overhead

  Suricata + Elastic Stack:
  → IDS/IPS + SIEM combination
  → Elasticsearch, Kibana for visualization
  → Good for technical teams with resources

  SELKS (Stamus Networks):
  → Suricata + Elastic + Kibana preconfigured
  → Community edition free
  → Quick start for smaller teams

NDR in XDR platforms

NDR as part of XDR (Extended Detection and Response):

XDR = EDR + NDR + Cloud Security + Email Security + Identity

Microsoft Sentinel (SIEM) + Microsoft Defender for Network (NDR):

  • Traffic analytics from Azure VPC Flows
  • Network Watcher for Azure resources
  • Integration with Defender for Endpoint (correlation)

CrowdStrike Falcon + Falcon LogScale (NDR):

  • Falcon Network Detection: NDR component
  • Correlation: Endpoint + Network → better attack chain

Palo Alto Networks Cortex XDR:

  • Network Threat Intelligence + EDR
  • Network sensors (physical and virtual)

NDR → SOAR Automation:

Alert: "Beaconing from Workstation-47" → SOAR playbook:

  1. EDR: Isolate Workstation-47 (automatically!)
  2. Create ticket (Jira/ServiceNow)
  3. Analyst alert (PagerDuty)
  4. Network: Block IP in firewall
  5. Enrichment: Reputation lookup for C2 IP
  6. Timeline: all other connections from WS-47 over the last 7 days

Implementation Roadmap

NDR Implementation, Step by Step:

Phase 1 (Weeks 1–2): Baseline
  □ Deploy sensor (SPAN port on core switch)
  □ Enable NetFlow from firewall/router
  □ Learning phase: Record normal traffic for 14–30 days
  □ Categorize initial alerts (FP vs. TP)

Phase 2 (Weeks 3–4): Tuning
  □ Identify and exclude false positives
  □ Whitelists: known legitimate services, update servers
  □ Threshold adjustment: When is an alert triggered?
  □ Define first responders: who handles NDR alerts?

Phase 3 (Weeks 5–8): Integration
  □ NDR → SIEM (forward alerts, correlation)
  □ Integrate threat intelligence feeds (MISP, commercial TI)
  □ NDR → SOAR (automated response actions)
  □ Runbooks/playbooks for common alert types

Phase 4: Ongoing
  □ Weekly alert review
  □ Threat hunting: actively search through NDR data
  □ Coverage review: are new network segments covered?
  □ Quarterly NDR health check (false positive rate, alert volume)


About the Author

Chris Wojzechowski

Managing Partner

Managing Partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the Master's program in Internet Security at the Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments on cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.

10 publications
  • Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
  • Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
  • IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
  • Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
  • Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
  • Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
  • Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
  • IT Security Zertifizierungen — CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
  • Sicherheitsforum Online-Banking — Live Hacking (2021)
  • Nipster im Netz und das Ende der Kreidezeit (2017)
Certifications: IT-Grundschutz-Praktiker (TÜV), IT Risk Manager (DGI), § 8a BSIG Prüfverfahrenskompetenz, Ausbilderprüfung (IHK)
This article was last edited on 04.03.2026. Responsible: Chris Wojzechowski, Managing Partner at AWARE7 GmbH. License: CC BY 4.0 - free use with attribution: "AWARE7 GmbH, https://a7.de"
