Network Detection and Response (NDR)

How does Network Detection and Response Work? 

NDR的工作方式是将一组安全专业人员聚集在一起，输入要监控的流程, detect, 并响应可能对网络和业务的完整性产生负面影响的警报. Let's look more closely at those processes: 

Detecting Suspicious and Potentially Malicious Activity 

这个过程最重要的方面之一是能够访问有关用户活动的实时信息, application activity, and web activity. Additionally, 网络数据应该易于搜索，以便分析人员能够根据可疑活动加快对警报的调查. 能够构建自定义警报以及访问一个库也很重要 attacker behavior analytics (ABA) 所以这个过程是从大量关于过去可疑活动的信息开始的.

Modeling Baseline Network Behavior 

建立一个通常网络行为和动作的基线是非常重要的，这样自动化系统才能知道什么是正常的，什么是可疑的. For example, user-behavior analytics (UBA) 是否有助于您的团队快速确定潜在威胁是外部攻击者冒充员工还是呈现某种风险的员工, whether through negligence or malice. UBAs将网络上的活动连接到特定的用户，而不是IP地址或资产. 然后将该活动与该用户的正常事件活动基线进行比较.

Detecting Cyber Incidents

NDR解决方案应该能够在检测到事件时采取自动操作. From quarantine, to connection termination, 执行一系列由安全运营中心(SOC)分析师开发的预定义操作, 如今，如果网络边界被攻破，应该有可能迅速拿下攻击者, whether on-prem or in the cloud. 在此过程中采取的行动将包括对事件进行深入分析, reverse-engineering attack methodology like malware, creating intrusion reports.

Creating Threat Feeds 

A threat-intelligence (TI)馈送应该是一个连续的数据流，可以通知自动威胁优先级和修复工作. TI提要应该帮助安全组织弥补其可能缺乏某些威胁的上下文. 威胁提要有多种形式，从开源社区驱动的列表到付费的私人提要. The effectiveness of these feeds strongly depends on a number of factors:

• Intel type (hash, IP, domain, contextual, strategic)
• Implementation 
• Indicator age
• Intelligence source

Contextual intelligence feeds provide analysts not only with indicators of compromise (IOCs) 而且还详细解释了攻击者使用的基础设施和工具. 包含上下文信息的提要对于成功检测威胁要有效得多. 

What are the Benefits of Network Detection and Response? 

The benefits of NDR are vast. There is no limit to the amount of protection, detection, 密切监视网络中的恶意活动并制定快速响应可以带来总体好处——以下是其中的一些好处:

• High-fidelity alerts: Alerts should include plenty of context so you can make better decisions, remediate the problem, mitigate risk, and quickly contain the alert. 
• Behavior-based detections启用高保真网络数据的攻击检测，帮助识别新的攻击者技术的新变化. 
• Ever-evolving detections: Quality alerts should usually detail known, recent adversary groups using similar techniques in confirmed attacks. This way, 一切都是最新的，团队可以确信他们的检测技术是不断发展的.  
• Context: Indicators of attack should surface on the visual timeline of a detection and response (D&R) solution, along with unusual behaviors. 这种组合使您的团队更容易进行调查，并对调查结果充满信心.

What are the Limitations of Network Detection and Response? 

NDR is a must-have, 但是现代攻击者的方法已经超越了网络——你的安全范围也应该如此. NDR is great at examining network logs, 但它不包括端点警报和事件，也不扩展到云.

因此，NDR产品通常不用作独立解决方案. 相反，它们是一套解决方案的一部分，为真实提供全面的覆盖 extended detection and response (XDR). This includes:

User-endpoint Telemetry

User telemetry provides insights on file and network access, registry access or manipulation, memory management, and start-and-stop activity. Unusual behavior detected can include processes that spawn command shells, memory injection attempts, or accessing unusual file locations.

Server-endpoint Telemetry

Server telemetry provides information on extremely differentiated data. Since servers handle so much crucial organizational functionality, XDR遥测技术可以在更宏观的层面上帮助确定事件调查和补救的优先级.

Network Telemetry 

Network telemetry provides insights on traffic, particularly a sudden increase in volume, new network protocols, or anomalous privilege escalations. 高级加密方法通常会阻碍更深入的网络分析，否则可能会阻止威胁行为者. Combined with endpoint telemetry however, network traffic analysis can be a cornerstone of an XDR offense.

Cloud Telemetry

Cloud telemetry provides insights on infrastructure. 这可以包括检测任何云工作负载或部署组件的安全异常. 专门针对组织云的攻击者可以通过适当的凭据轻松获得访问权限, 因此，利用XDR的先进检测技术来更快地寻找威胁并加强云环境是非常重要的.

Accelerated Defense-in-depth

By incorporating attacker behavior analytics as a threat-detection methodology, 团队可以快速开发针对新出现的攻击者行为的新规则，并在发现新技术或新趋势的几分钟内推出检测. uba擅长识别攻击链“横向移动”阶段的漏洞. aba支持在攻击生命周期的所有其他阶段检测攻击者活动.

Gartner, Market Guide for Network Detection and Response, Jeremy D’Hoinne, Nat Smith, Thomas Lintemuth, 14 December 2022.