Why Network Detection and Response is Critical to Cyberattack Forensics

Network Detection and Response (NDR) can help enterprises discover and analyze sophisticated cyberattacks with much greater accuracy than through standard forensic tools offered by security vendors, says Brian Dye, CEO of Corelight.

Last Updated: February 11, 2021


At a very high level, the three major defensive response stages to the Sunburst hack reflect the traditional response to many advanced campaigns: initial discovery, deployment of detection capabilities, and a long tail of forensic work within each organization. We have great capabilities as an industry to deploy detection capabilities once an attack is understood, but the initial discovery and following forensics work are much less developed. This need is directly driving the rise of Network Detection and Response (NDR) as a category.

The largest and most sophisticated defensive organizations have the staff and technical ability to self-engineer their own analytics and to customize toolsets. They were the first to staff threat hunting teams to find what commercially available detection tools missed. They were the first (along with security vendors) to bring data scientists into the Security Operations Center (SOC). 

All of these investments in people and technology are to develop their capabilities to discover advanced campaigns, conduct forensic analysis of initial incursions and the scope of the attacks, and confirm successful containment and removal of actors. For most of them, a critical tool in their arsenal is Zeek – the foundation of what many are calling NDR today.

Why Zeek and why NDR? At the core is a simple insight: you need the right data to fuel the quest for both initial discovery and forensics, and that data is the opposite of what the majority of the security industry delivers today. Most of our industry focus is on finding an indicator of compromise, some clue that we can go investigate. These are delivered largely by security vendors who look at data across organizations and distill insights. But for advanced attacks, looking across organizations actually hides the needle in the haystack. Defenders need *their* data to allow them to drive anomaly detection efforts in the context of their own network: a flight data recorder for the network which is compact, well structured, and fit for purpose.


While none of the major data sources (network for breadth, the endpoint for depth and system logs for operational insight) are perfect, the network has the unique advantage of being truly reliable. Attackers are constrained by the protocols themselves, so cannot “hide” from the network (even encrypted communications leave signals that threat hunters and analysts can mine). After combining this structural advantage with an open-source heritage, the result is Zeek: the foundation of choice for NDR among the world’s elite.

Aside from enabling discovery of the attack, NDR is uniquely useful for the last major stage: forensics. Especially as sophisticated attacks have well-built endpoint evasion approaches, the network in many cases allows a proper investigation into the past. When did the attacker enter? Have our containment and remediation efforts worked? Most importantly, can we prove it? This last point is critical, as when the adrenaline-fueled response period ends, the long burn of defensible disclosure begins. While analysts are still engaged, the supporting staff shifts from IT to attorneys … and the real spending often begins. Having a view into the present and the past – not with days as PCAP (Packet Capture) provides but truly spanning years – is where the right data makes all the difference. 
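As an added illustration (not code from the article, from Corelight, or from the Zeek project) of the forensic questions above, here is a small Python reader for Zeek's conn.log that answers "when did the attacker enter?", "which hosts were in scope?" and "did containment hold?" over a constructed four-record excerpt; the 10.0.0.x workstations and the 203.0.113.7 responder address are placeholders.

```python
from datetime import datetime, timezone

# Constructed Zeek conn.log excerpt (Zeek's TSV format with its # header lines);
# it is not from the article. 10.0.0.x are assumed internal workstations and
# 203.0.113.7 is a placeholder address standing in for a suspected C2 server.
CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1607990400.123\tCAbc1\t10.0.0.5\t51000\t203.0.113.7\t443\ttcp\tssl\t1.2\t400\t900\tSF
1608076800.500\tCAbc2\t10.0.0.5\t51002\t203.0.113.7\t443\ttcp\tssl\t1.1\t410\t910\tSF
1608163200.900\tCAbc3\t10.0.0.9\t51003\t203.0.113.7\t443\ttcp\tssl\t1.3\t420\t920\tSF
1608249600.000\tCAbc4\t10.0.0.5\t51004\t203.0.113.7\t443\ttcp\tssl\t0.9\t380\t890\tSF
#close\t2020-12-18-00-00-00
"""

def parse_conn_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other Zeek metadata lines and blanks carry no records
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def contacts_with(records, resp_h):
    """All connections whose responder is the suspected C2 address."""
    return [r for r in records if r["id.resp_h"] == resp_h]

def first_contact(records, resp_h):
    """When did the attacker enter? Earliest connection to resp_h and who made it."""
    hits = contacts_with(records, resp_h)
    if not hits:
        return None
    r = min(hits, key=lambda rec: float(rec["ts"]))
    return datetime.fromtimestamp(float(r["ts"]), tz=timezone.utc), r["id.orig_h"]

def affected_hosts(records, resp_h):
    """Scope of the incident: every internal host that reached resp_h."""
    return sorted({r["id.orig_h"] for r in contacts_with(records, resp_h)})

def contacts_after(records, resp_h, containment_ts):
    """Did containment work? Any connection to resp_h after the containment epoch time."""
    return [r for r in contacts_with(records, resp_h) if float(r["ts"]) > containment_ts]

if __name__ == "__main__":
    recs = list(parse_conn_log(CONN_LOG))
    print("first contact:", first_contact(recs, "203.0.113.7"))
    print("affected hosts:", affected_hosts(recs, "203.0.113.7"))
    print("after containment:", len(contacts_after(recs, "203.0.113.7", 1608163200.0)))
```

The same three functions run unchanged over years of rotated conn.log files, which is the long-horizon view the article contrasts with days of PCAP.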


So the pendulum of innovation continues to swing, and the constructive balance between the three major SOC tools (EDR, NDR and SIEM) evolves. All are critical for their own strengths but together make a compelling defensive toolkit. The critical driver is having the right data for initial discovery and post-detection forensics. That data set of choice is Zeek, the foundation of what many are calling NDR today. If you haven’t investigated the category yet, it just might be your best next move.


Brian Dye

Chief Executive Officer, Corelight

Brian is a veteran of the security industry, with a breadth of leadership experience across both scaled and newly developed product lines ranging from infrastructure security, information security, cloud security services, and security management. He joined Corelight from McAfee, where he was executive vice president of the Corporate Products Group, leading their global corporate security product portfolio. Prior to that, he led the Mobile Platforms group at Citrix and spent more than a decade at Symantec Corporation, culminating as senior vice president of the Information Security Group. Brian holds a bachelor’s degree in chemical engineering from the Massachusetts Institute of Technology and an MBA from the Stanford Graduate School of Business.