Network Detection and Response (NDR)
What is Network Detection and Response (NDR)?
Network Detection and Response (NDR) is a security solution category that continuously monitors network traffic — both east-west (internal) and north-south (perimeter) — using behavioral analytics, machine learning, and threat intelligence to detect attacker activity that bypasses endpoint and perimeter controls. NDR complements endpoint detection and response (EDR) by covering network-layer activity: lateral movement between systems, command and control (C2) beaconing, data staging and exfiltration, and credential-based attacks that produce no malware footprint for endpoint tools to detect. Together, EDR and NDR form the 'detection coverage floor' of a modern SOC.
Description
NDR operates by analyzing network metadata and, where available, full packet capture — rather than relying on known-bad signatures. This behavioral approach enables detection of novel attacker techniques, encrypted C2 traffic, and low-and-slow lateral movement that would not match any signature-based rule. Key NDR detection capabilities include: anomaly-based detection of beaconing patterns (regular, automated connections at defined intervals characteristic of C2 check-ins); detection of internal reconnaissance (port scanning, SMB share enumeration, LDAP queries at unusual volumes); credential-based lateral movement detection (Kerberos ticket anomalies, Pass-the-Hash patterns, SMB/WMI remoting from atypical sources); and data exfiltration detection (large volumes of data moving to external destinations, DNS tunneling, protocol anomalies). The AI/ML component of NDR is particularly important for detecting behavioral anomalies: encrypted C2 traffic to legitimate-looking cloud domains cannot be inspected at the payload level, but its timing, frequency, and volume patterns often deviate from legitimate application traffic in ways that ML models can identify. NDR also provides forensic value: full packet capture enables retrospective investigation of incidents, answering questions about attacker activity before an alert fired.
Usage and Examples
A red team operates inside a target environment for six days, establishing C2 over HTTPS to a domain registered 18 months prior with a clean reputation. The SIEM generates no alerts. The EDR generates no alerts (no malware deployed). The NDR, however, detects a beaconing pattern from a specific workstation — HTTPS connections to the C2 domain every 4-6 minutes with jitter, consistent with automated check-in behavior rather than human browsing. An analyst investigates, confirms the anomaly, and triggers incident response. This scenario illustrates NDR's detection capability in the lateral movement and C2 phases that EDR-only coverage misses. In real-world deployments, NDR is especially valuable in detecting insider threat activity: bulk data staging and exfiltration produces distinctive network flow patterns regardless of whether endpoint tools are present on the exfiltrating device.
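As an added illustration of the beacon-timing detection described in the scenario above (example code written for this page, not taken from the original or from any NDR product), the following Python groups connections by source and destination and flags pairs whose inter-arrival gaps are machine-regular. The connection log, IP addresses, hostnames and intervals are all constructed; the 0.3 coefficient-of-variation threshold and the 8-event minimum are assumed tuning values, not vendor defaults.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real traffic): a C2-style beacon checking in every
# 4-6 minutes with jitter, and a user browsing a news site at irregular intervals.
BEACON_GAPS = [252, 341, 298, 311, 267, 355, 243, 322, 289, 304, 338, 261, 347, 276, 315]
BROWSING_GAPS = [4, 1320, 11, 2, 2740, 65, 9, 5100, 3, 180, 22, 900, 7, 3, 4000]

def build_sample_log():
    """Emit one 'ISO-timestamp src_ip dst_host' line per connection (constructed)."""
    lines = []
    for src, dst, gaps in (("10.0.0.25", "cdn-update.example.net", BEACON_GAPS),
                           ("10.0.0.7", "news.example.com", BROWSING_GAPS)):
        t = datetime(2024, 5, 1, 8, 0, 0)
        lines.append(f"{t.isoformat()} {src} {dst}")
        for g in gaps:
            t += timedelta(seconds=g)
            lines.append(f"{t.isoformat()} {src} {dst}")
    return lines

def parse_conn_log(lines):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def gap_stats(times, min_events=8):
    """Mean inter-arrival gap (seconds) and its coefficient of variation, or None
    when there are too few connections to judge periodicity."""
    if len(times) < min_events:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    # Low CV = gaps cluster tightly around the mean = automated check-in timing.
    return mean, statistics.pstdev(gaps) / mean

def find_beacons(lines, max_cv=0.3, min_events=8):
    """Return (src, dst, events, mean_gap_s, cv) for pairs whose timing looks automated."""
    hits = []
    for (src, dst), times in parse_conn_log(lines).items():
        stats = gap_stats(times, min_events)
        if stats and stats[1] <= max_cv:
            hits.append((src, dst, len(times), round(stats[0]), round(stats[1], 3)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print("possible beacon:", hit)
```

Human browsing produces wildly varying gaps (CV well above 1 here), while the jittered beacon stays near CV 0.1, which is why timing analysis works even when the HTTPS payload cannot be inspected.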
How Does This Relate to Penetration Testing?
NDR detection effectiveness is directly validated by red team engagements that include network-layer attack simulation. Red team operators generate realistic C2 traffic, lateral movement patterns, and exfiltration activity that NDR should detect — measuring mean time to detection and the completeness of NDR coverage across the attack lifecycle. Findings from these exercises tell the SOC team specifically which network behaviors evaded NDR and which detection rules need tuning. Purple teaming sessions focused on network-layer techniques provide a collaborative framework for improving NDR coverage based on the specific attacker TTPs most relevant to the organization's threat model. Evolve Security's Red Team engagements test your NDR's detection coverage against realistic network-layer attack techniques — validating whether your network monitoring would detect the threats that endpoint tools miss.