In today’s cybersecurity landscape, security operations teams are inundated with telemetry data, yet they often struggle to answer fundamental questions during incident investigations: What transpired? What evidence supports this? Are we seeing the complete picture in context?
Addressing these queries necessitates moving beyond mere alerts, which typically serve as the starting point for initial triage. Effective investigations demand defensible evidence rather than assumptions, as alerts often provide limited context.
The rapid acceleration of vulnerability discovery, termed the ‘Mythos Era,’ has rendered alerts less effective. Organizations find it challenging to manage the sheer volume of new findings using existing workflows. Even with enhanced automation, security operations teams require validated evidence of active exploits and exposures, not just raw telemetry.
As artificial intelligence accelerates both offensive and defensive cyber activities, it’s imperative for security teams to establish frameworks that allow for the validation of findings, comprehension of attacker behaviors, and the interception of suspicious traffic before it culminates in a breach.
Richard Bejtlich’s publication, ‘NDR Essentials: A Practical Guide to Network Detection and Response,’ developed in collaboration with Corelight, delves into how Network Detection and Response (NDR) assists practitioners in navigating the complexities of modern networking. This complimentary guide serves as both an introduction to NDR and a practical resource for teams aiming to bolster threat hunting and AI-assisted investigations.
The Case for Network Interdiction
Many security programs predominantly emphasize prevention. However, Bejtlich contends that organizations cannot solely focus on preemptive measures. Effective security requires attention and control throughout the entire attack sequence.
If preventive controls were infallible, issues like stolen credentials, malware infiltration, and unauthorized data exfiltration would be nonexistent. Yet, such incidents are commonplace.
Therefore, Bejtlich advocates for a focus on interdiction: the identification and disruption of malicious activities before attackers achieve their objectives. Successful defense hinges on an organization’s ability to isolate and contain threats after initial compromise but prior to a full-scale breach. Interdiction shifts the emphasis from passive blocklists to active threat disruption within the network perimeter, facilitating vulnerability mitigation and threat containment to halt attacks before adversaries accomplish their missions.
The guide elucidates how NDR supports interdiction by offering visibility into network traffic. Four primary sources of network evidence are highlighted:
- Full packet captures
- Extracted files
- Transaction logs
- Alerts and detections
Modern NDR transcends passive defense mechanisms by enabling active intervention. It equips security teams with the situational awareness and context necessary to prevent attack propagation and preserve high-fidelity network evidence.
Threat Hunting Begins with a Hypothesis
A particularly insightful chapter in Bejtlich’s guide addresses the evolution of threat hunting to counteract contemporary attacker techniques that evade traditional detection methods.
Bejtlich asserts that threat hunting should not be reactive, based solely on alert follow-ups. Instead, it should commence with a hypothesis regarding adversarial techniques. Analysts then test this hypothesis by querying network logs and sessions to confirm or refute their theories.
Network evidence remains central to this investigative process. Network-based techniques that support proactive threat hunting include:
- Identifying executables
- Investigating unusual protocols
By adopting a hypothesis-driven approach, security teams can proactively uncover and mitigate threats that might otherwise remain undetected.
In summary, as the ‘Mythos Era’ introduces unprecedented challenges in cybersecurity, Bejtlich’s insights underscore the necessity of integrating NDR into security strategies. This approach not only enhances threat detection and response but also empowers organizations to proactively disrupt adversarial activities, thereby fortifying their overall security posture.
