Word Notes 9.22.20
Ep 16 | 9.22.20

Network Detection and Response (NDR) (noun)


Rick Howard: The word is in NDR.

Rick Howard: Spelled: N as in Network, D as in Detection and R as in Response.

Rick Howard: Definition: NDR tools provide anomaly detection and potential attack prevention by collecting telemetry across the entire intrusion kill chain on transactions across the network, between servers, hosts, and cloud workloads, and running machine learning algorithms against this compiled and very large data set.

Rick Howard: Example sentence: The telemetry collected by NDR tools provides a good use case for machine learning algorithms.

Rick Howard: Context: NDR is an extension of the EDR, or endpoint detection and response idea that emerged in 2013. Before EDR, older endpoint security tools depended, and still do depend, on signatures of known things like ransomware, phishing schemes and malware that is fine for known attacks, but provides zero protection for new attacks that nobody has ever seen before. By continuously collecting vast amounts of data from every endpoint in the environment, EDR tools can then apply machine learning algorithms on the data designed to find abnormal behavior and perhaps discover new attacks.

The seminal Lockheed Martin intrusion kill chain paper, published in 2010, made the point that cyber adversaries must complete a sequence of steps across the intrusion kill chain to be successful. These adversary actions target victim endpoints and traverse to target victims networks. It makes sense, then, that NDR is an extension of the EDR idea. With NDR, Network, defenders can now see intrusion kill chain activity on the network, not just the host. 

XDR, or extended detection and response, is an attempt to combine both ideas. With EDR and NDR, you can now monitor the entire kill chain. With XDR, you might be able to combine it. 

Network defender note: The concepts of EDR, NDR and XDR are easy to grasp, but how security vendors implement those concepts in real security tools varies widely. Caveat emptor! 

In 2016, Rob Joyce, then the head of the NSA's Tailored Access Operations Unit, or TAO, the cyber offensive arm for the NSA, the Mr. Robot for the US government, gave an unprecedented task at the USENIX Enigma conference, where he described the thought process that his team used to break into their targets for the US government.

Rob Joyce: "I'll tell you, one of our worst nightmares is that out-of-band network tap that really is capturing all the data, understanding anomalous behavior going on, and somebody is paying attention to it. So rewind all the way back to the beginning of my talk where I said, you've got to know your network, understand your network, because we're going to." 

Rick Howard: He said, "Know your network, understand your network because we're going to." NDR technology will help you do that.

Rick Howard: Nerd reference: In the 1996 movie Independence Day, starring Will Smith, Bill Pullman and Jeff Goldblum. Goldblum playing David, the geeky satellite scientist, discovers the aliens attack signal.

Jeff Goldblum: "Marty, listen to this. I got a lock on the pattern of that signal and so we can filter it out. But if my calculations are right, it's going to be gone like seven hours anyway. It's reducing itself every time it recycles. So eventually it's going to disappear. You listening?" 

Unknown: "Can you believe this?"  

Rick Howard: Just like a cyber adversary hiding in the noise of normal day-to-day network traffic, the aliens attacks signal in the normal noise of satellite transmissions. David was able to write his own NDR tool to discover it.