NDR

Definition

Explore More Terms

Examples & Use Cases

# NDR (Network Detection and Response)

## Definition
NDR focuses on monitoring and analyzing network traffic to detect suspicious behavior, especially lateral movement and command-and-control communication.

## Why It Matters in Practice
Attackers often move silently inside a network after initial compromise. NDR helps detect:
- Internal reconnaissance
- Lateral movement
- Data exfiltration

## Where It Fits
- SIEM: log-centric
- EDR: endpoint-centric
- NDR: network-centric

Together, they provide wider visibility into your environment.

## Key Points
- Detects threats that bypass endpoint tools
- Useful in encrypted traffic environments using metadata analysis
- Strong at identifying beaconing patterns
- Provides visibility into unmanaged devices

## Common Usages
- Traffic flow analysis (NetFlow, metadata)
- Detecting periodic beaconing (C2 callbacks)
- Identifying unusual protocols or ports
- Machine learning for anomaly detection

## Real-World Example
A compromised host sends small packets every 60 seconds to an external IP.  
NDR flags this as beaconing behavior, indicating possible malware communication.

## Limitations
- Encrypted traffic limits deep inspection
- Requires baseline of normal network behavior
- Can be complex to deploy in large environments

## Further Reading
- [Fortinet - What is NDR](https://www.fortinet.com/resources/cyberglossary/what-is-ndr)
- [Cisco - What is Network Detection Response](https://www.cisco.com/site/us/en/learn/topics/security/what-is-network-detection-response.html)
- [Palo Alto Networks - What is Network Detection And Response](https://www.paloaltonetworks.com/cyberpedia/what-is-network-detection-and-response)

Ndr

Definition

Explore More Terms

Examples & Use Cases