All posts

NDR – Now Done Realistically

SE Labs launches first public Network Detection and Response test

Network Detection and Response

SE Labs tested VMware NSX Network Detection and Response against a range of hacking attacks designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks.

Full attack chain test in the datacentre

By running the most realistic set of attacks possible we put NDR products to a significant challenge. Can they detect real attacks in real-time, often using unique scripts and malware? If you want to know more about advanced persistent threats on the network please read past the initial graphs in this report and dig into the detail.

Full chains of attack were used, meaning that testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.

Network Detection and Response security testing

Network Detection and Response products are designed to recognise attacks as they pass through one or more networks. In other words, they are like CCTV systems monitoring the flow of information running through an organisation, data centre or other infrastructure.

There are a few different ways to test NDR solutions, many of which are so synthetic as to be misleading. You could run a tool that pushes network packets containing elements of an attack, for example. This might trigger a detection by the NDR sensors. Or it might not. It depends how those sensors are designed.

Only a real attack looks like a real attack

A very accurate sensor might not generate an alert when analysing such ‘fake’ test traffic. Ideally it would only alert on a real attack so that the team in the Security Operations Centre (SOC) focuses on significant events only. Parts of an exploit, malware or suspicious login are not a threat. Only a real attack looks like a real attack.

A basic sensor might report problems with every packet that appears to be bad without looking at the context. For example, if a user logs into a system that they use regularly, an unsophisticated system might register that as a problem. A more intelligent one would recognise that all is well and hold back the alert. But it might sound the alarm if the same user logs in from an unusual part of the network. This could be a sign of an attacker moving between systems and using stolen login credentials.

In our tests we make no assumptions about how security products work and run full attacks, from the very first stages through to completing the final ‘mission’, which might be data damage, theft or the creation of a persistent presence.

MITRE ATT&CK-compatible

We replicate the behaviours of real-world attackers and use the MITRE ATT&CK framework to map out the attack chains used in every test case.

Full attack chains, clearly illustrated

We also perform benign activities to ensure that the product we are testing isn’t just alerting without discrimination.

By running the most realistic set of attacks possible we put NDR products to a significant challenge. Can they detect real attacks in real-time, often using unique scripts and malware? If you want to know more about advanced persistent threats on the network please read past the initial graphs in this report and dig into the detail.

Featured podcast:

Contact us

Give us a few details about yourself and describe your inquiry. We will get back to you as soon as possible.

Get in touch

Feel free to reach out to us with any questions or inquiries

info@selabs.uk Connect with us Find us