TTechclick ⚡ XP 0% All lessons
Network Security · NDR · Network Detection & ResponseInteractive · L1 / L2 / L3

Network Detection and Response (NDR): — Seeing the Attacker the Firewall Missed

Your firewall blocked 10,000 known-bad packets today and felt like a win. But the one phished user who clicked a link is now inside, using normal ports and TLS, and prevention is blind to him. NDR is the CCTV for your corridors — it watches the traffic already inside and catches the breach in motion.

📅 2026-06-11 · ⏱ 13 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

NDR explained for L1/L2 SOC and blue-team engineers: how Network Detection and Response watches east-west + north-south traffic, baselines behaviour, reads encrypted traffic (JA3/JA4) and maps to MITRE ATT&CK to catch beaconing, lateral movement and exfil.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Why NDR

Prevention's blind spot once the attacker is inside.

 2

How it detects

Baselining, ML on metadata, JA3/JA4, ATT&CK.

 3

NDR in the SOC

The EDR + NDR + SIEM triad and response.

 4

Running NDR

Sensors, tuning, and a worked beacon hunt.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A phished user clicks a link and malware lands on his PC. The firewall logged the original web request as 'allowed'. Will the perimeter firewall now see the malware's regular call-home traffic as a threat?

Answered in Why NDR.

2. Malware on an internal host beacons to its server every 60 seconds over HTTPS. What is the MOST reliable signal an NDR uses to spot it?

Answered in NDR in the SOC.

3. To catch a host quietly scanning other internal servers, which traffic must your sensor actually see?

Answered in How it detects.

Most engineers think…

Most engineers think "we have a next-gen firewall and an IPS, so the network is covered — if something bad shows up, it gets blocked." So they picture the perimeter as a wall that keeps everything dangerous outside.

Wrong — and it's the assumption attackers count on. Prevention only inspects traffic that crosses it, and it mostly matches signatures of things already known to be bad. The moment one phished click puts an attacker inside, he uses ordinary ports, normal-looking TLS and legitimate admin tools to move laterally and steal data — none of which trips a signature. NDR watches the traffic already inside the building (east-west and north-south), learns what normal looks like, and flags the behaviour — beaconing, lateral movement, exfil, DNS tunnelling — that prevention is structurally blind to. The wall is real; it just has no cameras behind it.

① Why NDR — prevention is a wall with no cameras behind it

Meet Sneha, an L1 SOC analyst at Infosys. Her dashboard shows the perimeter firewall blocked tens of thousands of known-bad packets overnight — a comforting green number. But last Tuesday a finance user clicked a link in a convincing invoice email, and a foothold quietly landed on his PC (10.20.4.17). The firewall logged that web request as allowed — because to it, it looked like normal browsing. From that moment the firewall is blind to what happens next.

Here is the structural problem. A prevention control (firewall, IPS) can only inspect traffic that physically crosses it, and it mostly decides using signatures — patterns of things already known to be malicious. Two gaps fall straight out of that: anything never seen before has no signature, and anything that never crosses the firewall — like one internal server talking to another — is simply not on its radar.

👉 So far: the firewall guards the door, but once an attacker is inside he uses normal traffic the firewall already waved through. Next: the two directions of traffic NDR watches.

Networks have two directions of traffic. North-south is traffic in and out to the internet — it crosses the firewall, so prevention sees it. East-west is traffic between internal systems: the foothold PC probing the file server, then pivoting to the domain controller. That east-west traffic almost never touches the perimeter firewall, so it is exactly where an attacker hides — and exactly what NDR is built to watch.

Figure 1 — The firewall guards the front door; NDR watches everyone already inside the building
The firewall guards the front door; NDR watches everyone already inside the building A big-picture diagram. On the left an attacker on the internet sends traffic to the perimeter firewall and IPS, which block known-bad signatures. One allowed session slips through (a phished user clicking a link) and becomes an internal foothold. Inside the building the NDR sensor sits on a network tap or SPAN port and watches both north-south traffic to the internet and east-west traffic between internal servers. Red marks the attacker and the foothold, blue marks the inspected internal zone, amber marks the NDR detection point, lime marks the key insight that prevention only sees the perimeter while NDR sees the inside. Prevention guards the door — NDR watches what is already inside Attackerinternet · 203.0.113.45 Firewall + IPSblocks known-badsignature match one phished sessionlooks allowed → Inside the building (your network) Foothold host10.20.4.17 (user PC) File server10.20.9.3 DC / LDAP10.20.1.10 DB server10.20.9.40 east-west probe lateral move NDR sensorTAP / SPAN · reads metadata sees N-S + E-W Why the gap matters• firewall/IPS see only traffic crossing them• once inside, the attacker uses normal ports• signatures miss never-seen-before tools• NDR watches behaviour, not just bytes→ it catches the breach in progress attacker / untrustedinspected / trusteddetection / decisionkey insightbenign / allowed
Read left-to-right: the firewall blocks known-bad at the door, one phished session slips in (amber), and the NDR sensor on a tap watches both the internet path (north-south) and the internal server-to-server path (east-west) where the attacker now moves.

So what does NDR actually consume? It taps a copy of network traffic — via a hardware TAP, a switch SPAN/mirror port, or flow records (NetFlow/IPFIX) — and turns those packets into metadata: who talked to whom, when, how often, how many bytes, which TLS fingerprint, which DNS names. Because it sits out-of-band (off to the side, not in the data path), it can never become a bottleneck or accidentally drop your production traffic — it just observes.

Four behaviours prevention misses — and NDR catches

Tap each card. These are the four moves an attacker makes once inside, none of which trips a perimeter signature.

📡
Beaconing (C2)
tap to flip

Malware checks in to its server on a regular timer over normal ports. So: the give-away is the rhythm, not the payload.

🧭
Lateral movement
tap to flip

The foothold host suddenly talks to servers it never spoke to before (SMB, RDP). So: 'new peer for this host' is the tell.

📤
Data exfiltration
tap to flip

Small requests in, huge volume out to an odd destination. So: the byte-ratio and rare-destination flip the alarm.

🕳️
DNS tunnelling
tap to flip

Data smuggled inside DNS queries to a single domain. So: long, high-entropy query names at high volume stand out.

Daily-life analogy — the society gate-pass register vs CCTV in the corridors

Your apartment society's gate guard is the firewall: he checks IDs at the entrance and turns away known troublemakers. But once a delivery boy is inside with a valid gate-pass, the guard has no idea he's now wandering floor to floor trying door handles. NDR is the CCTV in the corridors and lifts — it doesn't stop people at the gate, it watches behaviour inside and raises an alarm when someone who 'belongs' starts acting like they don't. You need both: the gate for the obvious, the cameras for the sneaky.

Quick check · Q1 of 10

Rahul at TCS argues: "Our IPS already inspects all traffic, so NDR is redundant." What is the single best counter?

Correct: a. The IPS inspects traffic crossing it (largely north-south) and leans on signatures, so a no-signature attacker moving east-west between internal hosts is invisible to it. NDR watches that internal behaviour out-of-band. NDR generally does not decrypt everything (it uses metadata/fingerprints); and NDR is detect-and-investigate, not an inline blocker, so 'faster blocking' is wrong.

Pause & Predict

Predict: a host inside your network is exfiltrating stolen data, but it's doing so over HTTPS to a normal-looking cloud-storage domain on port 443. Name ONE thing an NDR can still notice even though it cannot read the encrypted contents. Type your guess.

Answer: Plenty — because shape survives encryption. NDR can flag the lopsided byte ratio (tiny upload requests but a huge sustained out-bound volume), a destination this host has never used before, an unusual time-of-day, a long-lived connection, or a JA3/JA4 TLS fingerprint that doesn't match a normal browser. None of that needs the plaintext. That's the core idea of the next section: NDR judges behaviour and metadata, not payload.

② How NDR detects — baselining, metadata, encryption & ATT&CK

The heart of NDR is one shift in thinking: instead of asking "does this packet match a known-bad pattern?" (the IDS question), it asks "is this behaviour normal for THIS host?". To answer that, it first learns a baseline — what each host and each role usually does — typically over a learning window of around two weeks. After that, a connection that breaks the baseline scores high even if no signature exists for it.

Crucially, NDR does this on metadata, not payload. From every connection it extracts the timing, byte counts, ports, connection duration, the SNI, the certificate fields, and the DNS query shape. Machine learning then clusters hosts into peer groups (all the developer laptops behave alike; all the print servers behave alike) so 'abnormal' is judged against the right neighbours, not the whole network.

👉 So far: NDR learns normal, then scores deviation on metadata. Next: the part everyone worries about — how it still sees through encryption.

Over 85% of modern attack traffic rides inside TLS, so "just decrypt everything" sounds tempting — but it's costly, breaks on pinned certs, and raises privacy and compliance headaches. Encrypted-traffic analysis sidesteps it. The handshake leaks features even when the payload doesn't: a JA3 / JA4 fingerprint hashes the client's TLS Client Hello, and malware's home-grown TLS stack frequently fingerprints differently from Chrome or Firefox. Add packet sizes, timing, a self-signed or brand-new certificate, and a rare SNI, and you can flag a C2 channel without decrypting a single byte.

Finally, NDR makes its findings actionable by mapping each detection to a tactic and technique in MITRE ATT&CK. A beacon becomes T1071 (Command-and-Control over a standard application protocol); an internal scan becomes T1046 (Network Service Discovery); data smuggled out becomes T1048 (Exfiltration Over Alternative Protocol). That common vocabulary is what lets an analyst chain isolated alerts into one coherent attack story.

Figure 2 — NDR turns raw packets into a baseline, then flags the behaviour that breaks it and names the ATT&CK move
NDR turns raw packets into a baseline, then flags the behaviour that breaks it and names the ATT&CK move A left-to-right pipeline. Step one a tap or SPAN feeds raw packets and flow records into the NDR sensor. Step two the sensor extracts metadata such as flow timing, byte counts, JA3 and JA4 TLS fingerprints, certificate fields and DNS query patterns, without decrypting the payload. Step three machine learning builds a fourteen-day baseline of what normal looks like per host and per role. Step four current traffic is scored against the baseline and obvious signatures, so a regular 60-second callback to a rare destination stands out. Step five the detection is mapped to a MITRE ATT&CK tactic and technique and an alert is raised for an analyst. Amber marks the detection and decision points; lime marks the key insight that encrypted traffic is still judged by its shape. From packets to a named attacker move — the NDR detection pipeline 1 · CollectTAP / SPAN / flowpackets + NetFlowcopy of traffic, inline=no 2 · Metadatatiming · bytes · portsJA3 / JA4 · cert · SNIDNS query shape 3 · Baseline (ML)14-day learn periodnormal per host/rolepeer-group clustering 4 · Scoredeviation vs baseline+ known signaturesrare dst + periodicity 5 · Map + alertMITRE ATT&CKT1071 C2 / T1048to analyst queue The trick with encryption: NDR judges the shape, not the contentsA TLS session is opaque, but its JA3/JA4 fingerprint, packet sizes, timing and certificate are not — malware's TLS stackoften fingerprints differently from a real browser, so you flag C2 without ever decrypting a byte. Behaviours signatures miss• beaconing — same gap every N seconds• lateral movement — host talks to new peers• exfil — small in, huge out · DNS tunnelling Why ML, not just rules• "new" is relative to THIS host's history• no signature exists for a 0-day tool• shape + peer-group beats byte-matching attacker / untrustedinspected / trusteddetection / decisionkey insightbenign / allowed
Follow the pipeline 1→5: collect a copy of traffic, extract metadata (incl. JA3/JA4), learn a baseline, score deviation against baseline + signatures, then label it with a MITRE ATT&CK technique and alert. The green banner is the key idea — encrypted traffic is judged by its shape.

NDR vs IDS/IPS — the distinction interviewers love

Students mix these up constantly. An IDS/IPS is mostly signature-driven and acts per packet or session: an IPS sits inline in the data path and can block, which is powerful but means it must be fast and can become a bottleneck. NDR is behavioural and lives out-of-band on a tap; it does not block by itself — its job is detect → investigate → hunt, and it triggers response by handing off to other controls. Pithy version: IPS is the lock on the door; NDR is the CCTV that watches the corridors. They complement each other; NDR does not replace the firewall.

Figure 3 — IPS sits in the road and blocks known cars; NDR watches the whole city from cameras and spots the getaway pattern
IPS sits in the road and blocks known cars; NDR watches the whole city from cameras and spots the getaway pattern A two-column comparison. The left column is IDS and IPS: it is inline or on a tap, matches mostly signatures, blocks or alerts on a single packet or session, sees the link it sits on, and has low latency tolerance because it is in the data path. The right column is NDR: it is always out-of-band on a tap or SPAN, uses behavioural baselining and machine learning over metadata, investigates and hunts rather than blocking by itself, sees east-west and north-south across many segments, and triggers response by integrating with a firewall, NAC or SOAR. Red highlights the blocking-but-blind nature of pure prevention; green highlights the broad detect-and-investigate value of NDR. IDS / IPS vs NDR — block-the-packet vs understand-the-behaviour IDS / IPS (signature, inline) ▸ Inline (IPS) or on a tap (IDS) ▸ Matches mostly known signatures / rules ▸ Acts per packet / per session — block or alert ▸ Sees only the link it sits on ▸ In the data path → must be fast, can drop ▸ Blind to never-seen tools + slow beacons Strength: stops the known fastGap: no memory of "normal", no east-west,a 0-day with no signature walks straight in NDR (behavioural, out-of-band) ▸ Always out-of-band — TAP / SPAN / flow ▸ ML baselining + metadata, not just rules ▸ Detect → investigate → hunt (not auto-block) ▸ Sees east-west AND north-south, many segments ▸ Out of path → can't be a bottleneck or drop ▸ Catches beaconing, lateral move, exfil, DNS tunnel Strength: spots the in-progress breachResponse: feeds firewall / NAC / SOAR toquarantine — they complement, not replace Rule of thumb: IPS is the lock on the door; NDR is the CCTV that watches the corridors attacker / untrustedinspected / trusteddetection / decisionkey insightbenign / allowed
Side-by-side: left (red) is signature-based, inline, single-link, blocks-the-packet IDS/IPS; right (green) is behavioural, out-of-band, multi-segment, detect-and-investigate NDR. The bottom line: lock vs CCTV — you want both.
Zeek conn.log + JA3 — the metadata NDR reasons over (no decryption)
# A Zeek sensor writes connection metadata; this is one TLS session to a C2
$ cat conn.log ssl.log | zeek-cut id.orig_h id.resp_h resp_bytes orig_bytes ja3 server_name
# fields: client  server  bytes_in  bytes_out  ja3_hash  sni
Expected output
10.20.4.17   203.0.113.45   612      48211    e7d705a3286e19ea42f587b344ee6865   cdn-update.example-sync.top
10.20.4.17   203.0.113.45   598      47980    e7d705a3286e19ea42f587b344ee6865   cdn-update.example-sync.top
# NOTE: same JA3 as known Cobalt Strike default; tiny in / huge out; rare TLD .top
Common mistake — "NDR needs to decrypt TLS to find C2"

Symptom: a junior analyst dismisses an HTTPS C2 alert with "we can't see inside TLS, so we can't be sure." Wrong premise. NDR didn't read the payload — it matched the JA3/JA4 fingerprint to a known malware TLS stack, saw the connection had a tiny request / large response pattern at a regular interval to a newly-registered domain on a .top TLD. Those are all handshake/metadata features that survive encryption. The fix: investigate the host (pivot to EDR), don't wait for plaintext you'll never get.

Quick check · Q2 of 10

Priya at HCL sees an NDR alert tagged 'T1071 — Application Layer Protocol (C2)' on an HTTPS session it never decrypted. Which combination most likely raised it?

Correct: b. NDR judged the encrypted session by its shape: the JA3/JA4 TLS fingerprint matched a known-bad stack, the connection beaconed at a regular interval, and the destination was rare/new — all without decrypting. It did not read plaintext (the whole point of ETA); an allow-list entry wouldn't raise C2; and failed password attempts are an auth/host event, not a network-C2 signal.

Pause & Predict

Predict: why does an NDR cluster hosts into 'peer groups' before deciding something is abnormal, instead of comparing every host to one network-wide normal? Type your guess.

Answer: Because 'normal' depends on the host's role. A backup server legitimately makes huge, repetitive, scheduled transfers; if you compared it to a receptionist's PC, you'd alarm on every nightly backup. By learning a baseline per peer group (all backup servers together, all dev laptops together), NDR judges each host against machines that do the same job — so a real anomaly (a receptionist PC suddenly transferring gigabytes at 3 a.m.) pops out, while routine role-appropriate behaviour stays quiet. It's how you keep false positives down.

③ NDR in the SOC — the visibility triad & response

NDR is not a lone tool; it's one leg of the SOC visibility triad. EDR sees what happens on a host (processes, files, the actual malware binary). NDR sees what happens between hosts (the connections, the beacon, the lateral move) — and it needs no agent, so it covers IoT, printers, OT and BYOD that EDR can't reach. SIEM collects the logs from everything and correlates. An attacker might evade one, but evading all three at once is very hard.

Walk a real flow. NDR raises the beacon alert on host 10.20.4.17 (the network signal). The analyst pivots to EDR on that host and finds the malicious process and parent (the endpoint signal). They pivot to SIEM and pull that user's AD authentication logs and the DC events around the same time (the log signal). Three sources, one story: phished user → foothold → beacon → attempted lateral move. That's the triad doing its job.

👉 So far: NDR is the network leg of the EDR + NDR + SIEM triad, and analysts pivot across all three. Next: how an NDR alert turns into investigation, hunting, and an actual response.

An NDR alert feeds two workflows. First, investigation: the alert arrives with context (the hosts, the ATT&CK technique, the supporting flows) so the analyst can triage fast. Second, threat hunting: even with no alert, a hunter uses NDR's searchable metadata to proactively look for weak signals — "show me every internal host with a perfectly regular outbound connection to a rare destination" — that no single rule fired on.

Then comes Response — the R in NDR. Because NDR is out-of-band, it usually doesn't block traffic itself; instead it orchestrates other controls. It can push a block of the C2 IP/domain to the firewall, tell NAC to drop the infected host into a quarantine VLAN, or fire a SOAR playbook that isolates the host via EDR, opens a ticket and notifies the on-call. Detection without response is just a louder alarm; the integrations are what make it matter.

▶ Watch one beacon alert travel through the SOC

An attacker's implant on a Wipro user's PC starts calling home. Follow the signal from the wire all the way to a quarantined host, step by step. Press Play for the healthy path, then Break it to see the failure.

① On the wire10.20.4.17203.0.113.45:443 every 60s; NDR sensor sees the copy via SPAN
② NDR scores itdeviation: rare dst + regular periodicity + malware JA3 → alert T1071 C2
③ Triad pivotanalyst pivots: EDR finds the process, SIEM shows the user's AD logins
④ RespondSOAR fires: NAC drops 10.20.4.17 to quarantine VLAN; firewall blocks 203.0.113.45
Press Play to step through the healthy path. Then press Break it.
Prove the triad actually closed the loop, not just alerted

An NDR alert alone proves detection. To prove response worked, verify three things after containment: (1) the C2 connection from 10.20.4.17 no longer appears in new NDR flows; (2) EDR shows the malicious process killed and the host isolated; (3) the firewall/NAC change is live — the host is in the quarantine VLAN and the C2 IP/domain is blocked. If the beacon stops in the NDR flow data, you've closed the loop; if it merely changed destination, you missed a second channel — keep hunting.

Karthik at Flipkart faces this

Karthik, an L2 analyst, gets an NDR alert: an internal host (10.20.7.22) is making SMB connections to a dozen servers it has never spoken to before, within two minutes.

Likely cause

This is classic lateral movement (ATT&CK T1021 / T1046). A compromised host is sweeping the internal network for shares and remote-service entry points. The perimeter firewall never saw it — it's all east-west traffic the NDR core-switch SPAN picked up.

Diagnosis

He confirms it's behaviour, not a backup job, by checking the baseline: this host's peer group (normal user PCs) never fan out to many servers at once, and there's no scheduled-task or backup tag on the destinations.

NDR console → Detections → Host 10.20.7.22 → Connections → group by dst, sort by 'first-seen' + check peer-group baseline
Fix

He fires the SOAR playbook: NAC moves 10.20.7.22 to the quarantine VLAN, EDR isolates and pulls the process tree, and SIEM is queried for the user's logins to scope the blast radius.

Verify

Re-query NDR flows for 10.20.7.22 → no new east-west SMB connections; EDR confirms host isolated; the fan-out pattern stops. Then hunt for the same JA3/beacon on other hosts to be sure it's contained.

Quick check · Q3 of 10

Meera is asked in an interview: "Why pair NDR with EDR instead of just buying more EDR licences?" Best answer?

Correct: c. EDR is agent-based, so anything you can't install an agent on — IoT, printers, OT, contractor BYOD — is a blind spot; NDR covers those by watching their traffic, and it sees host-to-host (east-west) activity EDR on one box can't. NDR doesn't run on or block the endpoint (that's EDR's job), and the two are complementary, not duplicate — that's the whole point of the triad.

Pause & Predict

Predict: an NDR detects a clear C2 beacon and is configured to auto-quarantine the host via NAC. Why might a mature SOC still NOT enable fully automatic blocking for every detection? Type your guess.

Answer: Because a false positive that auto-quarantines a critical system (a payment gateway, a hospital server) can cause an outage worse than the threat. Mature SOCs reserve automatic response for high-confidence, low-risk detections and route the rest to a human for a quick approve/deny — often a SOAR playbook that enriches the alert first. The art of running NDR is tuning that confidence threshold so automation contains real threats without taking down the business on a noisy alert.

④ Running NDR — sensors, tuning & a worked beacon hunt

Detection quality starts at sensor placement: NDR can only see the traffic you feed it. The classic mistake is tapping only the internet edge — that gives you north-south but leaves the entire internal network (where lateral movement lives) dark. The fix is to also SPAN the core switch and inter-VLAN boundaries so you capture east-west. A real-world caveat: under heavy load a SPAN port can be oversubscribed and silently drop mirror packets, so for high-throughput links a hardware TAP is more reliable than a SPAN.

🖥️ Where you scope what the sensor sees — NDR console → Sensors → Add Sensor → Monitoring Interface. (Recreated for clarity — your console matches this layout.)
ndr.soc.local · Sensors → Add Sensor
1
Sensor name
core-span-mumbai-dc
2
Capture source
SPAN (core switch) / TAP
3
Monitor interface
eth1 (mirror) — promiscuous
Traffic scope
east-west (VLAN 20,30) + north-south
Baseline window
14 days (learning)
4
Drop monitoring
alert if SPAN drops > 1%
Save & start learning

Next, baselining. The model needs roughly two weeks of clean traffic with stable host roles to learn what normal is; if you onboard a sensor in the middle of a big migration, it bakes the chaos into 'normal'. And after a major change — a new app, a VLAN re-design, a merger — you re-learn, or the baseline lies to you.

Then the daily grind: tuning false positives. The biggest noise sources are legitimately periodic traffic that looks exactly like beaconing — backup jobs, patch/AV agents phoning home, NMS pollers, vulnerability scanners, SaaS sync clients, CDN connections. The fix isn't to lower sensitivity globally (you'll miss real beacons); it's to allowlist the known-good by destination, JA3 or host-role so the genuine anomalies stay loud.

👉 So far: place sensors for east-west, baseline on clean traffic, and tune out periodic false positives. Now the payoff — a worked hunt for a real beacon.

A worked hunt — finding a beacon by flow periodicity

A beacon betrays itself by periodicity: a human browses irregularly, but malware checks in like clockwork. Aditya, hunting at Airtel, pulls connection records and computes, per source→destination pair, the time gaps between connections. A pair whose gaps are tightly clustered around (say) 60 seconds with low jitter, to a rare external destination, is a prime beacon suspect.

Beacon hunt — flag source/dest pairs with regular timing (RITA-style analysis over Zeek conn.log)
# Score each host-pair on how regular its connection timing is
$ rita show-beacons soc-mumbai | head -6
# (or: zeek-cut ts id.orig_h id.resp_h < conn.log | beacon-analyze)
Expected output
SCORE   SOURCE        DESTINATION      CONNS  AVG_GAP  JITTER  DST_PORT
0.971   10.20.4.17    203.0.113.45     1422   60.04s   0.21s   443/tcp
0.118   10.20.9.3     10.20.1.10       88     varies   high    445/tcp
# top row: 1422 check-ins, ~60s apart, near-zero jitter = textbook C2 beacon
Common mistake — auto-flagging the top beacon score as malicious

Symptom: the hunt's #1 'beacon' (score 0.95+, perfectly regular) turns out to be the corporate backup agent hitting a cloud bucket every minute, or the AV client polling for updates. A perfect rhythm is necessary but not sufficient. Before you escalate, check: is the destination a known-good service (cloud, CDN, your own update server)? Is the source's role expected to do this (a backup server vs a receptionist PC)? Allowlist the legitimate periodic talkers by destination/JA3 so the real C2 — to a rare, newly-registered domain — isn't buried under your own infrastructure.

Before / after, in one line. Before NDR: the implant on 10.20.4.17 beacons every 60s over HTTPS/443 to 203.0.113.45 — to the firewall it's just 'allowed outbound web', completely hidden. After NDR: the same flow is flagged because its periodicity (1422 check-ins, ~60s, near-zero jitter), its byte ratio (tiny in, large out), its JA3 (known malware stack) and its rare new destination all break the host's baseline — and it's labelled T1071 for the analyst. Same packets, a completely different outcome, because NDR read the metadata the firewall ignored.

Figure 4 — NDR on one card — detections by ATT&CK tactic, the visibility triad, sensor placement and the first hunts
NDR on one card — detections by ATT&CK tactic, the visibility triad, sensor placement and the first hunts A nine-tile cheat sheet. Tiles cover the visibility triad of EDR plus NDR plus SIEM, NDR detections mapped to MITRE ATT&CK tactics, what a beacon looks like, encrypted-traffic clues, sensor placement, what baselining needs, common false-positive sources, response actions, and the first hunts to run. Each tile has a short practical line. NDR — your one-glance card Visibility triadEDR = endpoint · NDR = networkSIEM = logs · correlate all 3attacker can't hide from all three Detections → ATT&CKbeacon → T1071 C2lateral → T1021 remote svcDNS tunnel → T1048 exfilrecon → T1046 net scan What a beacon isregular check-in: same gap,small bytes, rare destinationlow jitter = machine, not human Encrypted-traffic cluesJA3 / JA4 TLS fingerprintcert age / self-signed / SNIno decryption needed Sensor placementcore switch SPAN = east-westinternet edge tap = north-southtap > SPAN under load Baseline needs~14 days of clean trafficstable host roles / VLANsre-learn after big changes False-positive sourcesbackups / patch agents (periodic)NMS pollers, vuln scannersSaaS sync, CDN — allowlist them Response actionsNAC / 802.1X → quarantine VLANfirewall block to C2 IP/domainSOAR playbook → isolate via EDR First huntsbeacons: connection periodicitylong conns / high out-bytesDNS: long/odd qnames, high vol attacker / untrustedinspected / trusteddetection / decisionkey insightbenign / allowed
Your one-card map of the whole lesson: the EDR/NDR/SIEM triad, NDR detections mapped to ATT&CK tactics, what a beacon and an encrypted-C2 clue look like, sensor placement, baselining needs, false-positive sources, response actions, and the first hunts to run. Screenshot it before any SOC interview.

For your certification path, this lesson sits right in the blue-team / detection blueprint. GCIA (GIAC Certified Intrusion Analyst) and SANS SEC503 are built on exactly this — network traffic analysis, sensor placement, IDS/NDR tuning with tools like Zeek and Suricata, and reading flows to spot intrusions. Security+ covers the concepts in its monitoring/detection and architecture domains (NDR vs IDS/IPS, the visibility triad, indicators of compromise). Nail this lesson and you can answer the two questions that come up in every SOC interview: "how do you find a beacon you have no signature for?" and "why isn't a firewall enough?"

Related: CASB Explained
Quick check · Q4 of 10

An interviewer asks Neha: "You've onboarded an NDR sensor at a Zomato data centre but it only mirrors the internet-edge link. What's the biggest blind spot, and what's the single best fix?"

Correct: b. An internet-edge-only sensor sees north-south but is blind to server-to-server (east-west) traffic, which is exactly where lateral movement and internal recon happen; the fix is to mirror the core switch / inter-VLAN boundaries (a TAP is steadier than SPAN under load). Decryption everywhere is costly and not the gap here; a one-day baseline is too short to learn normal; and disabling DNS logging removes a key tunnelling signal.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Network Security docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

In the SOC visibility triad, which tool's specific job is to watch the network traffic BETWEEN internal hosts (east-west) to catch lateral movement and beaconing?

Correct: c. NDR is the network leg of the triad — it watches a copy of traffic between hosts (east-west) and to the internet (north-south) to detect behaviour like beaconing and lateral movement. SIEM correlates logs, EDR watches the endpoint (needs an agent), and the perimeter firewall mostly sees north-south signature matches, not internal behaviour.
Q6 · Apply

An NDR alerts on an HTTPS session it never decrypted: regular 60-second timing, tiny request / large response, and a JA3 matching a known malware stack, to a newly-registered domain. Which MITRE ATT&CK tactic best fits?

Correct: a. Regular timing to a rare destination with a malware JA3 is the textbook profile of C2 beaconing, mapped to the Command-and-Control tactic (T1071, application-layer protocol). Initial Access is the earlier foothold step; Impact is destruction/ransomware; Reconnaissance is scanning — none match a periodic call-home.
Q7 · Apply

You're onboarding an NDR and want it to detect lateral movement inside a Mumbai data centre. Where must you place/mirror the sensor?

Correct: d. Lateral movement is east-west (server-to-server) traffic, so the sensor must see the core switch and inter-VLAN boundaries via SPAN or a TAP. An internet-edge-only tap sees north-south and misses internal movement; the analyst's laptop and the firewall management interface carry none of the relevant data-centre traffic.
Q8 · Analyze

A beacon hunt's #1 result (score 0.97, near-zero jitter, every 60s) turns out to be the corporate backup agent hitting a cloud bucket. What does this tell you about tuning, and what's the right next step?

Correct: a. Legitimate periodic traffic (backups, AV, NMS) mimics beaconing, so a high regularity score alone isn't malicious — you must check destination and host-role, then allowlist the known-good so genuine anomalies stay loud. Lowering global sensitivity or disabling detection would hide real beacons; decrypting the backup proves nothing about beaconing and is wasted effort.
Q9 · Analyze

An NDR flags an internal host suddenly making SMB connections to a dozen servers it never spoke to before, within two minutes. The perimeter firewall logged nothing for it. Why did the firewall miss it, and what is the host most likely doing?

Correct: d. Server-to-server SMB inside the data centre is east-west traffic that never reaches the perimeter firewall, so prevention is structurally blind to it; a host fanning out to many new peers on SMB is classic lateral movement / network service discovery (T1021/T1046). The firewall being offline or 'ignoring SMB' isn't the reason, and a sudden never-before fan-out to a dozen hosts is a real behavioural anomaly, not noise.
Q10 · Evaluate

Two ways to justify NDR to a budget-holder: (A) "it's another box that blocks bad traffic like our firewall, just better"; (B) "prevention only sees the perimeter and known signatures, so once an attacker is inside, NDR is what watches east-west behaviour, finds the no-signature beacon/lateral-move, and feeds containment." Which is stronger and why?

Correct: b. B is accurate and architecture-grounded: it explains the structural blind spot of prevention (perimeter-only, signature-based) and positions NDR as out-of-band behavioural detection + response for the inside, which is what it actually does. A mis-describes NDR as an inline blocker/'better firewall' — it isn't; it complements the firewall rather than replacing it, so A would set wrong expectations.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line, how can NDR flag a malware C2 channel that is fully encrypted with TLS, without decrypting any of it? Then compare to the expert version.

Expert version: It reads the session's metadata — the JA3/JA4 TLS fingerprint (often distinct for malware), the certificate/SNI, the packet sizes and the regular beacon timing to a rare destination — all of which survive encryption, so the behaviour gives the C2 away even though the payload stays opaque.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

NDR (Network Detection and Response)
An out-of-band tool that watches a copy of network traffic to detect attacker behaviour, investigate, and trigger response. Behavioural, not a blocking device.
East-west traffic
Traffic between internal systems (server-to-server, PC-to-server). Usually never crosses the perimeter firewall — where lateral movement hides.
North-south traffic
Traffic between your network and the outside world (internet/cloud) — it crosses the perimeter, so prevention can see it.
Beaconing
A malware implant's regular, automated check-in to its C2 server. The tell is the rhythm: a consistent interval with low jitter to a rare destination.
Lateral movement
An attacker pivoting from the first foothold host to other internal systems (SMB, RDP). Shows up as a host talking to new peers it never used before.
DNS tunnelling
Smuggling data inside DNS queries to a single domain. Spotted by long, high-entropy query names at high volume.
JA3 / JA4
Hashes of a TLS Client Hello (cipher list, extensions, curves). Malware's TLS stack often fingerprints differently from real browsers — a C2 tell without decryption.
Encrypted-traffic analysis (ETA)
Judging an encrypted session by observable features (handshake, sizes, timing, certificate, SNI) instead of decrypting the payload.
Baseline
A learned model of normal traffic per host and per role, built over a learning window (~14 days). Deviation from it is what NDR scores.
MITRE ATT&CK
A public catalogue of attacker tactics and techniques (e.g. T1071 C2, T1046 discovery, T1048 exfiltration). NDR labels detections with these IDs.
Visibility triad
The SOC's three complementary sources: EDR (endpoint), NDR (network), SIEM (logs). Together they leave the attacker nowhere to hide.
TAP / SPAN
Ways to feed an NDR a copy of traffic: a hardware TAP (passive, reliable) or a switch SPAN/mirror port (convenient, can drop packets under load).

📚 Sources

  1. Vectra AI Learning Centre — "NDR explained: how network detection and response works" + "Network visibility: blind spots & NDR" (east-west vs north-south, behavioural detection of lateral movement / C2 / exfil, MITRE ATT&CK mapping). vectra.ai/topics/network-detection-and-response · vectra.ai/topics/network-visibility · vectra.ai/topics/mitre-attack
  2. ExtraHop — "What Is C2 Beaconing? Definition & Prevention" + Palo Alto Networks Cyberpedia "What is DNS Tunneling?" (beacon periodicity as the C2 tell; DNS-tunnelling query-shape indicators). extrahop.com/resources/attacks/c-c-beaconing · paloaltonetworks.com/cyberpedia/what-is-dns-tunneling
  3. Trellix / Vehere glossaries — "Why Is Encrypted Traffic Analysis Key to NDR?" + "What is JA4 and JA4S Fingerprinting" (JA3/JA4 TLS fingerprinting, ETA without decryption; >85% of attack traffic uses encryption). trellix.com/security-awareness/network/why-is-encrypted-traffic-analysis-key-to-ndr/ · vehere.com/glossary/what-is-ja4-and-ja4s-fingerprinting/
  4. The Zeek Project — "Zeek Sensor Placement in Practice: Tapping What You Actually Understand" (Jun 2026) + Active Countermeasures "Where Do I Put My Zeek Sensor?" + Book of Zeek "Monitoring With Zeek" (tap/SPAN placement, east-west capture, RITA beacon analysis over conn.log). zeek.org/2026/06/zeek-sensor-placement-in-practice-tapping-what-you-actually-understand/ · activecountermeasures.com/where-do-i-put-my-zeek-sensor/ · docs.zeek.org/en/lts/monitoring.html
  5. Corelight — "False Positives in Cybersecurity" + "Reducing IDS false positives" (periodic backup/NMS/scanner traffic as the top false-positive source; allowlist-by-known-good tuning rather than lowering sensitivity). corelight.com/resources/glossary/false-positives-cybersecurity · corelight.com/resources/glossary/ids-false-positives
  6. GIAC GCIA exam page + SANS SEC503 "Network Monitoring and Threat Detection In-Depth" (network traffic analysis, sensor placement, Zeek/Suricata tuning, IOC extraction — the blue-team/GCIA blueprint this lesson maps to; Security+ monitoring & architecture domains). giac.org/certifications/certified-intrusion-analyst-gcia · sans.org/cyber-security-courses/network-monitoring-threat-detection

What's next?

You can now spot the attacker moving inside the network. But how did they get the keys in the first place? Next we drop into the cloud and lock down identity — least-privilege IAM, where most cloud breaches actually begin.

Next · AWS IAM Security: Least Privilege Done Right → Practice on exam.techclick.in →