SE Labs

Special Edition
Computer security testing comment and analysis from SE Labs

NDR – Now Done Realistically

SE Labs launches first public Network Detection and Response test

Network Detection and Response

SE Labs tested VMware NSX Network Detection and Response against a range of hacking attacks designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks.

Full attack chain test in the datacentre

By running the most realistic set of attacks possible we put NDR products to a significant challenge. Can they detect real attacks in real time, often using unique scripts and malware? If you want to know more about advanced persistent threats on the network please read past the initial graphs in this report and dig into the detail.

Download the report now! (free – no registration)

Full chains of attack were used, meaning that testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.

Network Detection and Response security testing

Annual Report 2020

Network Detection and Response products are designed to recognise attacks as they pass through one or more networks. In other words, they are like CCTV systems monitoring the flow of information running through an organisation, data centre or other infrastructure.

There are a few different ways to test NDR solutions, many of which are so synthetic as to be misleading. You could run a tool that pushes network packets containing elements of an attack, for example. This might trigger a detection by the NDR sensors. Or it might not. It depends how those sensors are designed.

Only a real attack looks like a real attack

A very accurate sensor might not generate an alert when analysing such ‘fake’ test traffic. Ideally it would only alert on a real attack so that the team in the Security Operations Centre (SOC) focuses on significant events only. Fragments of an exploit, a piece of malware or a suspicious login are not, on their own, a threat. Only a real attack looks like a real attack.

A basic sensor might report problems with every packet that appears to be bad without looking at the context. For example, if a user logs into a system that they use regularly, an unsophisticated system might register that as a problem. A more intelligent one would recognise that all is well and hold back the alert. But it might sound the alarm if the same user logs in from an unusual part of the network. This could be a sign of an attacker moving between systems and using stolen login credentials.
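The login example above can be made concrete. The following is an added illustration, not SE Labs' or VMware's code: it learns which network segments each user normally logs in from, then alerts only when a user appears from a segment outside that baseline, and it puts the "basic sensor" (one alert per login, no context) next to the context-aware one so the difference in SOC noise is visible. The log format, user names, hosts, addresses and the /24 segment size are all constructed assumptions for this example; the routine login by bob from his usual segment is the benign activity that a discriminating sensor should stay quiet about.

```python
"""Context-aware login alerting: an added illustration, not SE Labs' or VMware's code.

Builds a per-user baseline of the network segments each user normally logs
in from, then alerts only on logins from a segment outside that baseline.
Log format, users, hosts and addresses are constructed for this example.
"""
from collections import defaultdict
import ipaddress

# Constructed sample log lines: timestamp user source_ip destination_host result
SAMPLE_LOGS = """\
2020-11-02T08:01:12Z alice 10.10.1.23 fileserver01 success
2020-11-02T08:03:40Z bob   10.10.2.55 fileserver01 success
2020-11-02T08:05:09Z alice 10.10.1.23 mail01       success
2020-11-03T08:02:51Z alice 10.10.1.40 fileserver01 success
2020-11-03T09:15:00Z bob   10.10.2.55 db01         success
2020-11-04T08:00:12Z bob   10.10.2.61 fileserver01 success
2020-11-04T23:47:33Z alice 10.20.9.7  db01         success
2020-11-04T23:48:10Z alice 10.20.9.7  fileserver01 success
"""

def parse_logs(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split()
        events.append({"ts": ts, "user": user,
                       "src": ipaddress.ip_address(src),
                       "dst": dst, "result": result})
    return events

def segment(ip, prefix=24):
    """Map a source address to its network segment (a /24 is assumed here)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def build_baseline(events):
    """Per-user set of segments seen in successful logins during the learning window."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]].add(segment(e["src"]))
    return baseline

def naive_alerts(events):
    """The 'basic sensor': every login to a server is reported, with no context."""
    return [f"{e['ts']} login {e['user']} -> {e['dst']}" for e in events]

def contextual_alerts(events, baseline):
    """The 'intelligent sensor': alert once per user+segment that is not in the baseline."""
    alerts = []
    seen = set()
    for e in events:
        seg = segment(e["src"])
        if seg in baseline.get(e["user"], set()):
            continue  # user logging in from where they usually do: stay quiet
        key = (e["user"], seg)
        if key in seen:
            continue  # already raised for this user/segment; do not flood the SOC
        seen.add(key)
        usual = sorted(str(s) for s in baseline.get(e["user"], ()))
        alerts.append(f"{e['ts']} {e['user']} logged in from unusual segment {seg} "
                      f"(usual: {usual}) -> {e['dst']}")
    return alerts

def run(text=SAMPLE_LOGS, learn_until="2020-11-04"):
    """Learn from events before learn_until, evaluate the rest; return both alert lists."""
    events = parse_logs(text)
    learning = [e for e in events if e["ts"] < learn_until]
    evaluate = [e for e in events if e["ts"] >= learn_until]
    baseline = build_baseline(learning)
    return naive_alerts(evaluate), contextual_alerts(evaluate, baseline)

if __name__ == "__main__":
    naive, contextual = run()
    print(f"basic sensor: {len(naive)} alerts")
    print(f"context-aware sensor: {len(contextual)} alert(s)")
    for a in contextual:
        print("  ", a)
```

On the constructed logs the basic sensor raises three alerts for the evaluation day, while the context-aware one raises a single alert, for alice appearing from 10.20.9.0/24 late at night, and says nothing about bob's routine login. A production sensor would of course learn over a longer window, age out stale baselines and combine this with other signals, but the shape of the decision is the same.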

In our tests we make no assumptions about how security products work and run full attacks, from the very first stages through to completing the final ‘mission’, which might be data damage, theft or the creation of a persistent presence.

MITRE ATT&CK-compatible

We replicate the behaviours of real-world attackers and use the MITRE ATT&CK framework to map out the attack chains used in every test case.

Full attack chains, clearly illustrated

We also perform benign activities to ensure that the product we are testing isn’t just alerting without discrimination.

Find out more

Our latest reports, for enterprise, small business and home users are now available for free. Please download them and follow us on Twitter and/or LinkedIn to receive news, comment, updates and future reports.

Sign up to our monthly business and personal security newsletters.

See all blog posts relating to test results.

About

SE Labs Ltd is a private, independently owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk