NDR — Network Detection & Response
The KYRA MDR collector agent includes built-in Network Detection and Response (NDR) capabilities. The same collector binary that handles log collection also performs deep packet inspection, flow tracking, behavioral baselining, and threat detection — no separate NDR sensor deployment required.
Architecture
Processing Pipeline
Network traffic passes through a six-stage analysis pipeline:
```
┌─────────┐    ┌─────────┐    ┌─────────┐    ┌──────────┐    ┌──────────┐    ┌──────┐
│ Capture │───>│  Parse  │───>│  Flow   │───>│ Baseline │───>│  Detect  │───>│ Emit │
│  TAP/   │    │  L3-L7  │    │ 5-tuple │    │ rolling  │    │   rule   │    │alert │
│  SPAN   │    │ protocol│    │  bidir  │    │  hourly  │    │ engines  │    │      │
│ mirror  │    │ parsers │    │ tracker │    │  stats   │    │          │    │      │
└─────────┘    └─────────┘    └─────────┘    └──────────┘    └──────────┘    └──────┘
```

- Capture — Raw packets from a TAP, SPAN, or mirror port, with the capture interface in promiscuous mode
- Parse — Protocol parsing for DNS, TLS, HTTP, SMB, SSH, RDP, Kerberos, DHCP
- Flow Tracking — Bidirectional flow assembly with 5-tuple identification
- Baselining — Rolling hourly statistics for behavioral anomaly detection
- Detection — Multiple detection engines including signature, behavioral, and threat intel matching
- Alert Emission — Detection alerts flow through the same collector pipeline as log events
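The Flow, Baseline and Detect stages above are easiest to understand as code. The following is an added example written for this page, not the KYRA collector's implementation: it assembles bidirectional flows under a canonical 5-tuple key, keeps a rolling per-host hourly byte baseline, and raises an alert when the current hour's outbound volume is far outside that baseline. The packet records, the 24-hour window, the 6-hour minimum history, the z-score threshold of 3 and the helper names (`FlowTracker`, `HourlyBaseline`, `run_pipeline`, `demo`) are all constructed assumptions.

```python
"""Flow assembly and rolling hourly baselining, modelled on the Flow, Baseline and Detect stages above.
Added example; this is not the KYRA collector's code, and every packet record is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed packets: (ts_seconds, src_ip, src_port, dst_ip, dst_port, proto, payload_bytes).
# All fall in hour 8 of the timeline; the last one is an unusually large upload.
T0 = 8 * 3600
PACKETS = [
    (T0 + 0.0, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 517),
    (T0 + 0.1, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1400),  # reply, same flow
    (T0 + 0.2, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 80),
    (T0 + 5.0, "10.0.0.5", 51002, "203.0.113.9", 443, "tcp", 40_000_000),
]

def canonical_key(src, sport, dst, dport, proto):
    """Order the endpoints so both directions of a conversation map to one 5-tuple key."""
    a, b = (src, sport), (dst, dport)
    return (proto, a, b) if a <= b else (proto, b, a)

@dataclass
class Flow:
    key: tuple
    initiator: tuple  # (ip, port) that sent the first packet we saw
    first_seen: float
    last_seen: float
    fwd_bytes: int = 0  # initiator -> responder
    rev_bytes: int = 0  # responder -> initiator
    fwd_pkts: int = 0
    rev_pkts: int = 0

class FlowTracker:
    """Bidirectional flow table keyed by canonical 5-tuple, with an idle timeout."""
    def __init__(self, idle_timeout=120.0):
        self.idle_timeout, self.flows, self.expired = idle_timeout, {}, []

    def update(self, ts, src, sport, dst, dport, proto, nbytes):
        key = canonical_key(src, sport, dst, dport, proto)
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow(key, (src, sport), ts, ts)
        flow.last_seen = ts
        if (src, sport) == flow.initiator:
            flow.fwd_bytes, flow.fwd_pkts = flow.fwd_bytes + nbytes, flow.fwd_pkts + 1
        else:
            flow.rev_bytes, flow.rev_pkts = flow.rev_bytes + nbytes, flow.rev_pkts + 1
        return flow

    def expire(self, now):
        """Move idle flows to the expired list; this is where a flow record would be emitted."""
        idle = [k for k, f in self.flows.items() if now - f.last_seen > self.idle_timeout]
        self.expired.extend(self.flows.pop(k) for k in idle)
        return len(idle)

class HourlyBaseline:
    """Per-host outbound bytes bucketed by hour. The current hour is z-scored against the
    preceding hours in the window; window, minimum history and threshold are assumptions."""
    def __init__(self, window_hours=24, min_history=6, z_threshold=3.0):
        self.window, self.min_history, self.z = window_hours, min_history, z_threshold
        self.buckets = defaultdict(lambda: defaultdict(int))  # host -> hour index -> bytes

    def record(self, host, ts, nbytes):
        hour, b = int(ts // 3600), self.buckets[host]
        b[hour] += nbytes
        for old in [h for h in b if h < hour - self.window]:  # roll the window forward
            del b[old]

    def is_anomalous(self, host, ts):
        hour, b = int(ts // 3600), self.buckets[host]
        history = [v for h, v in b.items() if h < hour]
        if len(history) < self.min_history:
            return False  # not enough history to judge
        mu = mean(history)
        sigma = max(pstdev(history), 0.05 * mu, 1.0)  # floor: a flat baseline must not be hypersensitive
        return (b.get(hour, 0) - mu) / sigma > self.z

def run_pipeline(packets, baseline):
    """Flow -> Baseline -> Detect over a packet list; returns the tracker and (host, hour) alerts."""
    tracker, alerts = FlowTracker(), []
    for ts, src, sport, dst, dport, proto, nbytes in packets:
        flow = tracker.update(ts, src, sport, dst, dport, proto, nbytes)
        if (src, sport) != flow.initiator:
            continue  # only initiator -> responder bytes count as outbound
        host, hour = flow.initiator[0], int(ts // 3600)
        baseline.record(host, ts, nbytes)
        if baseline.is_anomalous(host, ts) and (host, hour) not in alerts:
            alerts.append((host, hour))
    return tracker, alerts

def demo():
    baseline = HourlyBaseline()
    for h in range(8):  # constructed history: roughly 1 MB/hour from 10.0.0.5 in hours 0-7
        baseline.record("10.0.0.5", h * 3600 + 100, 1_000_000 + (h % 3) * 50_000)
    return run_pipeline(PACKETS, baseline)  # -> 2 flows, alerts [("10.0.0.5", 8)]
```

Two design points matter in practice. The key is canonicalised by endpoint ordering but the initiator is remembered from the first packet seen, so "outbound" stays meaningful even when capture starts mid-conversation only if the first observed packet really came from the client; a production tracker would also use TCP flags to settle direction. The standard-deviation floor in `is_anomalous` is deliberate: a host with a perfectly flat history would otherwise alert on a few extra bytes.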
Protocol Support
| Protocol | Analysis Capabilities |
|---|---|
| DNS | Query/response logging, DGA detection, tunneling detection, suspicious domain resolution |
| TLS/SSL | JA3/JA3S fingerprinting, certificate validation, expired/self-signed cert detection |
| HTTP | URL analysis, user-agent profiling, suspicious download detection |
| SMB | File share access monitoring, lateral movement detection |
| SSH | Session tracking, brute force detection, unusual key exchange |
| RDP | Remote access monitoring, brute force detection |
| Kerberos | Authentication monitoring, golden/silver ticket detection |
| DHCP | Device discovery, rogue DHCP detection |
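The DNS row lists DGA and tunneling detection without saying what distinguishes those queries from ordinary traffic. The following added example, written for this page rather than taken from the collector, shows the usual heuristics: a DGA-like registrable label is long, high-entropy and vowel-poor, while tunneling shows up as many distinct, long query names under one domain, often as TXT or NULL queries. The query log, the `registrable_domain` helper (which ignores multi-label public suffixes) and every threshold are constructed assumptions.

```python
"""DGA and DNS tunneling heuristics over a DNS query log, illustrating the DNS row above.
Added example; not the collector's DNS analysis. The query log, the registrable-domain helper
and all thresholds are constructed assumptions."""
import hashlib
import math
from collections import defaultdict

# Constructed DNS query log: (client_ip, qname, qtype)
QUERIES = [
    ("10.0.0.5", "www.google.com", "A"),
    ("10.0.0.5", "stackoverflow.com", "A"),  # long and high-entropy, but pronounceable
    ("10.0.0.5", "login.microsoft.com", "A"),
    ("10.0.0.6", "xk3jq9v2mwzp.com", "A"),  # DGA-like
    ("10.0.0.6", "qp7zt3vxk1rmwb.net", "A"),  # DGA-like
]
for i in range(30):  # 30 distinct long hex subdomains under one domain, queried as TXT: tunnel-like
    label = hashlib.sha256(str(i).encode()).hexdigest()[:48]
    QUERIES.append(("10.0.0.7", f"{label}.data.tunnel-example.net", "TXT"))

def shannon_entropy(s):
    """Bits per character of the string; equals log2(len(set(s))) when every character is distinct."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_domain(qname):
    """Last two labels. Assumption: ignores multi-label public suffixes such as co.uk."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def looks_like_dga(qname, min_len=10, min_entropy=3.3, max_vowel_ratio=0.2):
    """Long, high-entropy, vowel-poor registrable label. The vowel check is what keeps
    legitimate long names such as stackoverflow from being flagged on entropy alone."""
    label = registrable_domain(qname).split(".")[0]
    if len(label) < min_len or shannon_entropy(label) < min_entropy:
        return False
    return sum(ch in "aeiou" for ch in label) / len(label) < max_vowel_ratio

def dga_hits(queries):
    return sorted({qname for _client, qname, _qtype in queries if looks_like_dga(qname)})

def detect_tunneling(queries, min_unique=20, min_avg_len=50):
    """Per (client, registrable domain): many distinct, long query names is the tunneling signature;
    the TXT/NULL count is reported because those types carry the most data per response."""
    stats = defaultdict(lambda: {"names": set(), "total_len": 0, "count": 0, "txt": 0})
    for client, qname, qtype in queries:
        d = stats[(client, registrable_domain(qname))]
        d["names"].add(qname.lower())
        d["total_len"] += len(qname)
        d["count"] += 1
        d["txt"] += qtype.upper() in ("TXT", "NULL")
    hits = []
    for (client, domain), d in stats.items():
        avg_len = d["total_len"] / d["count"]
        if len(d["names"]) >= min_unique and avg_len >= min_avg_len:
            hits.append((client, domain, len(d["names"]), round(avg_len, 1), d["txt"]))
    return hits

if __name__ == "__main__":
    print("DGA-like:", dga_hits(QUERIES))
    print("tunneling:", detect_tunneling(QUERIES))
```

The entropy threshold alone is a poor DGA signal: any long real word scores above 3.3 bits per character, which is why the vowel ratio is checked as well. Tunneling detection keys on the client as well as the domain, since a CDN or a content-hashing service can legitimately produce many unique subdomains across a whole site but rarely from a single client at volume.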
Detection Capabilities
Signature-Based Detection
- Known malware communication patterns
- Command & Control (C2) beacon detection
- Exploit kit traffic identification
- Known bad IP/domain matching
Behavioral Detection
- Traffic volume anomalies (bytes, packets, connections per host)
- Unusual protocol usage (DNS over non-standard ports, encrypted traffic on unusual ports)
- Lateral movement patterns
- Data exfiltration indicators (large outbound transfers, unusual upload ratios)
- Beaconing detection (periodic outbound connections)
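Two of the behavioral detections above, beaconing and exfiltration by upload ratio, are shown as an added example below (written for this page, not the collector's engines). Beaconing is detected by taking the gaps between successive connections from one internal host to one external host and port and measuring how many of them fall within a tolerance of the median gap, which is what tolerates the jitter real implants add; exfiltration is flagged when an internal host's external traffic is both large and dominated by uploads. The flow records, the RFC 1918 definition of "internal" and all thresholds are constructed assumptions.

```python
"""Beaconing and exfiltration heuristics over flow records, as described in the behavioral list above.
Added example; not the collector's detection engines. Flow records, the internal-network definition
and every threshold are constructed assumptions."""
import ipaddress
from collections import defaultdict
from statistics import median

# Assumed definition of "internal": RFC 1918 space only.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

# Constructed flow records: (start_ts, src_ip, dst_ip, dst_port, bytes_out, bytes_in)
FLOWS = []
# 10.0.0.7: 12 small connections to one external host, about 60 s apart with a few seconds of jitter
_t = 1000
for gap in (60, 63, 57, 61, 60, 58, 62, 60, 59, 61, 60):
    FLOWS.append((_t, "10.0.0.7", "203.0.113.50", 443, 320, 410))
    _t += gap
FLOWS.append((_t, "10.0.0.7", "203.0.113.50", 443, 320, 410))
# 10.0.0.8: ordinary bursty browsing to an external site
for t in (1005, 1009, 1130, 1131, 1400, 1402, 1403, 1900, 2300, 2301, 2350, 2600):
    FLOWS.append((t, "10.0.0.8", "198.51.100.20", 443, 1_500, 45_000))
# 10.0.0.9: one 250 MB upload to an external host, then a large internal backup (not exfiltration)
FLOWS.append((1500, "10.0.0.9", "203.0.113.77", 443, 250_000_000, 2_000_000))
FLOWS.append((1600, "10.0.0.9", "10.0.0.200", 445, 900_000_000, 5_000_000))

def detect_beacons(flows, min_connections=8, tolerance=0.15, min_regular=0.8):
    """Flag (src, dst, port) triples whose inter-connection gaps cluster around one period.
    tolerance is the fractional deviation from the median gap still counted as regular, which
    lets jittered beacons through while bursty browsing stays below min_regular."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _out, _in in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst, port)].append(ts)
    hits = []
    for key, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        regular = sum(1 for g in gaps if abs(g - period) <= tolerance * period) / len(gaps)
        if regular >= min_regular:
            hits.append((key, period, round(regular, 2)))
    return hits

def detect_exfiltration(flows, min_bytes_out=100_000_000, min_upload_ratio=0.8):
    """Flag internal hosts whose traffic to external hosts is large and upload-dominated."""
    totals = defaultdict(lambda: [0, 0])
    for _ts, src, dst, _port, out_b, in_b in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][0] += out_b
            totals[src][1] += in_b
    hits = []
    for host, (out_b, in_b) in totals.items():
        ratio = out_b / (out_b + in_b) if out_b + in_b else 0.0
        if out_b >= min_bytes_out and ratio >= min_upload_ratio:
            hits.append((host, out_b, round(ratio, 3)))
    return hits

if __name__ == "__main__":
    print("beacons:", detect_beacons(FLOWS))
    print("exfiltration:", detect_exfiltration(FLOWS))
```

Both checks are scoped to internal-to-external flows on purpose: the 900 MB SMB transfer to 10.0.0.200 is large but stays inside the network, and counting it would drown the real upload. In a deployment the "internal" set should be the organisation's own address plan rather than bare RFC 1918 ranges, and beacon thresholds need tuning against software updaters and telemetry agents, which are also periodic.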
MITRE ATT&CK Mapping
All NDR detections are mapped to MITRE ATT&CK techniques:
| Tactic | Example Detections |
|---|---|
| Initial Access | Exploit public-facing application, phishing link click |
| Execution | Suspicious script download, malware fetch |
| Persistence | C2 beacon establishment |
| Lateral Movement | SMB/RDP pivoting, pass-the-hash |
| Exfiltration | DNS tunneling, large data transfer to external IP |
| Command & Control | Beaconing, DGA domains, encrypted C2 channels |
Deployment
Network Requirements
- TAP, SPAN, or mirror port configured on network switch
- Dedicated network interface on the collector host for traffic capture
- Minimum 1 Gbps interface (10 Gbps recommended for high-traffic environments)
Performance
| Metric | Capability |
|---|---|
| Throughput | Up to 1 Gbps sustained traffic analysis |
| Flow Tracking | 500,000+ concurrent flows |
| Memory | ~200 MB additional for NDR module |
| Latency | Sub-millisecond packet processing |
Feature Gating
NDR is an add-on capability enabled per tenant:
- When NDR is not enabled for a tenant, NDR events from its collectors are rejected at the ingestion layer
- NDR event volume is tracked separately and does not count against log ingestion quotas
- The collector reports its NDR capability status so the platform can display the appropriate configuration options