That Network Traffic Looks Legit, But it Could be Hiding a Serious Threat

by Wire Tech

With nearly 80% of cyber threats now mimicking legitimate user behavior, how are top SOCs determining what's legitimate traffic and what is potentially dangerous?

Where do you turn when firewalls and endpoint detection and response (EDR) fall short at detecting the most important threats to your organization? Breaches at edge devices and VPN gateways have risen from 3% to 22%, according to Verizon's latest Data Breach Investigations Report. EDR solutions are struggling to catch zero-day exploits, living-off-the-land techniques, and malware-free attacks. Nearly 80% of detected threats use malware-free techniques that mimic normal user behavior, as highlighted in CrowdStrike's 2025 Global Threat Report. The stark reality is that conventional detection methods are no longer sufficient as threat actors adapt their strategies, using techniques like credential theft or DLL hijacking to avoid discovery.

In response, security operations centers (SOCs) are turning to a multi-layered detection approach that uses network data to expose activity adversaries can't conceal.

Technologies like network detection and response (NDR) are being adopted to provide visibility that complements EDR by exposing behaviors that are more likely to be missed by endpoint-based solutions. Unlike EDR, NDR operates without agent deployment, so it effectively identifies threats that use common techniques and legitimate tools maliciously. The bottom line is evasive techniques that work against edge devices and EDR are less likely to succeed when NDR is also on the lookout.

Layering up: The faster threat detection strategy

Much like layering for unpredictable weather, elite SOCs boost resilience through a multi-layered detection strategy centered on network insights. By consolidating detections into a single system, NDR streamlines management and empowers teams to focus on high-priority risks and use cases.

Teams can adapt quickly to evolving attack conditions, detect threats faster, and minimize damage. Now, let's gear up and take a closer look at the layers that make up this dynamic stack:

THE BASE LAYER

Lightweight and quick to apply, these easily catch known threats to form the basis for defense:

  • Signature-based network detection serves as the first layer of protection due to its lightweight nature and quick response times. Industry-leading signatures, such as those from Proofpoint ET Pro running on Suricata engines, can rapidly identify known threats and attack patterns.
  • Threat intelligence, often composed of indicators of compromise (IOCs), looks for known network entities (e.g., IP addresses, domain names, hashes) observed in actual attacks. As with signatures, IOCs are easy to share, lightweight, and quick to deploy, offering faster detection.

THE MALWARE LAYER

Think of malware detection as a waterproof barrier, protecting against "drops" of malware payloads by identifying malware families. Detections such as YARA rules — a standard for static file analysis in the malware analysis community — can identify malware families sharing common code structures. It's crucial for detecting polymorphic malware that alters its signature while retaining core behavioral characteristics.

THE ADAPTIVE LAYER

Built to weather evolving conditions, the most sophisticated layers use behavioral detection and machine learning algorithms that identify known, unknown, and evasive threats:

  • Behavioral detection identifies dangerous activities like domain generation algorithms (DGAs), command and control communications, and unusual data exfiltration patterns. It remains effective even when attackers change their IOCs (or even components of the attack), since the underlying behaviors don't change, enabling quicker detection of unknown threats.
  • ML models, both supervised and unsupervised, can detect both known attack patterns and anomalous behaviors that might indicate novel threats. They can target attacks that span greater lengths of time and complexity than behavioral detections.
  • Anomaly detection uses unsupervised machine learning to spot deviations from baseline network behavior. This alerts SOCs to anomalies like unexpected services, unusual client software, suspicious logins, and malicious management traffic. It helps organizations uncover threats hiding in normal network activity and minimize attacker dwell time.
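As an added example (not code from the article or from Corelight), here is a minimal behavioral check of the kind the adaptive layer describes: it flags hosts whose DNS lookups combine random-looking names with repeated NXDOMAIN answers, the classic footprint of a domain generation algorithm, over constructed lines in a simplified Zeek dns.log layout. The column subset, the thresholds and the single-label-TLD assumption are mine, not Zeek's or any product's defaults.

```python
import math
from collections import Counter, defaultdict

# Constructed sample in a simplified Zeek dns.log layout (not real Corelight
# output): ts, id.orig_h, query, rcode_name, tab-separated.
SAMPLE_DNS_LOG = """\
1700000001.1\t10.0.0.5\twww.example.com\tNOERROR
1700000002.2\t10.0.0.5\tmail.example.com\tNOERROR
1700000003.3\t10.0.0.9\txk3jd9q2lfzv7tp1.net\tNXDOMAIN
1700000004.4\t10.0.0.9\tq8vz2m1kd0fhw5ls.com\tNXDOMAIN
1700000005.5\t10.0.0.9\tzp9r4tgx1lc6hnqv.org\tNXDOMAIN
1700000006.6\t10.0.0.9\twww.example.com\tNOERROR
1700000007.7\t10.0.0.9\tb7n2ykwq5rtd8xmc.net\tNXDOMAIN
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking DGA labels score high (4.0 for 16 distinct chars)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def core_label(fqdn: str) -> str:
    """Label directly under the TLD (assumes single-label TLDs such as .com)."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def parse_dns_log(text: str):
    """Yield (src_host, query, rcode_name) from the constructed TSV lines."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            _ts, src, query, rcode = line.split("\t")
            yield src, query, rcode

def dga_suspects(text: str, min_nx: int = 3, min_entropy: float = 3.5,
                 min_ratio: float = 0.5) -> list:
    """Hosts whose lookups pair high-entropy names with repeated NXDOMAINs.
    Thresholds are illustrative tuning knobs, not any product's defaults."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "random": 0})
    for src, query, rcode in parse_dns_log(text):
        s = stats[src]
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        label = core_label(query)
        s["random"] += (len(label) >= 12 and shannon_entropy(label) >= min_entropy)
    return sorted(h for h, s in stats.items()
                  if s["nx"] >= min_nx and s["random"] / s["total"] >= min_ratio)
```

Because the test keys on behavior (name randomness plus resolution failures) rather than on specific domains, the same host is flagged even after the attacker rotates every domain the DGA emits, which is the property the adaptive layer relies on.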

THE QUERY LAYER

Finally, in some situations there is simply no faster way to generate an alert than to query the existing network data. Search-based detection, meaning saved log search queries that generate alerts and detections, functions like a snap-on layer that is ready for short-term, rapid response.

Unifying threat detection layers with NDR

The true strength in multi-layered detections is how they work together. Top SOCs are deploying Network Detection and Response (NDR) to provide a unified view of threats across the network. NDR correlates detections from multiple engines to deliver a complete threat view, centralized network visibility, and the context that powers real-time incident response.

Beyond layered detections, advanced NDR solutions can also offer several key advantages that enhance overall threat response capabilities:

  • Detecting emerging attack vectors and novel techniques that haven't yet been incorporated into traditional EDR signature-based detection systems.
  • Reducing false positive rates by ~25%, according to a 2022 FireEye report
  • Cutting incident response times with AI-driven triage and automated workflows
  • Comprehensive coverage of MITRE ATT&CK network-based tactics, techniques and procedures (TTPs)
  • Leveraging shared intelligence and community-driven detections (open-source solutions)

The path forward for modern SOCs

The combination of increasingly sophisticated attacks, expanding attack surfaces, and added resource constraints requires a shift toward multi-layered detection strategies. In an environment where attacks succeed in seconds, the window for maintaining effective cybersecurity without an NDR solution is rapidly closing. Elite SOC teams get this and have already layered up. The question isn't whether to implement multi-layered detection, it's how quickly organizations can make this transition.

Corelight Network Detection and Response

Corelight's integrated Open NDR Platform combines all seven of the network detection types mentioned above and is built on a foundation of open-source software like Zeek®, allowing you to tap into the power of community-driven detection intelligence. For more information: Corelight.


Original Article Published at The Hackers News
