Primer Series: NAPP - Network Detection and Response (NDR)
Introduction
NDR analyzes monitored traffic flows to detect (through the use of detectors), map, and defend against abnormal network activity or malicious events by leveraging VMware's NSX Advanced Threat Prevention (ATP) cloud service. Traffic flows flagged as requiring further analysis are forwarded to the ATP cloud service and checked against known attacks to mitigate false positives. Additional context comes from correlating related events and grouping the resulting attacks into campaigns. Each campaign is organized into a timeline, giving security engineers enhanced visibility to review it and take action.
Prerequisites
NDR requires NSX-T Data Center version 3.2.0 or higher, as well as NSX Application Platform (NAPP). For the deployment requirements of NAPP, refer to the first article in this Primer Series on NAPP.
NAPP features are available based on your licensing level. The NSX NDR application requirements are as follows:
License Requirements
- NSX Data Center Evaluation
- NSX-T Evaluation
- NSX Advanced Threat Prevention (Only applicable for customers who have previously purchased the license)
- NSX Advanced Threat Prevention add on for NSX Distributed Firewall with Threat Prevention
- NSX Advanced Threat Prevention add on for NSX Distributed Firewall or NSX Advanced or NSX Enterprise Plus
- NSX Distributed Firewall with Advanced Threat Prevention
- NSX Gateway Firewall with Advanced Threat Prevention
- NSX Advanced Threat Prevention add on for NSX Gateway Firewall
- NSX-T Advanced with NSX Advanced Threat Prevention add on for NSX Distributed Firewall or NSX Advanced or NSX Enterprise Plus
- NSX-T Enterprise Plus with NSX Advanced Threat Prevention add on for NSX Distributed Firewall or NSX Advanced or NSX Enterprise Plus
External Network Connectivity
In addition, NDR requires outbound TCP port 443 to allow HTTPS connections to VMware's NSX Advanced Threat Prevention cloud service.
💡 Note: The NSX NDR application can function as designed only when your NSX-T Data Center is connected to the internet.
Once NAPP is deployed, the tile for enabling the NDR feature appears at the bottom of the NSX Application Platform page under 'Features'. To reach it, navigate to System > NSX Application Platform from within the NSX-T Manager web UI.
Dashboard UI
The NDR user interface is accessible from the NSX-T Manager web UI by clicking the application launcher icon in the top right corner of any page. The NDR landing page is the Dashboard pane, where security engineers can get a snapshot of the threat landscape within their NSX-T Data Center environment. The pane is subdivided into tiles, each providing a high-level overview of one piece of the total threat landscape within the data center. From top to bottom, the tiles are:
- 'Active campaigns in my network': a high-level overview of what is contained within the 'Campaigns' tab on the left.
- 'Network and security summary' and 'Detected threats': an aggregated count of detected security events, events determined to be threats, and the number of campaigns generated from identified threats. The top ten observed threats based on impact score and occurrence can also be viewed here.
- 'Global event map': a snapshot view of where attacks are originating geographically. Attack markers are colorized based on the attack impact score.
- 'New unique detections': detection events seen for the first time within your data center environment. Events are organized in chronological order, and each event is clickable for more detail as needed.
- 'Downloaded files list': data pulled from the 'Files downloaded' tab on the left.
The Dashboard page provides a high-level overview that strikes a balance between summary and detail. Next, we will take a closer look at the capabilities delivered through the NDR application.
Campaigns
The Campaigns pane displays all campaigns detected within the NSX-T Data Center environment. Each campaign is displayed as a card. The card highlights the calculated threat score, the name (Campaign ID), and the latest attack stage within the MITRE ATT&CK framework detected by the NDR application. It also shows the number of affected hosts, the number of different threats, and the current status of the campaign.
Campaign Statuses:
- Open
- In Progress
- Done
- Updated
Just below the campaign cards is a card titled "You might also want to investigate…". This card alerts users to other threats detected within the data center that could not be directly correlated into a new or existing campaign listed in the cards above.
Campaign details can be viewed by clicking on the respective 'Campaign ID' within each card to open a details pane divided into five tabs.
The Overview tab is the default tab when opening any campaign. It summarizes the campaign with an aggregated view of the number of threats associated with the campaign as well as the number of affected hosts. At the bottom, users can visualize the attacks through a graphical UI element known as a blueprint. This blueprint looks similar to the NSX Intelligence "Discover & Take Action" feature reviewed in the NSX Intelligence article within this series.
The Hosts tab provides a list of hosts affected by the identified threats within the campaign.
The Timeline tab organizes all the identified threats and affected hosts into chronological order. This tab is a powerful way to view an attack in a logical, easy-to-understand order, with the detail and associated evidence a security engineer needs to stop an attack, document what happened, and formulate clear recommendations to prevent this type of attack from occurring again.
The campaign details History tab provides contextual history of how a campaign was formed.
The Evidence tab outlines the evidence NDR collected throughout the campaign. Evidence is summarized as tiles, and each tile is expandable to view details surrounding that piece of evidence. The evidence details can contain the following information.
Evidence is collected by the NDR application for each campaign through signature-based detection as well as heuristics. Relevant network data is recorded as well, including source and destination IP addresses, domains, and ports. If a file that has been downloaded or transferred is flagged as suspicious, it is automatically uploaded to VMware's Advanced Threat cloud service and detonated inside a sandbox environment to gain and record additional data surrounding the suspicious file. This additional data includes the task_uuid (an identifier assigned when the malicious file is detonated in VMware's sandbox), a severity score assigned to the file, and any additional correlated data around the file, such as the URL the file was downloaded from, the file name, and the file type (exe, bin, etc.).
Each aggregated data point that makes up a campaign can be drilled into further within the remaining tabs: the Hosts tab displays all the monitored machines, the respectively named tabs show the specifics of a particular event or incident, and the details of flagged, downloaded files detonated within the cloud-based sandbox can be viewed as well.
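To make the campaign card fields and the Timeline tab concrete, the following added example groups detections into campaigns and summarizes each one. It is not VMware's code or NDR's actual correlation logic: the event tuples, the 10.0.0.0/8 monitored range, grouping by shared hosts, ranking stages by ATT&CK matrix order, and using the highest impact score as the campaign score are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

MONITORED = ip_network("10.0.0.0/8")  # assumption: the monitored data center range
# Subset of ATT&CK tactics in matrix order, used to rank how far an attack has progressed.
STAGES = ["Initial Access", "Execution", "Discovery", "Lateral Movement", "Command and Control"]

# Constructed detections: (time, source, destination, threat, tactic, impact score).
EVENTS = [
    ("2022-03-01T09:45:00", "10.0.1.15", "10.0.1.22", "SMB lateral movement", "Lateral Movement", 70),
    ("2022-03-01T09:02:00", "10.0.1.15", "203.0.113.7", "Suspicious download", "Initial Access", 60),
    ("2022-03-01T11:30:00", "10.0.2.40", "10.0.2.41", "Port scan", "Discovery", 30),
    ("2022-03-01T09:10:00", "10.0.1.15", "203.0.113.7", "C2 beacon", "Command and Control", 80),
]

def monitored_hosts(event):
    """Return the endpoints of an event that sit inside the monitored range."""
    return [h for h in event[1:3] if ip_address(h) in MONITORED]

def correlate(events):
    """Group events into campaigns: events touching connected monitored hosts belong together."""
    parent = {}
    def find(host):
        parent.setdefault(host, host)
        while parent[host] != host:
            host = parent[host]
        return host
    for event in events:  # pass 1: link hosts that appear in the same event
        hosts = monitored_hosts(event)
        for other in hosts[1:]:
            parent[find(other)] = find(hosts[0])
    campaigns = defaultdict(list)
    for event in events:  # pass 2: file each event under its host group
        hosts = monitored_hosts(event)
        if hosts:  # traffic with no monitored endpoint is ignored
            campaigns[find(hosts[0])].append(event)
    return list(campaigns.values())

def campaign_cards(events):
    """Summarize each campaign the way a card does, plus its chronological timeline."""
    cards = []
    for evs in correlate(events):
        cards.append({
            "score": max(e[5] for e in evs),  # assumption: highest impact score wins
            "latest_stage": max((e[4] for e in evs), key=STAGES.index),
            "hosts": sorted({h for e in evs for h in monitored_hosts(e)}),
            "threats": len({e[3] for e in evs}),
            "timeline": [(e[0], e[3]) for e in sorted(evs)],  # ISO timestamps sort as text
        })
    return sorted(cards, key=lambda c: c["score"], reverse=True)
```

The lateral-movement event is what pulls 10.0.1.22 into the same campaign as 10.0.1.15, while the unrelated scan on 10.0.2.40 stays a separate, lower-scored campaign.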
VMware's NDR application has been built for today's and tomorrow's distributed, disparate data center environments whether deployed on-premises, in the cloud or a hybrid of the two.