惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

云风的 BLOG
云风的 BLOG
C
Cyber Attacks, Cyber Crime and Cyber Security
Recent Announcements
Recent Announcements
爱范儿
爱范儿
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Security Latest
Security Latest
J
Java Code Geeks
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Cisco Talos Blog
Cisco Talos Blog
Apple Machine Learning Research
Apple Machine Learning Research
C
Check Point Blog
T
Threat Research - Cisco Blogs
I
Intezer
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
WordPress大学
WordPress大学
Engineering at Meta
Engineering at Meta
腾讯CDC
Google DeepMind News
Google DeepMind News
Project Zero
Project Zero
T
Tenable Blog
V
Visual Studio Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
Spread Privacy
Spread Privacy
GbyAI
GbyAI
T
Tailwind CSS Blog
P
Palo Alto Networks Blog
Microsoft Security Blog
Microsoft Security Blog
Scott Helme
Scott Helme
Hugging Face - Blog
Hugging Face - Blog
NISL@THU
NISL@THU
Blog — PlanetScale
Blog — PlanetScale
G
GRAHAM CLULEY
K
Kaspersky official blog
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
P
Proofpoint News Feed
S
SegmentFault 最新的问题
P
Proofpoint News Feed
P
Privacy & Cybersecurity Law Blog
The Hacker News
The Hacker News
博客园 - 【当耐特】
Cyberwarzone
Cyberwarzone
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
V
Vulnerabilities – Threatpost
H
Help Net Security
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Last Week in AI
Last Week in AI
博客园 - 叶小钗

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Vectra AI
Zoey Chu · 2026-05-16 · via Vectra AI Blog

Attackers are getting better at blending in. Even highly resourced enterprises with layers of firewalls, SIEMs, and endpoint agents are still suffering major breaches. Groups like Scattered Spider, Volt Typhoon, Mango Sandstorm, and UNC3886 have proven that prevention and log-based monitoring alone are not enough. Each of these attackers slipped past defenses that were designed to keep them out. What gave them away was not a signature or an alert storm, but their behavior on the network.

This is where Network Detection and Response (NDR) proves essential. Every attacker leaves a trace in network traffic, whether through a hidden tunnel, an unusual login pattern, or a suspicious lateral move. NDR gives SOC teams the ground truth by monitoring live communications across managed, unmanaged, on-premises, and cloud systems.

I recently gave a talk at Black Hat USA 2025 on this exact topic. If you'd rather watch than read, the session recording is now available.

Let’s look at four real-world examples that show how NDR could have stopped advanced adversaries before they caused damage.

1. Scattered Spider: From SMS Phishing to Azure Cloud Pivot

Scattered Spider (UNC3944) is a financially motivated group known for using social engineering to bypass strong preventive controls. In recent campaigns, attackers used SMS phishing and SIM swapping to steal credentials, then used those credentials to log into Microsoft Entra ID (Azure AD). Once inside, they silently modified mailboxes in Exchange Online, established backdoor trust relationships, and pivoted into Azure cloud workloads.

Traditional tools struggled to catch them because the attackers used legitimate credentials. SIEM, CASB, and IAM platforms did not generate alerts once the credentials were valid, which meant the activity looked like normal user behavior. The SOC only saw signs of the breach after critical systems were already exposed.

Anatomy of a Scattered Spider (UNC3944) attack

With NDR in place, these activities would not have blended in. NDR can detect risky sign-ins, mailbox manipulation, and identity privilege anomalies in real time. Instead of investigating weeks later, SOC teams could have spotted the attacker’s movement across Microsoft 365 and Azure at the moment it happened, stopping the pivot before sensitive data was accessed.

2. Volt Typhoon: Persistence Through DNS Tunnels

Volt Typhoon is a state-sponsored group that compromised organizations by starting with a home office foothold. They relied on Earthworm, a fast reverse proxy, and used DNS tunneling for command-and-control callbacks. From there, they leveraged brute force and PowerShell abuse to expand access and maintain persistence inside Windows environments.

These activities blended into the noise of normal traffic. DNS tunneling was hidden inside allowed protocols, valid credential use looked legitimate, and PowerShell scripts appeared similar to standard IT operations. Traditional EDR and IAM tools either missed the signals or failed to flag them as malicious.

Anatomy of a Volt Typhoon Attack

An NDR platform would have surfaced the attack in several ways. It can detect hidden DNS tunnels, identify brute force attempts, and highlight suspicious PowerShell activity that falls outside normal behavior. By correlating these signals across the network and identity layers, NDR gives SOC analysts the visibility they need to detect an attacker before critical systems are compromised.

3. Mango Sandstorm: From Server Exploit to Azure Destruction

Mango Sandstorm exploited an internet-facing server to gain initial access. After establishing control, they moved laterally via RDP and RPC using compromised accounts. The attackers then pivoted into Azure AD and targeted the Azure environment directly, ultimately leading to mass resource deletion of servers, disks, and databases.

The attack was missed because traditional tools could not correlate activity across environments. EDR agents focused on endpoints, while log tools were siloed and lacked visibility into the lateral moves between on-premises systems and the cloud.

Anatomy of a Mango Sandstorm attack

With NDR, the sequence would have looked very different. Behavioral detections for RPC reconnaissance, suspicious privilege escalation, and anomalous Azure activity would have triggered early in the chain. Instead of a large-scale breach and resource destruction, SOC teams would have been able to contain the threat during the lateral movement stage.

4. UNC3886: Zero-Day Exploits in Trusted Zones

UNC3886 is a sophisticated threat group that exploited zero-day vulnerabilities in Fortinet and VMware vCenter to gain access. They installed custom malware on ESXi hypervisors and then used DNS tunneling and other stealth techniques to exfiltrate data.

These environments were difficult to monitor with traditional tools. EDR agents could not be deployed on ESXi, SIEM had no visibility into east-west traffic, and prevention controls had no known indicators to match against. As a result, the attacker persisted undetected for extended periods.

Anatomy of a UNC3886 attack

NDR provides the missing visibility in this type of scenario. By analyzing packet flows and metadata directly, NDR detects hidden HTTPS tunnels, suspicious administrative anomalies, and lateral reconnaissance inside high-trust zones. This allows SOC teams to uncover and stop attacks that bypass both prevention and endpoint-based defenses.

Key Takeaways

Across all four examples, the common thread is clear:

  • Advanced adversaries did not need malware or obvious exploits to succeed.
  • They relied on stolen credentials, hidden tunnels, and legitimate tools to operate under the radar.
  • Traditional controls missed them because those behaviors looked normal at first glance.

NDR changes the outcome. By focusing on behaviors in network traffic, it detects what other tools cannot see. Whether it is a DNS tunnel, a suspicious mailbox change, or a lateral move to the cloud, NDR exposes attackers before they reach their objectives.

For SOC teams, this means the difference between investigating a breach weeks later and stopping an intrusion in real time.

Not convinced yet?