Full Network Visibility: The Foundation of Protection Against EDR-Dodging Attackers

The attack methods used by cybercriminals are becoming more sophisticated, yet their targets remain the same: breaking into organizations, stealing data, disabling infrastructure, or extorting ransom. Although EDR tools remain a cornerstone of modern security systems and significantly boost the level of protection, they are not capable on their own of countering today’s advanced attack methods.

According to the e-book “The Attacker’s Dilemma” published by ExtraHop, attackers know exactly what to expect from endpoint security – which is why they increasingly choose methods that allow them to operate beyond the reach of EDR.

3 KEY METHODS USED BY CYBERCRIMINALS

How attackers circumvent EDR defenses: three key methods

EDR has become so effective at stopping malware infections early on that cybercriminals are increasingly turning to techniques that allow them to operate beyond the reach of such tools. As indicated by ExtraHop, the three most commonly used approaches are:

1️⃣ Credential theft

Stealing logins and passwords is currently the most popular method to gain access to an organization’s resources. According to the 2024 Verizon Data Breach Investigations Report, credential theft played a role in more than half of all analyzed breaches. When attackers impersonate a legitimate user, they do not raise suspicions in EDR systems – which gives them time to assess the environment and prepare subsequent stages of the attack.

2️⃣ Exploiting vulnerabilities

The growing number of vulnerabilities – including zero-day ones, in both server software and security solutions themselves – provides cybercriminals with an ideal pathway into the depths of the organization’s network without needing to interact with endpoints. A growing number of them also use specialized tools known as EDR killers, capable of disabling or bypassing EDR agents.

3️⃣ Living off the land – using built-in system tools

Instead of deploying classic malware, attackers eagerly use tools already available in the system – such as PowerShell, found on every Windows device. This allows adversaries to execute commands, move around the network, and exfiltrate data without triggering antivirus alerts or malware signatures. This approach is much harder to detect because it doesn’t generate classic malware artifacts.

ENDPOINT DETECTION AND RESPONSE

Why is EDR no longer enough?

EDR remains a crucial pillar of endpoint protection and – as emphasized by ExtraHop – still constitutes an essential element of any mature security ecosystem. However, the complexity of modern IT environments and the increasing creativity of cybercriminals mean that such solutions have natural limitations.

Increasingly, attackers operate in areas over which the EDR agent does not have full control or monitoring capabilities – on infrastructure devices (IoT, printers, or servers), in environment segments lacking agents, by using legitimate system tools, or hiding their activities in encrypted, uninspected network traffic.

As a result, organizations receive an incomplete picture of what is actually happening in the environment. To get a full picture of the attack and understand the entire sequence of the attacker’s actions, a second, complementary source of data is essential.

NETWORK DETECTION AND RESPONSE

NDR – the second layer of visibility needed for full protection

Network Detection and Response (NDR) provides insights that EDR cannot deliver – including a complete analysis of network traffic both north-south and east-west, regardless of whether monitored devices have installed agents.

This is because the network provides unique threat data that is difficult to obtain in other ways:

  1. Attackers cannot bypass the network – Every step performed by an attacker – connections to C2 servers, resource scanning, exfiltration-preparatory traffic – must go through the network. This means that packets leave a permanent, indisputable trail that allows actual attacker activity to be reconstructed, even if they are using hiding techniques or fileless tools.
  2. The network reveals the activity of devices not covered by EDR – In every environment, there are devices without agents – cameras, printers, IoT, domain controllers, database servers, or other resources. Every device generates traffic and can thus reveal attack symptoms. Studies show that as much as 47% of key devices are exposed to the public internet, making them attractive targets. Only network traffic analysis allows the detection of threats directed at such elements.
  3. Network data is not available anywhere else – Firewalls monitor only north-south traffic, so they will not detect actions conducted within the internal network. Meanwhile, it is precisely in east-west traffic where attackers hide the longest – conducting reconnaissance, performing lateral movement, and preparing the most destructive attack stages, such as ransomware. Only NDR provides full insight into these processes.
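
To make the north-south versus east-west point concrete, here is an added example (not code from the article or from ExtraHop) that classifies constructed flow records by direction and flags an internal host fanning out to many peers over remote-administration ports, the reconnaissance and lateral-movement pattern described above. The internal address ranges, the port list, the flow records and the threshold are all assumptions chosen for the illustration.

```python
import ipaddress
from collections import defaultdict

# Address ranges the (hypothetical) organization owns; anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports commonly used for remote administration, and therefore for lateral movement.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}

# Constructed flow records (src_ip, dst_ip, dst_port); not captured from any real network.
SAMPLE_FLOWS = [
    ("10.0.5.23", "10.0.5.10", 445),
    ("10.0.5.23", "10.0.5.11", 445),
    ("10.0.5.23", "10.0.5.12", 445),
    ("10.0.5.23", "10.0.5.13", 3389),
    ("10.0.5.23", "10.0.5.14", 5985),
    ("10.0.5.23", "10.0.5.15", 5985),
    ("10.0.5.23", "203.0.113.5", 443),   # ordinary outbound HTTPS (documentation address)
    ("10.0.5.40", "10.0.5.10", 445),     # a second workstation touching one file share
    ("10.0.5.40", "203.0.113.5", 443),
]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(src: str, dst: str) -> str:
    """'east-west' when both ends are inside the organization, otherwise 'north-south'."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"

def firewall_view(flows):
    """What a perimeter firewall sees: only the flows that cross the boundary."""
    return [f for f in flows if direction(f[0], f[1]) == "north-south"]

def internal_fanout(flows, min_hosts=5):
    """Sources that reach at least `min_hosts` distinct internal hosts on admin ports.

    One workstation opening SMB/RDP/WinRM sessions to many peers across the observed
    flows is the kind of east-west activity a firewall never sees but NDR can surface.
    """
    peers = defaultdict(set)
    for src, dst, port in flows:
        if direction(src, dst) == "east-west" and port in ADMIN_PORTS:
            peers[src].add(dst)
    return {src: sorted(hosts) for src, hosts in peers.items() if len(hosts) >= min_hosts}

if __name__ == "__main__":
    print("firewall sees", len(firewall_view(SAMPLE_FLOWS)), "of", len(SAMPLE_FLOWS), "flows")
    for src, hosts in internal_fanout(SAMPLE_FLOWS).items():
        print(f"{src} reached {len(hosts)} internal hosts on admin ports: {hosts}")
```

On the sample data the perimeter view contains only the two HTTPS flows, while the east-west view flags 10.0.5.23 for reaching six internal hosts on administrative ports.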

EDR, NDR, SIEM

The strongest protection: combining EDR, NDR, and SIEM

ExtraHop highlights that the most effective strategy for SOC teams is to integrate three key layers – EDR, NDR, and SIEM – which together provide comprehensive, multi-dimensional visibility and effective threat response. Such a combination enables:

  • faster threat detection through the correlation of data from various sources,
  • full incident context, including both endpoint activity and network traffic,
  • automation of defense actions, reducing SOC response time,
  • higher quality alerts, based on a richer, more reliable data set,
  • retrospective threat analysis based on rich historical metadata and complete network context.

It is precisely the network layer that provides organizations with a crucial strategic advantage: defenders need only one successful detection to stop an attack, while the attacker must remain invisible throughout their operations.

CONTACT US

Why choose ExtraHop solutions?

Implementing a network-based analytical layer, such as ExtraHop RevealX, is not only a response to the increasing number of attacks but primarily a strategic investment in organizational resilience. With capabilities for full visibility into network traffic, advanced analytics, and immediate alerts, NDR allows for faster anomaly identification, reduces response time, and strengthens existing protections with crucial data that no other source provides.

The combination of EDR, NDR, and SIEM enables organizations not only to quickly detect attacks but also to understand their full context and take appropriate actions at the right moment. If you want to learn how ExtraHop solutions can enhance your infrastructure’s security and significantly improve your SOC’s capabilities, feel free to contact us. As an official distributor of ExtraHop, we are happy to present the full capabilities of the RevealX platform and help select the solution best suited to your organization’s needs!

And if you want access to the full content of the e-book “The Attacker’s Dilemma” by ExtraHop, contact us!
