The 80/20 Problem in Network Detection
Your network detection and response platform sees the majority of your traffic. HTTP and HTTPS requests. Email flows. File transfers. DNS queries. Authentication events. For standard business traffic, your NDR probably does an excellent job of monitoring, baselining and alerting on anomalies.
That is the 80%.
The other 20% is where things get interesting. The 20% your NDR misses is exactly where attackers operate. Not by accident. By design. Sophisticated threat actors study detection tools the same way we study attack techniques. They know what your tools watch and they know what your tools cannot watch. Then they operate in the gaps.
Gap 1: Encrypted Tunnels
Encryption is a double-edged sword for network security. It protects your data in transit. It also protects an attacker's data in transit.
When an attacker establishes an encrypted tunnel from a compromised internal host to an external command-and-control server, your NDR sees the connection metadata: source IP, destination IP, port, packet sizes and timing. It does not see the content. It cannot tell the difference between an encrypted tunnel carrying stolen financial data and an encrypted tunnel carrying a legitimate video call.
Modern attack frameworks default to encrypted channels. Cobalt Strike uses HTTPS by default. Sliver supports mTLS, WireGuard and HTTPS. Mythic uses encrypted websockets. The entire offensive tooling ecosystem has evolved specifically to hide inside the encrypted traffic that NDR tools struggle to inspect.
Without SSL/TLS interception at a proxy or firewall, encrypted tunnels are a structural blind spot. And even with interception, tunnels that use certificate pinning or custom encryption layers remain invisible.
Gap 2: DNS Exfiltration
DNS is the protocol that most organizations monitor the least. It is ubiquitous, high-volume and considered infrastructure rather than a security concern. That makes it the perfect exfiltration channel.
DNS exfiltration works by encoding data into DNS queries. Instead of requesting the IP address for "www.example.com," the attacker's tool requests the IP for "SGVsbG8gV29ybGQ.attacker-domain.com." The encoded data (in this case, "Hello World" in base64) is transmitted as a subdomain label to the attacker's DNS server.
At low throughput, DNS exfiltration is nearly undetectable. Your network generates thousands of DNS queries per minute. A few dozen extra queries per hour, each carrying a few bytes of encoded data, are statistically invisible. Over days or weeks, gigabytes of data can leave your network through a channel your NDR is not designed to deeply inspect.
Some NDR tools flag high volumes of DNS queries or unusually long subdomain labels. But sophisticated tools randomize query lengths, vary timing intervals and use multiple subdomain patterns to stay under detection thresholds.
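An added example of the kind of DNS-specific analysis the text says general-purpose NDR lacks (this is illustrative code written for this article, not Sherlock Forensics or ShadowTap code). It assumes a constructed query log in the form "epoch client qname" and illustrative thresholds. Rather than keying only on label length or raw query volume, which the randomization described above defeats, it profiles each base domain by how many of its queries use a never-seen-before prefix and by the entropy of the leftmost label: an encoded payload produces a new, high-entropy label on almost every query, while ordinary hostnames repeat and are low-entropy.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one query per line: "<epoch> <client-ip> <qname>".
# The attacker-domain.com queries carry base64 text in the first label, in the same
# shape as the SGVsbG8gV29ybGQ example from the article.
SAMPLE_LOG = """\
1700000000 10.0.0.15 www.example.com
1700000001 10.0.0.15 mail.example.com
1700000002 10.0.0.22 SGVsbG8gV29ybGQ.attacker-domain.com
1700000005 10.0.0.22 dGhpcyBpcyBz.attacker-domain.com
1700000009 10.0.0.22 ZWNyZXQgZmlsZQ.attacker-domain.com
1700000015 10.0.0.22 Y29udGVudHMgb2Y.attacker-domain.com
1700000031 10.0.0.22 dGhlIHBheXJvbGw.attacker-domain.com
1700000040 10.0.0.22 ZGF0YWJhc2U.attacker-domain.com
1700000041 10.0.0.15 cdn.example.com
1700000042 10.0.0.31 www.example.com
1700000043 10.0.0.31 login.example.com
1700000044 10.0.0.31 www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Approximate the registered domain as the last two labels.
    A production version would consult the public suffix list (co.uk etc.)."""
    return ".".join(qname.lower().split(".")[-2:])


def parse_log(text: str):
    """Parse the constructed log format. Case is preserved because encoded
    payloads (base64) rely on it, even though DNS itself is case-insensitive."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.rstrip(".")))
    return records


def profile_domains(records):
    """Aggregate per base domain: query count, distinct prefixes, summed entropy
    and length of the leftmost label, and the set of querying clients."""
    stats = defaultdict(lambda: {"queries": 0, "prefixes": set(), "clients": set(),
                                 "entropy_sum": 0.0, "len_sum": 0})
    for _ts, client, qname in records:
        base = base_domain(qname)
        st = stats[base]
        st["queries"] += 1
        st["clients"].add(client)
        prefix = qname[: -len(base)].rstrip(".")  # labels left of the base domain
        if prefix:
            st["prefixes"].add(prefix)
            first = prefix.split(".")[0]
            st["entropy_sum"] += shannon_entropy(first)
            st["len_sum"] += len(first)
    return stats


def find_exfil_candidates(records, min_queries=5, min_unique_ratio=0.9, min_entropy=3.0):
    """Flag base domains where nearly every query carries a fresh, high-entropy prefix.
    Thresholds are illustrative assumptions and should be tuned per environment."""
    flagged = []
    for base, st in profile_domains(records).items():
        if st["queries"] < min_queries:
            continue
        unique_ratio = len(st["prefixes"]) / st["queries"]
        avg_entropy = st["entropy_sum"] / st["queries"]
        if unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            flagged.append({
                "domain": base,
                "queries": st["queries"],
                "unique_ratio": round(unique_ratio, 2),
                "avg_entropy": round(avg_entropy, 2),
                "avg_label_len": round(st["len_sum"] / st["queries"], 1),
                "clients": sorted(st["clients"]),
            })
    return sorted(flagged, key=lambda f: f["avg_entropy"], reverse=True)


if __name__ == "__main__":
    for hit in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the sample, example.com is never flagged (its four hostnames repeat and average about one bit per character) while attacker-domain.com is, with every query carrying a distinct prefix averaging over three bits per character; the "clients" field points the analyst straight at the host that issued them. Against an adversary that slows to a few queries per hour, the same ratio still holds, so the useful knob is the length of the window over which records are collected rather than a rate threshold.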
Gap 3: ICMP Tunnels
ICMP (Internet Control Message Protocol) is the protocol behind ping and traceroute. Most organizations allow ICMP through their firewalls because blocking it breaks network troubleshooting. Most NDR tools monitor ICMP for anomalous patterns but do not deeply inspect ICMP payload content.
ICMP tunneling encodes data in the payload section of ICMP echo request and reply packets. To the NDR, it looks like ping traffic. The device is pinging an external host. That is normal behavior for many devices. What the NDR does not see is that the "ping" traffic is carrying command-and-control instructions or exfiltrated data.
Tools like icmpsh, ptunnel and hans make ICMP tunneling straightforward. They are freely available and well-documented. An attacker with shell access to an internal host can establish ICMP-based command-and-control in minutes.
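An added example, written for this article rather than taken from Sherlock Forensics or any of the tools named above, of the payload-size monitoring that distinguishes tunnelled ICMP from ordinary ping traffic. It assumes a constructed export of echo-request records (epoch, source, destination, payload length) and illustrative thresholds. The point it makes is that a ping utility sends the same payload length on every packet (56 bytes on Linux, 32 on Windows), so a flow whose echo payloads vary in size or exceed a modest ceiling is carrying something other than a diagnostic ping; the check for internal hosts pinging external destinations is the policy violation on its own, independent of payload size.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges; anything else is treated as external in this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed ICMP echo-request records as a sensor might export them:
# (epoch, src, dst, payload_len). Normal pings use a fixed, OS-specific payload size.
SAMPLE_ECHOES = [
    (1700000000, "10.0.0.15", "10.0.0.1", 56),       # Linux ping to the gateway, fixed 56 bytes
    (1700000001, "10.0.0.15", "10.0.0.1", 56),
    (1700000002, "10.0.0.15", "10.0.0.1", 56),
    (1700000003, "10.0.0.15", "10.0.0.1", 56),
    (1700000010, "10.0.0.40", "198.51.100.9", 32),   # Windows ping to an external host, fixed 32 bytes
    (1700000011, "10.0.0.40", "198.51.100.9", 32),
    (1700000012, "10.0.0.40", "198.51.100.9", 32),
    (1700000020, "10.0.0.22", "203.0.113.7", 512),   # steady stream of varying, large payloads
    (1700000022, "10.0.0.22", "203.0.113.7", 1024),
    (1700000024, "10.0.0.22", "203.0.113.7", 731),
    (1700000026, "10.0.0.22", "203.0.113.7", 1024),
    (1700000028, "10.0.0.22", "203.0.113.7", 288),
    (1700000030, "10.0.0.22", "203.0.113.7", 960),
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize_flows(echoes):
    """Per (src, dst) pair: packet count, payload-size profile and rough throughput."""
    flows = defaultdict(list)
    for ts, src, dst, size in echoes:
        flows[(src, dst)].append((ts, size))
    summary = {}
    for key, items in flows.items():
        sizes = [s for _, s in items]
        times = sorted(t for t, _ in items)
        span = max(times[-1] - times[0], 1)  # avoid division by zero for a single packet
        summary[key] = {
            "count": len(items),
            "external_dst": not is_internal(key[1]),
            "distinct_sizes": len(set(sizes)),
            "max_size": max(sizes),
            "bytes_per_sec": sum(sizes) / span,
        }
    return summary


def flag_icmp_flows(echoes, max_normal_payload=128, min_distinct_sizes=3):
    """Return findings as (src, dst, reasons). Thresholds are illustrative assumptions:
    128 bytes comfortably covers default ping payloads, and three distinct sizes in one
    flow is something no stock ping utility produces."""
    findings = []
    for (src, dst), s in summarize_flows(echoes).items():
        reasons = []
        if s["external_dst"] and is_internal(src):
            reasons.append("internal host echo to external destination")
        if s["max_size"] > max_normal_payload:
            reasons.append(f"payload up to {s['max_size']} bytes")
        if s["distinct_sizes"] >= min_distinct_sizes:
            reasons.append(f"{s['distinct_sizes']} distinct payload sizes")
        if reasons:
            findings.append((src, dst, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, reasons in flag_icmp_flows(SAMPLE_ECHOES):
        print(f"{src} -> {dst}: " + "; ".join(reasons))
```

The gateway ping from 10.0.0.15 produces no finding; the Windows host pinging an external address trips only the policy check; the 10.0.0.22 flow trips all three and its bytes_per_sec figure (several hundred bytes per second sustained over echo requests) gives the analyst a sense of how much data is moving. The bytes_per_sec field is the one to raise severity on, since a tunnel carrying a shell session and a tunnel exfiltrating a file look the same by size profile alone.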
Gap 4: Non-Standard Port Usage
NDR tools often classify traffic based on port numbers. Traffic on port 443 is HTTPS. Traffic on port 22 is SSH. Traffic on port 53 is DNS. This classification drives detection rules and behavioral models.
Attackers exploit this by running protocols on unexpected ports. SSH on port 443 looks like HTTPS to a port-based classifier. HTTP on port 8080 may not receive the same inspection as HTTP on port 80. Custom protocols on high-numbered ports may not trigger any classification at all.
Deep packet inspection (DPI) can identify protocols regardless of port number, but DPI is computationally expensive and not always enabled on all traffic. High-volume environments often sample traffic rather than inspecting every packet, which creates additional gaps.
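An added example of the content-based classification the paragraph contrasts with port-based rules (illustrative code written for this article, not Sherlock Forensics code or any vendor's DPI engine). It assumes a constructed set of flows represented as the destination port plus the first bytes the client sent, and recognises three protocols from those bytes alone: SSH by its "SSH-" banner, TLS by the handshake record header (content type 0x16, major version 0x03, handshake type 0x01 for ClientHello) and HTTP by a method token followed by " HTTP/" on the request line. A port-based expectation table is kept only so that the audit can report where the two views disagree, which is exactly the case the text describes.

```python
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ", b"CONNECT ")

# The port-based expectation a naive classifier would apply (assumed, illustrative).
EXPECTED_BY_PORT = {22: "ssh", 80: "http", 443: "tls", 8080: "http", 8443: "tls"}

# Constructed client->server flows: (dst_port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"),     # genuine TLS ClientHello
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),                          # SSH hidden on 443
    (8080, b"GET /api/status HTTP/1.1\r\nHost: app\r\n\r\n"),    # HTTP where HTTP is expected
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),                           # SSH where SSH is expected
    (9001, b"POST /beacon HTTP/1.1\r\nHost: cdn-updates\r\n"),  # HTTP on a high port
    (4444, b"\x8f\x02\xa1\x1d\x00\x33\xff\x10\x2c\x7e"),         # no recognisable protocol
]


def classify_by_content(first_bytes: bytes) -> str:
    """Identify the protocol from the client's opening bytes, ignoring the port entirely."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04, 2-byte length,
    # then the first handshake message type, 0x01 for ClientHello.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x04 and first_bytes[5] == 0x01):
        return "tls"
    request_line = first_bytes.split(b"\r\n", 1)[0]
    if first_bytes.startswith(HTTP_METHODS) and b" HTTP/" in request_line:
        return "http"
    return "unknown"


def audit_flows(flows):
    """Compare the content verdict with the port expectation and report disagreements.
    Returns (port, content_protocol, explanation) tuples."""
    findings = []
    for port, first_bytes in flows:
        content = classify_by_content(first_bytes)
        expected = EXPECTED_BY_PORT.get(port)
        if expected is not None and content != expected:
            findings.append((port, content, f"expected {expected} on port {port}, saw {content}"))
        elif expected is None and content == "unknown":
            findings.append((port, content, f"unclassified protocol on non-standard port {port}"))
        elif expected is None:
            findings.append((port, content, f"{content} on non-standard port {port}"))
    return findings


if __name__ == "__main__":
    for port, content, why in audit_flows(SAMPLE_FLOWS):
        print(f"port {port}: {content:8s} {why}")
```

Three of the six flows produce findings: SSH on 443, HTTP on 9001 and an unclassified stream on 4444. The first is the mismatch a port-only rule cannot see; the last two show why the "no classification at all" case deserves its own alert rather than silence. Only the first packet or two of each flow is inspected, which is what makes this affordable at volume compared with inspecting every packet.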
Gap 5: Identity Rotation
One of the most effective evasion techniques against behavioral NDR tools is identity rotation. An attacker who compromises multiple credentials can switch between them during an operation, spreading activity across multiple user identities.
From the NDR's perspective, each identity performs a small amount of activity that falls within normal behavioral parameters. User A accesses three file shares. User B accesses four file shares. User C accesses two file shares. Individually, none of these activities are anomalous. Collectively, they represent a single attacker mapping the entire file server infrastructure.
Correlating activity across identity changes requires the NDR to detect that multiple user sessions originate from the same source, which is complicated by MAC address spoofing and hostname cloning. If the attacker rotates both credentials and device identifiers, the correlation challenge becomes significantly harder.
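An added example of the source-keyed correlation the paragraph calls for, written for this article (it is not Sherlock Forensics code or any UEBA product's logic) and using a constructed set of file-share access events of the form (epoch, source address, user, share) with illustrative thresholds. It reproduces the scenario above: three identities from one source touch three, four and two shares, so a per-user baseline stays quiet, while re-keying the same events by source device and sliding a time window over them surfaces the nine-share sweep. As the text notes, keying on the source address is only as reliable as the address itself; a deployment would add hostname, MAC or a device certificate to the key, and an attacker rotating those too is the harder case.

```python
from collections import defaultdict

# Constructed file-share access events, as SMB session logs might yield them:
# (epoch, source_ip, user, share).
EVENTS = [
    (1700000000, "10.0.0.22", "alice", "fs01/finance"),
    (1700000030, "10.0.0.22", "alice", "fs01/hr"),
    (1700000060, "10.0.0.22", "alice", "fs01/legal"),
    (1700000120, "10.0.0.22", "bob",   "fs02/eng"),
    (1700000150, "10.0.0.22", "bob",   "fs02/qa"),
    (1700000180, "10.0.0.22", "bob",   "fs02/ops"),
    (1700000210, "10.0.0.22", "bob",   "fs02/it"),
    (1700000300, "10.0.0.22", "carol", "fs03/sales"),
    (1700000330, "10.0.0.22", "carol", "fs03/marketing"),
    (1700000040, "10.0.0.15", "dave",  "fs01/finance"),   # ordinary single-user activity
    (1700000400, "10.0.0.15", "dave",  "fs01/finance"),
    (1700000100, "10.0.0.31", "erin",  "fs02/eng"),
    (1700000200, "10.0.0.31", "erin",  "fs02/qa"),
    (1700000500, "10.0.0.31", "erin",  "fs03/sales"),
]


def per_identity_alerts(events, max_shares_per_user=5):
    """The per-user rule a behavioural baseline applies: too many distinct shares
    for one account. Threshold is an illustrative assumption."""
    shares_by_user = defaultdict(set)
    for _ts, _src, user, share in events:
        shares_by_user[user].add(share)
    return sorted(u for u, s in shares_by_user.items() if len(s) > max_shares_per_user)


def correlate_by_source(events, window_s=600, min_users=3, min_shares=6):
    """Re-key the same events by source device and slide a time window over each source.
    Fires when several identities from one source together touch many shares, even
    though no single identity exceeded its own baseline. Thresholds are illustrative."""
    by_src = defaultdict(list)
    for ts, src, user, share in events:
        by_src[src].append((ts, user, share))
    findings = []
    for src, items in by_src.items():
        items.sort()
        best = None
        for t0, _, _ in items:  # each event opens a candidate window
            window = [e for e in items if t0 <= e[0] <= t0 + window_s]
            users = {u for _, u, _ in window}
            shares = {s for _, _, s in window}
            if len(users) >= min_users and len(shares) >= min_shares:
                if best is None or len(shares) > len(best["shares"]):
                    best = {"source": src, "window_start": t0,
                            "users": sorted(users), "shares": sorted(shares)}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    print("per-identity alerts:", per_identity_alerts(EVENTS))
    for f in correlate_by_source(EVENTS):
        print(f"{f['source']}: {len(f['users'])} identities, {len(f['shares'])} shares "
              f"within {600}s starting {f['window_start']}: {f['users']}")
```

The per-identity check returns nothing for this data set, which is the evasion working as intended; the source-keyed check returns one finding for 10.0.0.22 listing alice, bob and carol and all nine shares. Reporting the best window per source rather than every overlapping window keeps one sweep from generating a dozen near-duplicate alerts.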
What the 20% Means for Your Security Posture
The 20% is not random. It is the specific traffic categories that attackers use because they know detection is weak. Every advanced persistent threat (APT) group uses encrypted tunnels. Every sophisticated ransomware operator uses DNS or ICMP for initial beacon callbacks. Every red team engagement exploits identity rotation.
If your NDR sees 80% of traffic, you have 80% coverage. That sounds good until you realize that 100% of sophisticated attacks target the other 20%. Your coverage is strong where attacks are weak and weak where attacks are strong.
Closing the Gaps
Closing these gaps requires a combination of architectural changes, configuration improvements and complementary controls:
- SSL/TLS interception: Deploy transparent proxies or firewall-based TLS inspection to give your NDR visibility into encrypted traffic content
- DNS security: Deploy dedicated DNS security tools that analyze query patterns, subdomain entropy and response payloads at a level of depth that general-purpose NDR tools do not provide
- ICMP policy: Restrict ICMP to essential use cases. Block ICMP echo requests from workstations to external destinations. Monitor ICMP payload sizes for anomalies
- Protocol-aware inspection: Enable deep packet inspection that classifies traffic by protocol content rather than port number
- Identity correlation: Implement UEBA (User and Entity Behavior Analytics) tools that correlate activity across identity changes based on source device, timing and access patterns
But before implementing any of these controls, you need to know which gaps exist in your specific environment. That requires independent validation.
At Sherlock Forensics, ShadowTap validation tests each of these five gap categories against your production network. The result is a quantified coverage map that tells you exactly where your NDR sees clearly, where it sees dimly and where it is blind.