About NDR Active threat intelligence

NDR Active Threat Intelligence uses Taegis NDR (also known as iSensor) high-signal detection patterns, curated by Sophos Labs, to identify potentially malicious network traffic and active adversaries. The firewall detects and logs the events, and you can see them in the Sophos Firewall web admin console, Sophos Central, and the Sophos Data Lake. Alerts and detections from NDR Active Threat Intelligence are sent to the Sophos Data Lake. This lets Sophos MDR analysts and XDR customers investigate threats, perform deeper analysis, and identify adversary activity more effectively.

For information about how to configure NDR Active Threat Intelligence, see Configure NDR Active threat intelligence.

The following examples explain how NDR Active Threat Intelligence helps identify threats.

  • Living‑off‑the‑land attack: Attackers misuse trusted system tools, such as Certutil, to secretly download malware.

    NDR Active Threat Intelligence detects the download of executable files initiated by legitimate system utilities.

  • Compromised device turned attacker: A compromised device uses SSH to scan and target other systems, a technique seen in the NoaBot botnet.

    NDR Active Threat Intelligence detects SSH connections that indicate a compromised host scanning other SSH‑enabled systems to attempt brute‑force attacks and lateral movement.

  • Malware phoning home: Suspicious HTTP traffic is generated over the standard DNS port to establish covert command‑and‑control communication.

    NDR Active Threat Intelligence detects HTTP GET requests sent to remote systems hosting web services on the standard DNS port.

  • Stealth data exfiltration: Tools such as finger are used to quietly exfiltrate data or hide malware within image files.

    NDR Active Threat Intelligence detects data exfiltration attempts from Windows hosts involving the misuse of the finger tool, indicating potential compromise within the customer environment.
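
The following script is an added illustration of the four example behaviours above, written for this page; it is not Sophos's detection logic and does not reflect the actual Taegis NDR patterns or the Sophos Data Lake schema. It applies four simple heuristics to constructed, Zeek-style flow records: an executable download by a client whose User-Agent looks like a system utility, one source opening SSH to many distinct hosts, an HTTP GET to the DNS port, and finger traffic from a Windows host. The `Flow` fields, the `WINDOWS_HOSTS` inventory and the `SSH_FANOUT_THRESHOLD` value are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One summarised connection. The field names are an assumption for this
    example (roughly Zeek-style), not the schema used by Taegis NDR."""
    src_ip: str
    dst_ip: str
    dst_port: int
    service: str              # application protocol seen on the wire: "http", "ssh", "finger", "dns"
    method: str = ""          # HTTP method, if any
    user_agent: str = ""      # HTTP User-Agent, if any
    resp_magic: bytes = b""   # first bytes of the server's response body, if captured


# Assumed asset inventory (constructed for the example): internal hosts that run Windows.
WINDOWS_HOSTS = {"10.0.0.5", "10.0.0.7"}

# Assumed minimum number of distinct SSH targets before a source is treated as scanning.
SSH_FANOUT_THRESHOLD = 5


def lolbin_download(f: Flow):
    """Living-off-the-land: a PE file (starts with 'MZ') fetched over HTTP by a client
    whose User-Agent is a built-in utility (certutil-style) rather than a browser."""
    ua = f.user_agent.lower()
    system_tool_ua = ua.startswith("certutil") or ua.startswith("microsoft-cryptoapi")
    if f.service == "http" and f.method == "GET" and system_tool_ua and f.resp_magic.startswith(b"MZ"):
        return {"rule": "lolbin_exe_download", "src": f.src_ip, "dst": f.dst_ip}
    return None


def http_on_dns_port(f: Flow):
    """Malware phoning home: an HTTP GET to a remote web service listening on port 53."""
    if f.service == "http" and f.method == "GET" and f.dst_port == 53:
        return {"rule": "http_get_on_dns_port", "src": f.src_ip, "dst": f.dst_ip}
    return None


def finger_from_windows(f: Flow):
    """Stealth exfiltration: the finger protocol used from a Windows host, which has
    no routine reason to speak it."""
    if f.service == "finger" and f.src_ip in WINDOWS_HOSTS:
        return {"rule": "finger_from_windows", "src": f.src_ip, "dst": f.dst_ip}
    return None


def ssh_fanout(flows):
    """Compromised device turned attacker: one source opening SSH sessions to many
    distinct hosts, the shape of a host scanning for further SSH targets."""
    targets = defaultdict(set)
    for f in flows:
        if f.service == "ssh":
            targets[f.src_ip].add(f.dst_ip)
    return [{"rule": "ssh_scan_fanout", "src": src, "dst": sorted(dsts)}
            for src, dsts in targets.items() if len(dsts) >= SSH_FANOUT_THRESHOLD]


def detect(flows):
    """Run the per-flow rules over every record, then the aggregate SSH rule."""
    alerts = []
    for f in flows:
        for rule in (lolbin_download, http_on_dns_port, finger_from_windows):
            alert = rule(f)
            if alert:
                alerts.append(alert)
    alerts.extend(ssh_fanout(flows))
    return alerts


# Constructed sample traffic: two hits and two benign look-alikes per behaviour.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, "http", "GET", "CertUtil URL Agent", b"MZ\x90\x00"),
    Flow("10.0.0.6", "203.0.113.11", 80, "http", "GET", "Mozilla/5.0", b"MZ\x90\x00"),   # browser download: ignored
    Flow("10.0.0.6", "203.0.113.12", 53, "http", "GET", "Mozilla/5.0"),
    Flow("10.0.0.6", "203.0.113.13", 53, "dns"),                                         # ordinary DNS: ignored
    Flow("10.0.0.5", "192.0.2.9", 79, "finger"),
    Flow("10.0.0.8", "192.0.2.9", 79, "finger"),                                         # non-Windows host: ignored
    Flow("10.0.0.10", "10.0.0.30", 22, "ssh"),                                           # two targets: below threshold
    Flow("10.0.0.10", "10.0.0.31", 22, "ssh"),
] + [Flow("10.0.0.9", f"10.0.0.{n}", 22, "ssh") for n in range(20, 26)]                 # six targets: fan-out


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

Each rule on its own is a weak signal, which is why the output is meant to feed an investigation rather than block traffic: a browser fetching an executable or an administrator running finger from a jump host would be benign. The aggregate SSH rule shows the other point the examples make, that some detections need state across many flows rather than a single packet.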

Note

These activities can't always be blocked immediately as confirmed threats. However, they serve as strong indicators for threat investigations when correlated with other signals.