Key Takeaways:
- Adversaries are using Artificial Intelligence (AI) to innovate and improve their attack strategies, making them harder to detect.
- The rise of AI-based threats requires a combination of Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) to effectively defend against attacks.
- EDR and NDR bring different protective benefits, with EDR focused on individual endpoints and NDR monitoring the network environment.
- The expanding attack surface and growing complexity of threats require security systems to work together, sharing metadata and signals to find and stop threats.
- The use of AI, steganography, and social engineering techniques is becoming more prevalent in cyber attacks, making it essential to have a comprehensive defense strategy.
Introduction to the Evolving Cyber Threat Landscape
The cyber threat landscape is constantly evolving, with adversaries innovating and improving their attack strategies. The rise of AI is transforming the way attacks are carried out, making them more sophisticated and harder to detect. According to Google’s Threat Intelligence Group, adversaries are using Large Language Models (LLMs) to conceal code and generate malicious scripts on the fly, allowing malware to shape-shift in real-time and evade conventional defenses. This has led to a significant increase in the use of AI-orchestrated cyber espionage campaigns, where AI is integrated throughout the stages of attack, from initial access to exfiltration.
The Rise of AI-Based Threats
In November 2025, Anthropic reported on the first known "AI-orchestrated cyber espionage campaign," which featured AI integrated throughout the stages of attack. This operation was executed largely autonomously by the AI itself, demonstrating the unprecedented sophistication and deception of these novel attacks. Another recent trend concerns ClickFix-related attacks using steganography techniques, which involve hiding malware within image files that slip past signature-based scans. These attacks are skillfully disguised as legitimate software update screens or CAPTCHAs, deceiving users into deploying remote access trojans (RATs), info-stealers, and other malware payloads on their own devices.
Exploiting Anti-Virus Exclusion Rules
Adversaries are also exploiting ways to trigger and compromise anti-virus (AV) exclusion rules by using a combination of social engineering, attack-in-the-middle, and SIM swapping techniques. According to research from Microsoft’s threat team, the threat actor known as Octo Tempest convinced its victims to disable various security products and automatically delete email notifications, allowing their malware to spread across an enterprise network without tripping endpoint alerts. Actors are also easily deploying dynamic and adaptive tools that specialize in detecting and disabling AV software on endpoints. These techniques share a common thread: the ability to evade legacy defenses such as endpoint detection and response (EDR), exposing the limitations of relying solely on EDR.
The Need for NDR and EDR
Network detection and response (NDR) and EDR both bring different protective benefits. EDR is focused on what is happening inside each specific endpoint, whereas NDR continuously monitors the network environment, detecting threats as they traverse the organization. In the age of AI-based threats, there is a need for both kinds of systems to work together, especially as these attacks can operate at higher speeds and greater scale. Some EDR systems were not designed for the speed and scale of AI-fueled attacks, making it essential to have a complementary technology like NDR to strengthen defenses and gain deeper insights from network data.
Combining NDR and EDR for Enhanced Defense
The expanding attack surface and growing complexity of threats require security systems to work together, sharing metadata and signals to find and stop threats. Sophisticated threat actors now combine threats that move across a variety of domains, compromising identity, endpoint, cloud, and on-premises infrastructure in a lethal mix. This means that the corresponding security systems in each of these focus areas need to work together to provide comprehensive defense. The use of NDR and EDR in tandem enables defenders to spot innovative adversary techniques and respond quickly and decisively to emerging threats.
Real-World Examples of NDR and EDR in Action
The Blockade Spider group, active since April 2024, uses mixed domains for ransomware attacks, moving laterally across a network and searching for a file collection to encrypt. The full breadth of their approach was discovered by using NDR to obtain visibility into virtual systems and cloud properties, and then using EDR as soon as the attack moved across the network into managed endpoints. Another example is the Volt Typhoon attack, attributed to Chinese state-sponsored actors, which used living off the land (LoTL) techniques to avoid endpoint detection. NDR served as a security safety net by detecting malicious activity that slipped past EDR systems.
The Impact of Remote Work on Cybersecurity
The rising trend of remote work also adds vulnerability to the cyber threat landscape. As VPNs have become more widely used to support remote workforces, they pose new opportunities for exploitation. A lack of visibility on remote networks means a compromised endpoint on a trusted connection can introduce damage to the organization’s environment. If an EDR doesn’t detect that a local machine running the VPN is already infected with malware, it can easily spread across an enterprise once the machine connects to the corporate network. NDR can identify weak entry and transit points, helping identify the riskiest areas to fix first, and EDR can share the evidence of a compromised account being used as a pivot point.
Conclusion
In conclusion, the cyber threat landscape is evolving rapidly, with adversaries using AI to innovate and improve their attack strategies. The rise of AI-based threats requires a combination of EDR and NDR to effectively defend against attacks. By working together, these systems can provide comprehensive defense against sophisticated threats and help organizations reduce risk and improve their ability to respond quickly and decisively to emerging threats. As AI continues to evolve, it is essential to have a combined approach to cybersecurity, leveraging the benefits of both EDR and NDR to stay ahead of the threats.