Google's Threat Intelligence Group and Anthropic have documented adversaries using Large Language Models to conceal code and orchestrate autonomous cyber espionage campaigns. These AI-driven attacks, combined with steganography and social engineering tactics, are successfully evading traditional endpoint detection and response (EDR) systems. The article explores why a combined NDR and EDR approach is now essential for defense.
The cybersecurity arms race has entered a new phase. Adversaries are no longer just writing better malware; they're using artificial intelligence to create attacks that adapt in real-time, hiding their tracks more effectively than ever before. Google's Threat Intelligence Group recently reported on threat actors using Large Language Models (LLMs) to both conceal code and generate malicious scripts on the fly, letting malware shape-shift to evade conventional defenses. This isn't theoretical—it's happening now.
In November 2025, Anthropic documented what it described as the first known "AI-orchestrated cyber espionage campaign." This operation featured AI integrated throughout the attack lifecycle, from initial access to exfiltration, executed largely autonomously by the AI itself. The campaign demonstrated how machine learning can automate complex attack chains that previously required human coordination and decision-making.
The Evasion Toolkit Gets Smarter
Recent attack trends reveal multiple techniques designed to bypass traditional security controls. ClickFix-related attacks using steganography—hiding malware within image files—have slipped past signature-based scans. These attacks skillfully disguise themselves as legitimate software update screens or CAPTCHAs, deceiving users into deploying remote access trojans (RATs), info-stealers, and other malware payloads on their own devices.
Adversaries are also exploiting ways to trigger and then compromise anti-virus (AV) exclusion rules. Research from Microsoft's threat team in October 2025 identified a threat actor they call Octo Tempest that convinced victims to disable various security products and automatically delete email notifications. These steps allowed malware to spread across enterprise networks without tripping endpoint alerts. Actors are also easily deploying dynamic and adaptive tools that specialize in detecting and disabling AV software on endpoints.
All these techniques share a common thread: the ability to evade legacy defenses such as endpoint detection and response (EDR), exposing the limitations of relying solely on EDR. Their success illustrates where EDR, acting alone and without additional defensive measures, can be vulnerable.
Why EDR Alone Isn't Enough
EDR systems focus on what happens inside each specific endpoint. They monitor processes, file changes, registry modifications, and other endpoint activities. This is valuable, but it creates a blind spot: network traffic. When malware communicates with command-and-control servers, exfiltrates data, or moves laterally between systems, EDR might not see the full picture if the endpoint itself is compromised or if the malware uses sophisticated evasion techniques.
Some EDR systems weren't designed for the speed and scale of AI-fueled attacks. AI can generate and deploy malware variants faster than signature updates can keep pace. It can also make decisions about which systems to target and when to strike, operating at machine speed that outpaces human analysts.
The NDR Safety Net
Network detection and response (NDR) continuously monitors the network environment, detecting threats as they traverse the organization. It excels at picking up what EDR does not, identifying behavioral anomalies and deviations from typical network patterns. In the age of AI-based threats, there is a need for both kinds of systems to work together, especially as these attacks can operate at higher speeds and greater scale.
NDR can detect:
- Unusual data flows that indicate data exfiltration
- Command-and-control communications that EDR might miss if the endpoint is compromised
- Lateral movement between systems
- Anomalous protocols or ports being used
Real-World Examples of Combined Defense
The value of combining NDR and EDR becomes clear in real attack scenarios:
Blockade Spider Ransomware Attacks: This group, active since April 2024, uses mixed domains for ransomware attacks. After gaining access through unmanaged systems, they move laterally across networks, searching for files to encrypt. The full breadth of their approach was discovered by using NDR to obtain visibility into virtual systems and cloud properties, then using EDR as soon as the attack moved across the network into managed endpoints. Without NDR, the initial compromise of unmanaged systems might have gone unnoticed.
Volt Typhoon Attack: This 2023 attack, attributed to Chinese state-sponsored actors, used living off the land (LoTL) techniques to avoid endpoint detection. The actors targeted unmanaged network edge devices like SOHO routers and IoT hardware. They altered originating packets to appear to come from a cable modem in Texas rather than a direct link to a Chinese IP address. What gave the game away was network traffic analysis. While they successfully avoided EDR, variations in network traffic volume detected by NDR indicated the cable modem traffic was hiding something far more nefarious. In this case, NDR served as a security safety net by detecting malicious activity that slipped past EDR systems.
Remote Work Vulnerabilities: As VPNs have become more widely used to support remote workforces, they pose new opportunities for exploitation. A lack of visibility on remote networks means a compromised endpoint on a trusted connection can introduce damage to the organization's environment. If an EDR doesn't detect that a local machine running the VPN is already infected with malware, it can easily spread across an enterprise once the machine connects to the corporate network. Compromised VPNs can also hide lateral network movement that disguises itself amongst typical network operations and management tools.
Salesforce Supply Chain Breaches: Two recent breaches were accomplished by using AI to harvest OAuth credentials to gain unauthorized access to various customer accounts. NDR can identify weak entry and transit points, helping identify the riskiest areas to fix first, and EDR can share the evidence of a compromised account being used as a pivot point.
The Expanding Attack Surface
Compounding the challenge is that today's attack surface is expanding and growing more complex. Sophisticated threat actors now combine threats that move across a variety of domains, compromising identity, endpoint, cloud, and on-premises infrastructure in a lethal mix. This means the corresponding security systems in each of these focus areas need to work together, sharing metadata and other signals, to find and stop these threats.
The bad actors hide behind this complexity to maximize their reach, increase their blast radius, and provide cover while they use different hacking tools to assume various roles and focus on different intermediate targets.
Building a Combined Defense Strategy
Organizations need to move beyond thinking in terms of "EDR vs. NDR" and instead adopt a "both/and" approach. Here are practical steps:
Integrate Detection Systems: Ensure your EDR and NDR solutions can share intelligence. Look for platforms that support common data formats and APIs for cross-platform correlation.
Focus on Behavioral Analysis: Both EDR and NDR should emphasize behavioral detection over signature-based approaches. This is critical for catching AI-generated threats that mutate rapidly.
Establish Baselines: Understand normal network and endpoint behavior. This makes anomalous activity—whether from AI-driven attacks or human operators—stand out more clearly.
Prioritize Visibility: Ensure you have coverage across all assets, including unmanaged devices, cloud instances, and remote endpoints. Gaps in visibility create opportunities for attackers.
Automate Response: Given the speed of AI-driven attacks, manual response is often too slow. Implement automated playbooks that can trigger based on correlated alerts from both EDR and NDR systems.
Regular Testing: Conduct purple team exercises that simulate AI-driven attacks. Test whether your combined EDR and NDR can detect and respond to these novel threats.
The Role of Open NDR
Platforms like Corelight's Open NDR enable security operations centers (SOCs) to detect novel attack types, including those leveraging AI techniques. Their multi-layered detection approach includes behavioral and anomaly detections that can identify a range of unique and unusual network activity. As adversaries develop new methods of evading EDR systems, security teams that deploy NDR can strengthen their enterprise's defensive posture.
Looking Ahead
Adversaries will grow more capable as AI evolves. We can expect to see:
- AI systems that automatically probe for and exploit vulnerabilities
- Malware that uses reinforcement learning to optimize evasion techniques
- Deepfake-based social engineering attacks that are more convincing than ever
- Automated attack campaigns that can adapt to defensive measures in real-time
This evolution makes the combined approach essential for reducing risk and improving your organization's ability to respond quickly and decisively. The question is no longer whether to combine EDR and NDR, but how quickly you can implement this strategy before the next wave of AI-driven attacks reaches your organization.
The cybersecurity landscape has fundamentally changed. Defenders must change with it, moving from isolated point solutions to integrated defense systems that can see and stop threats across the entire attack surface. Only then can we hope to stay ahead of adversaries who are increasingly using the same AI technologies that are transforming our world for malicious purposes.
This article is a contributed piece from one of our valued partners.
Comments
Please log in or register to join the discussion