The following example is of an unstructured hunt technique—an investigation based on an idea or hypothesis derived from previous experience and knowledge. In the screenshot below, we initiated a hunt based on the assumption that there is a misconfigured web server being used by internal hosts or provided as a service within the organization.
During this investigation, we discovered unauthorized access to a “root” folder, a critical security risk. This type of exposure is dangerous because it can provide malware or intruders with unnecessary access, leak sensitive information, and potentially be exploited for further attacks.
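The hypothesis above ("an internal web server exposes a root folder, and internal hosts are using it") can be turned into a repeatable hunt over HTTP protocol logs. The following Python script is an added example, not code from the post or from Stamus Networks; it assumes newline-delimited JSON records shaped like Suricata/EVE-style http events (fields src_ip, dest_ip, http.url, http.status, http.hostname), and the log lines it consumes are constructed for the example. It flags every server answering a request for the root folder with either 200 (open) or 401 (reachable with credentials, the case the investigation found), and it lists which internal and external clients touched it, which is the evidence an analyst needs before pulling the PCAP.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Private address space; anything else is treated as external to the organization.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records shaped like EVE-style "http" events (assumed field
# names; these are NOT logs from the deployment described in the post).
SAMPLE_HTTP_LOG = "\n".join([
    '{"event_type":"http","src_ip":"10.10.5.21","dest_ip":"10.10.8.40","http":{"hostname":"intranet-files","url":"/","http_method":"GET","status":200}}',
    '{"event_type":"http","src_ip":"10.10.5.21","dest_ip":"10.10.8.40","http":{"hostname":"intranet-files","url":"/root/","http_method":"GET","status":401}}',
    '{"event_type":"http","src_ip":"10.10.6.77","dest_ip":"10.10.8.40","http":{"hostname":"intranet-files","url":"/root/?C=M;O=D","http_method":"GET","status":401}}',
    '{"event_type":"http","src_ip":"10.10.5.21","dest_ip":"10.10.8.40","http":{"hostname":"intranet-files","url":"/rootfs-docs/","http_method":"GET","status":200}}',
    '{"event_type":"http","src_ip":"10.10.7.3","dest_ip":"10.10.9.12","http":{"hostname":"build-box","url":"/root","http_method":"GET","status":200}}',
    '{"event_type":"http","src_ip":"203.0.113.5","dest_ip":"10.10.9.12","http":{"hostname":"build-box","url":"/root/","http_method":"GET","status":200}}',
    '{"event_type":"flow","src_ip":"10.10.7.3","dest_ip":"10.10.9.12"}',
])

# Status codes that mean the folder exists and is served: 200 is wide open,
# 401 means access would be granted with the right credentials.
EXPOSURE_BY_STATUS = {200: "open", 401: "credential-gated"}


def is_internal(ip):
    """True when the address falls inside one of the organization's private ranges."""
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def first_segment(url):
    """First path segment of a request URL, ignoring query string ('/root/?x' -> 'root')."""
    path = urlsplit(url).path
    return path.strip("/").split("/", 1)[0]


def hunt_exposed_root(log_text, folder="root"):
    """Return one finding per server that serves the named top-level folder.

    Only whole path segments match, so '/rootfs-docs/' does not count as '/root/'.
    Findings are sorted with open exposures first.
    """
    servers = defaultdict(lambda: {"hostname": None, "exposures": set(),
                                   "internal": set(), "external": set(), "hits": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "http":  # flow, dns, etc. carry no URL
            continue
        http = ev.get("http", {})
        if first_segment(http.get("url", "")) != folder:
            continue
        exposure = EXPOSURE_BY_STATUS.get(http.get("status"))
        if exposure is None:  # 403/404/5xx: folder not actually served
            continue
        s = servers[ev["dest_ip"]]
        s["hostname"] = s["hostname"] or http.get("hostname")
        s["exposures"].add(exposure)
        (s["internal"] if is_internal(ev["src_ip"]) else s["external"]).add(ev["src_ip"])
        s["hits"] += 1

    findings = []
    for dest_ip, s in servers.items():
        findings.append({
            "dest_ip": dest_ip,
            "hostname": s["hostname"],
            "exposure": "open" if "open" in s["exposures"] else "credential-gated",
            "internal_clients": sorted(s["internal"]),
            "external_clients": sorted(s["external"]),
            "hits": s["hits"],
        })
    findings.sort(key=lambda f: (f["exposure"] != "open", f["dest_ip"]))
    return findings


if __name__ == "__main__":
    for finding in hunt_exposed_root(SAMPLE_HTTP_LOG):
        print(json.dumps(finding))
```

Each finding names the server, how the folder is exposed, and the set of internal and external clients that reached it, so the analyst can go straight from the hypothesis to the specific transactions whose PCAP needs review. Matching on the first path segment rather than on a substring keeps unrelated paths such as /rootfs-docs/ out of the results.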
About this blog series:
This blog series explores the benefits of Clear NDR™, focusing on how its multi-layered detection reduces the total cost of ownership while delivering unparalleled visibility.
Each article in the series highlights real-world examples from an actual Clear NDR deployment, demonstrating how its insights and threat detection capabilities benefited multiple teams across an organization—including Compliance, Security, and Network teams. Through a combination of automation, AI, and customization, Clear NDR provides actionable intelligence backed by strong evidence, enabling faster Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
No single detection algorithm is perfect. Every approach has strengths and weaknesses, excelling in certain areas while falling short in others. That’s why Clear NDR takes a multi-layered detection approach, ensuring that no single method is solely responsible for uncovering threats.
The teams involved in the use cases shared in this blog series benefited from the data, visibility, and evidence that Clear NDR provided, enabling them to take remedial actions against policy violations, Zero Trust architecture gaps, misconfigurations, and other security risks. Ultimately, this led to reduced threat exposure and improved security posture.
Gathering the Complete Body of Evidence
With a single click, we can open the relevant detection event and immediately access all necessary evidence, including:
- Supporting file data
- Protocol and flow logs
- PCAP of the transactions
- Detection logic that triggered the alert
This level of immediate visibility enables security teams to quickly assess the situation, determine the extent of the risk, and take appropriate remediation actions before an incident escalates.
The Role of PCAP in Incident Response
In many cases, security analysts need to review the specific PCAP as the ultimate source of network evidence for a communication event. This is often necessary to gain deeper insights into who or what is responsible for the unexpected activity, as well as to uncover additional details relevant to incident response. Examining the full packet capture helps analysts identify Indicators of Compromise (IoCs), understand the exact nature of the activity, and determine the appropriate next steps for remediation.
As shown in the screenshot below, this information is readily available with a single click—or through a REST API call if integrated with a SIEM or SOAR platform—providing immediate access to the full transaction PCAP for further investigation.
Analyzing the Root Cause
In the screenshot below, we see a fully reconstructed session from the PCAP, revealing the misconfigured application and the actions attempted against it. This level of detail allows security analysts to determine the next steps for remediation and assess the potential damage or malicious intent behind the activity. The evidence confirms that access to the “root” folder would be granted if the correct credentials were provided—a critical security risk.
With just a few clicks, Clear NDR enables security professionals to quickly validate whether a detection or escalation event is a true or false positive. This drastically reduces investigation time, allowing teams to reach conclusions in a fraction of the time it would take with traditional methods. By providing comprehensive evidence upfront, including packet captures, detection logic, and flow data, Clear NDR eliminates the black-box effect often associated with vendor secrecy and lack of transparency in detection logic.
Conclusion
Clear NDR is a powerful tool for identifying and addressing misconfigured web servers before they become a security risk. By offering detailed visibility into network traffic and contextual insights, it enables security teams to quickly uncover vulnerabilities, such as unauthorized access to critical directories like the “root” folder. With its seamless ability to link detection events to supporting logs, transaction captures, and detection logic, Clear NDR removes the uncertainty and black-box effect often associated with traditional security solutions.
This level of transparency, combined with fast, data-driven decision-making, empowers teams to act rapidly—confirming whether an incident is a legitimate threat or a false positive—and take corrective action to mitigate risks. Ultimately, Clear NDR helps ensure that security teams can identify misconfigurations efficiently, reducing exposure and reinforcing the overall security posture of the organization.
More Real-World Examples
This is just one example of how Clear NDR delivers precise and transparent evidence-backed threat detection. Stay tuned for the next blog in this series, where we’ll dive into another real-world security scenario and how Clear NDR made a difference.
For organizations wondering whether adding NDR to their security strategy is the right choice, the most effective way to find out is to engage in a proof-of-value (POV) with the experts at Stamus Networks.
To determine if NDR is right for your organization, use the button below to book a demo and speak to our team. We would love to hear about your network and see how Clear NDR can help. To stay updated with new blog posts and other news from Stamus Networks, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord (links below).