Host Isolation will occur when Huntress identifies critical malware incidents known for spreading quickly through networks, such as ransomware. The host will be isolated from the organization’s network, only allowing connectivity between Huntress.io (our portal) and the isolated computer.
Host isolation will take effect after a Huntress ThreatOps Analyst sends the incident report for the infected host. Hosts will be "released" from isolation when the incident report is resolved. At any time, account administrators can manually release a host from isolation by navigating to the host details page and clicking release host. Admins will also be able to manually isolate hosts, although Huntress strives to do this for partners when we are 100% sure of an active threat (once opted-in to Automated Host Isolation).
Host Isolation is in Public Beta. We are learning how our partners plan to use this new feature, what problems it is solving, as well as what problems it isn’t solving. We look forward to hearing from you, shoot us an email firstname.lastname@example.org!
Why enable Automated Host Isolation?
- Malware can quickly spread through an organization's network.
- Humans are not always online to respond to attacks.
- Isolating an incident can buy your organization invaluable time when determining and implementing remediation actions.
How does Huntress isolate hosts?
Huntress uses Windows Group Policy (GPO) to restrict network connectivity, allowing only essential services to communicate, along with connections to Huntress.io.
Note: Hosts that are joined to a Windows Domain will require a reboot to be released from isolation.
Why is a reboot required? When a host is joined to a domain, reverting the local group policies that were set during isolation is not sufficient for releasing the host. Huntress must reboot the host to allow the firewall configuration and local GPO rules to be reset. The host can then resume communication with the network.
When do we isolate?
When authorized by partners within Account Settings, Huntress will isolate hosts that are infected with critical severity malware. The Huntress Threat Operations Team will review the infection and network isolation will occur when the incident report is sent to the partner.
- Ransomware events
- Cobalt Strike
Opting Into Automated Host Isolation
By default, all accounts will be opted out of automated host isolation (but opted in to manual host isolation).
Enabling automated isolation at the account level will authorize Huntress to restrict the network connectivity of infected hosts during critical malware incidents. Hosts that are not explicitly excluded in Isolation Exclusion Settings will be eligible for network isolation.
Enable automated isolation by going into the hamburger menu at the top right, then clicking on settings. At the very bottom of the page you can flip between Automated and Manual Host Isolation.
Isolation Exclusion Settings
Account administrators can exclude entire organizations or individual hosts from automated host isolation. Exclusions should be used sparingly since excluded hosts are not eligible for automated isolation. If malware is detected on an excluded host, Huntress will not be authorized to restrict the host’s network connectivity.
You can access Host Isolation Exclusions by scrolling to the bottom of your account settings page (hamburger menu at the top right, then click on settings).
Partners will always be able to manually isolate hosts, regardless of exclusions.
At any time, partners can isolate and release hosts from the individual Host Overview Page.
Host Isolation Scenario
Ransomware is spreading through a Partner's network
What actions does Huntress take?
1. An Incident Report is automatically opened due to a tripped ransomware canary.
2. The report is immediately reviewed by a human threat hunter to ensure it is not a false positive (ThreatOps is manned 24/7).
3. The report is sent ASAP and the host is automatically isolated.
Supported Agent Versions & Operating Systems
Host Isolation is supported on Huntress Agent Version 0.12.30 and higher. If a host is running an older agent version it will not be eligible for manual or automated host isolation.
Devices running Windows Home Edition are currently not supported for host isolation.
Configurations to Watch Out For
The following network/host configurations could cause host isolation to fail:
- Computers that require VPN connectivity for internet access (always-on VPNs).
- Any machine that is joined to an Active Directory Domain that is unable to communicate with a domain controller will be unable to set local policies and therefore cannot be isolated. You can check DC connectivity on the machine with the PowerShell command
- Computers that have their Windows firewall disabled by domain level GPO or have other domain level firewall settings taking precedence over local GPO settings.
- Computers that must connect out through a proxy server. In general Huntress does not work with proxies. See more info here!
- If a network's Domain Controller (DC) is already isolated and there is no backup DC, then the other hosts in that network will not be isolatable by Huntress.
- If a network's DC is also the DNS resolver for that network and the DC is isolated, Huntress will not be able to communicate with any of the hosts within that network.
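The following pre-flight script is an added example, not Huntress code or anything the portal runs for you. It checks a host, before an incident, for the conditions listed above that can make isolation fail: agent version below 0.12.30, a Windows Home edition, a domain-joined host that cannot reach a domain controller, a firewall disabled or governed by domain GPO, a configured proxy, an active VPN, and whether huntress.io:443 is reachable at all. The agent executable path in $HuntressAgentExe is an assumption; adjust it to your install. Run it in an elevated PowerShell session.

```powershell
# Added pre-flight check for Huntress host isolation (example code, not Huntress's own).
# Reports conditions this article lists as causes of isolation failure.
$HuntressAgentExe = 'C:\Program Files\Huntress\HuntressAgent.exe'   # ASSUMED path; verify on your install
$MinAgentVersion  = [version]'0.12.30'                               # minimum version stated in the article
$Findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Text) { $Findings.Add($Text) }

# 1. Agent version must be 0.12.30 or higher for manual or automated isolation.
if (Test-Path $HuntressAgentExe) {
    $raw = (Get-Item $HuntressAgentExe).VersionInfo.FileVersion
    if ($raw -match '\d+(\.\d+)+') {
        $ver = [version]$Matches[0]
        if ($ver -lt $MinAgentVersion) { Add-Finding "Agent $ver is below $MinAgentVersion; host is not eligible for isolation." }
    } else { Add-Finding "Could not parse agent version from '$raw'." }
} else {
    Add-Finding "Huntress agent not found at $HuntressAgentExe (path is an assumption; check your install)."
}

# 2. Windows Home editions are not supported.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.Caption -match 'Home') { Add-Finding "OS '$($os.Caption)' is a Home edition; isolation is unsupported." }

# 3. Domain-joined hosts need a reachable DC to apply local policy (and to be released).
$cs = Get-CimInstance Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $dcOut = nltest /dsgetdc:$($cs.Domain) 2>&1
    if ($LASTEXITCODE -ne 0) {
        Add-Finding "Domain-joined ($($cs.Domain)) but no DC is reachable; local policy cannot be set."
    } else {
        try { if (-not (Test-ComputerSecureChannel)) { Add-Finding "Secure channel to $($cs.Domain) is broken." } }
        catch { Add-Finding "Could not test the secure channel (run elevated): $($_.Exception.Message)" }
    }
}

# 4. Firewall must be on, and must not be disabled by a domain-level GPO that overrides local policy.
$rsop = Get-NetFirewallProfile -PolicyStore RSOP -ErrorAction SilentlyContinue
foreach ($p in $rsop) {
    if ("$($p.Enabled)" -eq 'False') { Add-Finding "Group Policy (RSOP) disables the firewall for the $($p.Name) profile; local isolation rules may not take effect." }
}
foreach ($p in (Get-NetFirewallProfile -PolicyStore ActiveStore)) {
    if ("$($p.Enabled)" -ne 'True') { Add-Finding "Windows Firewall is off for the $($p.Name) profile." }
}

# 5. A system-wide (WinHTTP) proxy; Huntress generally does not work through proxies.
$winhttp = netsh winhttp show proxy
$proxyLine = $winhttp | Where-Object { $_ -match 'Proxy Server' }
if ($proxyLine) { Add-Finding "WinHTTP proxy configured: $($proxyLine.Trim())" }

# 6. Connected VPNs; an always-on VPN that gates internet access can break isolation.
$vpn = Get-VpnConnection -ErrorAction SilentlyContinue | Where-Object { $_.ConnectionStatus -eq 'Connected' }
if ($vpn) { Add-Finding "Connected VPN(s): $($vpn.Name -join ', '). If internet access depends on the tunnel, isolation can fail." }

# 7. The portal path is the only one kept open during isolation, so it must work now.
$portal = Test-NetConnection -ComputerName huntress.io -Port 443 -WarningAction SilentlyContinue
if (-not $portal.TcpTestSucceeded) { Add-Finding "Cannot reach huntress.io:443; an isolated host would be unreachable from the portal." }

if ($Findings.Count -eq 0) {
    "No isolation blockers found on $env:COMPUTERNAME."
} else {
    "Isolation blockers on $env:COMPUTERNAME:"
    $Findings | ForEach-Object { " - $_" }
}
```

The RSOP policy store shows firewall settings that come from Group Policy rather than the local persistent store, which is how the script separates "firewall disabled by domain GPO" from "firewall simply turned off". The DNS-on-DC case in the list above is not checked here, since it is a property of the network layout rather than of the individual host.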
Note: If the host has non-default local group policy firewall settings (not global) set, they will be wiped when releasing the host from isolation.