Team: Huntress EDR
Product: Host Isolation
Environment: Huntress Platform
Summary: How Host Isolation is determined by our system, along with how to create exclusions and manually isolate the host.
The Huntress ThreatOps team determines when a ‘Host-Isolation’-worthy incident has occurred, usually defined as an infection by malware that is known to spread quickly (e.g., Emotet, Trickbot). The host is then isolated from the organization’s network, allowing connectivity only between Huntress.io (our portal) and the isolated computer.
Host isolation takes effect after a Huntress ThreatOps Analyst sends the incident report for the infected host. Hosts are "released" from isolation when the incident report is resolved (see Resolving Incidents and Releasing Isolated Hosts below). At any time, account administrators can manually release a host from isolation by using Self Managed Isolation. Admins can also manually isolate hosts, although Huntress strives to do this for partners when we are 100% sure of an active threat.
Note: All accounts are opted into Huntress Managed Host Isolation by default.
Benefits of Huntress Managed Host Isolation
- Malware can quickly spread through an organization's network and MSP technicians are not always online to respond to attacks.
- Leveraging Huntress's 24 x 7 Threat Operations Center to manage isolation of attacks can buy your organization invaluable time when determining and implementing remediation actions.
When do we isolate?
If authorized in Account Settings, Huntress's ThreatOps team will assess the need for Host Isolation based on the potential impact of the cyber attack. If deemed necessary, the host will be isolated once a Huntress Threat Hunter sends the incident report to the partner. Examples of incidents that warrant isolation:
- Ransomware events
- Cobalt Strike
Opting Into Managed Host Isolation
By default, all accounts are opted into Huntress Managed Host Isolation.
When Managed Isolation is enabled at the account level within Account Settings, Threat Ops is authorized to restrict network connectivity of infected hosts at their discretion during malware incidents. Hosts that are not explicitly excluded in Isolation Exclusion Settings will be eligible for network isolation.
Disabling Huntress Managed Host Isolation will prevent Huntress Threat Operation analysts from isolating malware incidents on infected hosts within your account.
** This is not recommended **
If you have a specific host or organization that you never want isolated, we recommend using Host Isolation Exclusions.
Isolation Exclusion Settings
Account administrators can exclude entire organizations or individual hosts from Managed Host Isolation. Exclusions should be used sparingly since excluded hosts are not eligible for isolation. If malware is detected on an excluded host, Huntress will not be authorized to restrict the host’s network connectivity.
You can access Host Isolation Exclusions by scrolling to the bottom of your account settings page (hamburger menu at the top right, then click on settings).
Note: Partners will always be able to manually isolate hosts, regardless of exclusions.
Self Managed Isolation
At any time, partners can isolate and release hosts from the Host Overview Page.
Host Isolation Scenario
Ransomware is spreading through a partner's network.
What actions does Huntress take?
1. An Incident Report is automatically opened due to a tripped ransomware canary.
2. The report is immediately reviewed by a human threat hunter to ensure it is not a false positive (ThreatOps is manned 24/7).
3. The report is sent ASAP and the host is isolated on send.
Resolving Incidents and Releasing Isolated Hosts:
For an incident to be resolved and the host to be released automatically, the Huntress Portal will need verification that a reboot occurred.
Whenever a host is isolated due to an active incident, a reboot Assisted Remediation step is included in the remediation plan. The reboot can be run automatically via Assisted Remediations or manually.
Learn more about releasing a host from isolation after an incident:
- Manual Remediation: Manual Remediation for Active Incidents
- Assisted Remediation here: Using Assisted Remediation
How does Huntress isolate hosts?
Huntress uses the Windows Filtering Platform (WFP), with Windows Group Policy (GPO) as a fallback mechanism, to manage the host firewall. The rules applied by Huntress block all inbound and outbound network connections unless the connection is destined for a Huntress service (the Huntress agent + updater) or another essential service (DNS + DHCP). Learn more about how we isolate here: Host Isolation - How Huntress Isolates
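The following is an added illustration, not Huntress's own code, of the policy shape described above, written with the Windows NetSecurity cmdlets: a default-Block firewall profile in both directions plus explicit Allow rules for DNS, DHCP and the agent binary. `$AgentExe` and the rule group name are placeholders; note that pre-existing Allow rules still match under a default-Block profile, so this shows the rule structure rather than a complete isolation product.

```powershell
# Added example (not Huntress code): deny-by-default host firewall with a small
# allow-list, mirroring the isolation rules described in the article.
#Requires -RunAsAdministrator

$AgentExe = 'C:\Path\To\Agent.exe'   # placeholder: the isolating agent's executable
$Group    = 'Example Isolation'      # rule group so all rules can be removed together

# 1. Everything not explicitly allowed is dropped, inbound and outbound.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Essential services the article keeps open: DNS (udp/53) and DHCP (udp/67-68).
New-NetFirewallRule -DisplayName 'Isolation - DNS out'  -Group $Group -Direction Outbound `
    -Protocol UDP -RemotePort 53 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Isolation - DHCP out' -Group $Group -Direction Outbound `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Isolation - DHCP in'  -Group $Group -Direction Inbound `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -Action Allow | Out-Null

# 3. The agent (and its updater) keeps its channel to the management portal.
New-NetFirewallRule -DisplayName 'Isolation - agent out' -Group $Group -Direction Outbound `
    -Program $AgentExe -Action Allow | Out-Null

function Get-IsolationState {
    # One object per profile so a responder can confirm the host is actually isolated.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function Remove-IsolationRules {
    # Release: drop the allow-list rules and restore the normal outbound default (Allow).
    Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
}

Get-IsolationState | Format-Table -AutoSize
```

Because Block rules take precedence over Allow rules in the Windows firewall, an allow-list must be built on the profile default action, as above, rather than on a blanket Block rule.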
Supported Agent Versions & Operating Systems
Host Isolation is supported on Huntress Agent Version 0.13.4 and higher. If a host is running an older agent version, it is not eligible for Self Managed or Huntress Managed host isolation. See a list of all of our supported operating systems here: Supported Operating Systems / System Requirements
Configurations to Watch Out For
The following network/host configurations could cause host isolation to fail:
- Huntress does not recommend isolating a host with multiple host isolation solutions at the same time (e.g., isolating with SentinelOne and Huntress simultaneously), as unforeseen connectivity issues may arise.
- Computers that require VPN connectivity for internet access (always-on VPNs).
- Computers that must connect out through a proxy server. In general, Huntress does not work with proxies. See more info here!
- If a network's domain controller (DC) is also the DNS resolver for that network and the DC is isolated, Huntress will not be able to communicate with any of the hosts within that network.
- If a network's DC is isolated and there is no backup DC, the other hosts in that network will not be isolatable by Huntress.
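As an added example (not Huntress code), the read-only PowerShell check below looks for the configurations listed above on a candidate host before it is isolated: whether it is a domain controller, whether it resolves DNS through itself, active VPN adapters, a WinHTTP proxy, and a firewall already in default-Block (a sign of another isolation tool). The VPN adapter pattern and the "resolver is itself" heuristic are assumptions chosen for illustration.

```powershell
# Added example, not Huntress code: pre-isolation readiness check that only reads state.
function Test-IsolationReadiness {
    $findings = @()

    # Domain controller? Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    if ($role -in 4, 5) {
        $findings += 'Host is a domain controller: isolating it can cut DNS/auth for other hosts.'
    }

    # DC-as-resolver case: does this host resolve DNS through one of its own addresses?
    $dns   = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses } |
             Select-Object -ExpandProperty ServerAddresses -Unique
    $local = Get-NetIPAddress -AddressFamily IPv4 | Select-Object -ExpandProperty IPAddress
    if ($dns | Where-Object { $_ -in $local -or $_ -eq '127.0.0.1' }) {
        $findings += "Host resolves DNS via itself ($($dns -join ', ')); clients pointed at it lose name resolution if it is isolated."
    }

    # Always-on VPN: an active tunnel adapter (assumed name pattern) may carry the agent's traffic.
    $vpn = Get-NetAdapter | Where-Object {
        $_.Status -eq 'Up' -and
        $_.InterfaceDescription -match 'VPN|TAP|WAN Miniport \((PPTP|L2TP|SSTP|IKEv2)\)'
    }
    if ($vpn) { $findings += "Active VPN-style adapter(s): $($vpn.Name -join ', ')." }

    # System-wide WinHTTP proxy, which services (rather than browsers) typically use.
    $proxy = (netsh winhttp show proxy) -join ' '
    if ($proxy -notmatch 'Direct access') {
        $findings += "WinHTTP proxy configured: $proxy"
    }

    # Outbound already default-Block suggests a second isolation product is active.
    $blocked = Get-NetFirewallProfile | Where-Object { $_.DefaultOutboundAction -eq 'Block' }
    if ($blocked) {
        $findings += "Outbound already Block on profile(s): $($blocked.Name -join ', ')."
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Ready        = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-IsolationReadiness | Format-List
```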