Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Endpoint Isolation
Environment: Huntress Platform
Summary: How Endpoint Isolation is determined by our system, along with how to create exclusions and manually isolate the Endpoint.
The Huntress Security Operations Center (SOC) determines when an "isolation worthy" incident has occurred, usually defined as the infection of malware that is known to quickly spread (e.g., Emotet, Trickbot, etc.). Often these are Critical severity incidents, but not all Critical severity incidents warrant endpoint isolation. The endpoint will be isolated from the organization's network, only allowing connectivity between Huntress.io (our portal) and the isolated computer.
Endpoint isolation will take effect after a Huntress SOC Analyst sends the incident report for the infected endpoint. Endpoints will be "released" from isolation when the incident report is resolved*. At any time, account administrators can manually release an endpoint from isolation by using Self Managed Isolation. Admins will also be able to manually isolate endpoints, although Huntress strives to do this for partners when we are 100% sure of an active threat.
Note: All accounts are opted into Huntress Managed Endpoint Isolation by default
With Huntress Agent version 0.13.192+
When the portal isolates an endpoint or if additional IP-blocking rules are added to the endpoint, they only exist for as long as the Huntress Agent is running. If the agent is shut down, isolation and blocking will go away. When an endpoint is rebooted, and no release task has been sent, the endpoint will eventually (within a few minutes) re-apply the isolation and IP-blocking rules.
For releasing an endpoint, you can now simply shut the service down. If that's not possible, you can remove the following files, and restart the endpoint.
[HuntressInstallationDirectory]\huntress-isolation-rule-file
[HuntressInstallationDirectory]\huntress-ip-blocking-rule-file
Benefits of Huntress Managed Endpoint Isolation
- Malware can quickly spread through an organization's network and MSP technicians are not always online to respond to attacks.
- Leveraging Huntress's 24 x 7 SOC to manage isolation of attacks can buy your organization invaluable time when determining and implementing remediation actions.
When do we isolate?
If authorized in Account Settings, Huntress's SOC will assess the need for Endpoint Isolation based on the potential impact of the cyber attack. If deemed necessary, the endpoint will be isolated once a Huntress SOC Analyst sends the incident report to the partner.
Examples:
- Ransomware events
- Emotet
- Trickbot
- Cobalt Strike
Opting Into Managed Endpoint Isolation
By default, all accounts are opted into Huntress Managed Endpoint Isolation.
When Managed Isolation is enabled at the account level within Account Settings, the Huntress SOC is authorized to restrict network connectivity of infected endpoints at their discretion during malware incidents. Endpoints that are not explicitly excluded in Isolation Exclusion Settings will be eligible for network isolation.
Disabling Huntress Managed Endpoint Isolation will prevent Huntress SOC Analysts from isolating malware incidents on infected endpoints within your account.
** This is not recommended **
If you have a specific endpoint or organization that you never want isolated, we recommend using Exclude Endpoints or Organizations from Isolation.
Isolation Exclusion Settings
Account administrators can exclude entire organizations or individual endpoints from Managed Endpoint Isolation. Exclusions should be used sparingly since excluded endpoints are not eligible for isolation. If malware is detected on an excluded endpoint, Huntress will not be authorized to restrict the endpoint's network connectivity.
You can access Endpoint Isolation Exclusions by scrolling to the bottom of your account settings page (hamburger menu at the top right, then click on settings).
Note: Partners will always be able to manually isolate endpoints, regardless of exclusions.
Self Managed Isolation
At any time, partners can isolate and release endpoints from the Endpoint Overview Page.
Endpoint Isolation Scenario
Ransomware is spreading through a Partner's network
What actions does Huntress take?
1. An Incident Report is automatically opened due to a tripped ransomware canary.
2. The report is immediately reviewed by a SOC analyst to ensure it is not a false positive (the Huntress SOC is staffed 24/7).
3. The report is sent ASAP and the endpoint is isolated on send.
Resolving Incidents and Releasing Isolated Endpoints:
For an incident to be resolved and the endpoint to be released automatically, the Huntress Portal will need verification that a reboot occurred.
Whenever an endpoint is isolated due to an active incident, a reboot Assisted Remediation step is included in the remediation plan. The reboot can be run automatically via Assisted Remediations or manually.
Learn more about releasing an endpoint from isolation after an incident:
- Manual Remediation: Manually Remediate Active Incidents
- Assisted Remediation: Using Assisted Remediation
How does Huntress isolate endpoints?
Huntress uses Windows Filtering Platform or Windows Group Policy (GPO) as a fallback mechanism to manage the firewall on the endpoint. The rules applied by Huntress block all inbound and outbound network connections unless the connection is destined for a Huntress service (the Huntress agent + updater) or other essential services (DNS + DHCP). Learn more about how we isolate here: How is Endpoint Isolation Applied for Windows?
DNS fallback for isolated endpoints
In the case of a major security incident, it may be necessary for Huntress to isolate compromised domain controllers to contain a threat. In many organizations, this will result in endpoints losing DNS access, which prevents the Huntress agent from communicating with Huntress at a key time. To address this, our agent will fall back to a public DNS server (1.1.1.1) in the case that local DNS is unavailable. This ensures that our SOC can continue to access endpoints to investigate, isolate, or release them. Thus any site that has Endpoint Isolation enabled and whose DC is also a DNS server should allow outbound communication to 1.1.1.1:53/udp. See this article on Required Firewall Settings for the Huntress Agents (Port Exclusion and Allow List) for the full list of IPs the Huntress agent uses.
Supported Agent Versions & Operating Systems
Endpoint Isolation is supported on Huntress Agent Version 0.13.4 and higher. If an endpoint is running an older agent version, it is not eligible for Self Managed or Huntress Managed Endpoint Isolation. See a list of all of our supported operating systems here: Supported Operating Systems / System Requirements / Compatibility
Configurations to Watch Out For
The following network/endpoint configurations could cause endpoint isolation to fail:
- Huntress does not recommend isolating an endpoint with multiple endpoint isolation solutions at the same time (e.g., isolating with SentinelOne and Huntress). Unforeseen connectivity issues may arise.
- Computers that require VPN connectivity for internet access (always-on VPNs).
- Computers that must connect out through a proxy server. In general Huntress does not work with proxies. See more in this article Deep Packet Inspection / TLS/SSL Interception / Cert Pinning.
- If a network's DC is also the DNS resolver for that network and the DC is isolated, Huntress will not be able to communicate with any of the endpoints within that network.
- If a network's Domain Controller (DC) is isolated and there is no backup DC, then the other endpoints in that network cannot be isolated by Huntress.
- If any configuration is blocking 1.1.1.1:53/udp, our backup DNS will fail.
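As an added example (not Huntress's own tooling), the following read-only PowerShell script checks an endpoint against the prerequisites described above: the agent must be running for rules to persist, the agent version must be 0.13.4 or higher, the rule files indicate current isolation state, outbound 1.1.1.1:53/udp must be reachable for the DNS fallback, and proxies are unsupported. The install directory, service name and executable name are assumptions to adjust for your deployment.

```powershell
# Added example (not Huntress's own tooling): read-only pre-isolation readiness check
# for a Windows endpoint, based on the prerequisites this article lists.
param(
    [string]$InstallDir  = 'C:\Program Files\Huntress',  # assumed; use your [HuntressInstallationDirectory]
    [string]$ServiceName = 'HuntressAgent',              # assumed Windows service name
    [string]$AgentExe    = 'HuntressAgent.exe',          # assumed executable name
    [version]$MinimumAgentVersion = '0.13.4'             # minimum version from the article
)

$findings = @()

# 1. Isolation and IP-blocking rules only exist while the agent is running.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) { $findings += "Service '$ServiceName' not found (name is an assumption; adjust)." }
elseif ($svc.Status -ne 'Running') { $findings += "Service '$ServiceName' is $($svc.Status); rules are not enforced until it runs." }

# 2. Agents older than 0.13.4 are not eligible for Self Managed or Managed isolation.
$exe = Join-Path $InstallDir $AgentExe
if (Test-Path $exe) {
    try {
        $ver = [version](Get-Item $exe).VersionInfo.FileVersion
        if ($ver -lt $MinimumAgentVersion) { $findings += "Agent $ver is below $MinimumAgentVersion; not isolation-eligible." }
    } catch { $findings += "Could not parse agent file version from $exe." }
} else { $findings += "Agent executable not found at $exe (path is an assumption)." }

# 3. The rule files are present only while an isolation or IP-blocking task is in effect.
foreach ($f in 'huntress-isolation-rule-file', 'huntress-ip-blocking-rule-file') {
    if (Test-Path (Join-Path $InstallDir $f)) { $findings += "Found $f; isolation/IP-blocking rules are currently applied." }
}

# 4. DNS fallback: the agent falls back to 1.1.1.1 when local DNS is unavailable,
#    so outbound 1.1.1.1:53/udp must be allowed (huntress.io is the portal named in the article).
try {
    $null = Resolve-DnsName -Name 'huntress.io' -Server '1.1.1.1' -Type A -DnsOnly -ErrorAction Stop
} catch {
    $findings += "Cannot resolve via 1.1.1.1:53/udp; backup DNS will fail if the DC/DNS server is isolated."
}

# 5. Huntress generally does not work through proxies; flag a user-level proxy if one is enabled.
$proxy = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyEnable -eq 1) { $findings += "Proxy enabled ($($proxy.ProxyServer)); agent connectivity may fail." }

if ($findings.Count -eq 0) { 'No isolation readiness issues found.' } else { $findings }
```

Run it in an elevated PowerShell session on the endpoint; each finding maps to one of the conditions listed in this article.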