Team: Huntress EDR
Product: Host Isolation
Environment: Huntress Platform
Summary: How Host Isolation is determined by our system, along with how to create exclusions and manually isolate the host.
The Huntress Security Operations Center (SOC) determines when an "isolation-worthy" incident has occurred, usually defined as infection by malware that is known to spread quickly (e.g., Emotet, Trickbot). These are often Critical severity incidents, but not all Critical severity incidents warrant host isolation. An isolated host is cut off from the organization's network; the only connectivity allowed is between the isolated computer and Huntress.io (our portal).
Host isolation takes effect when a Huntress SOC Analyst sends the incident report for the infected host. Hosts are "released" from isolation when the incident report is resolved (see Resolving Incidents and Releasing Isolated Hosts below for the reboot verification this requires). At any time, account administrators can manually release a host from isolation using Self Managed Isolation. Admins can also manually isolate hosts, although Huntress strives to do this for partners when we are 100% sure of an active threat.
Note: All accounts are opted into Huntress Managed Host Isolation by default
With Huntress Agent version 0.13.192+
When the portal isolates a host, or when additional IP-blocking rules are added to the host, those rules exist only for as long as the Huntress Agent service is running. If the agent is shut down, isolation and IP blocking go away with it (which also means a local administrator who stops the service releases the host, regardless of the incident's state in the portal). When a host is rebooted and no release task has been sent, the agent will eventually (within a few minutes) re-apply the isolation and IP-blocking rules.
To release a host locally, stop the agent service. If that is not possible, remove the following files and restart the host:
[HuntressInstallationDirectory]\huntress-isolation-rule-file
[HuntressInstallationDirectory]\huntress-ip-blocking-rule-file
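The local release procedure above, as an added PowerShell example (this is not Huntress code). It tries the first option from the article (stop the agent service) and falls back to the second (remove the two rule files and restart). The service name 'HuntressAgent', the install directory 'C:\Program Files\Huntress' and the optional SMB reachability check are assumptions for illustration; verify the first two against your own install before relying on them.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not Huntress code: release an isolated host locally, following
  the two options the article gives for agent 0.13.192+ (stop the agent service;
  if that fails, remove the two rule files and restart).
  ASSUMPTIONS to verify on your build: the service is named 'HuntressAgent' and
  the install directory is 'C:\Program Files\Huntress'. Override with parameters.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$InstallDir  = 'C:\Program Files\Huntress',   # assumed default install path
    [string]$ServiceName = 'HuntressAgent',               # assumed agent service name
    [string]$VerifyHost,                                  # optional internal host to test SMB reachability against
    [switch]$Reboot                                       # restart if the file-removal fallback is used
)

# The two rule files named in the article.
$ruleFiles = @(
    (Join-Path $InstallDir 'huntress-isolation-rule-file'),
    (Join-Path $InstallDir 'huntress-ip-blocking-rule-file')
)

Write-Host "Rule files on $($env:COMPUTERNAME):"
foreach ($f in $ruleFiles) {
    $state = if (Test-Path -LiteralPath $f) { 'present' } else { 'absent ' }
    Write-Host ("  [{0}] {1}" -f $state, $f)
}

# Option 1: stop the service. Isolation/IP-blocking rules only live while it runs.
$released = $false
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service '$ServiceName' not found; check the assumed service name."
}
elseif ($svc.Status -ne 'Running') {
    Write-Host "Service '$ServiceName' is already $($svc.Status); no rules are active."
    $released = $true
}
elseif ($PSCmdlet.ShouldProcess($ServiceName, 'Stop service (drops isolation rules)')) {
    try {
        Stop-Service -Name $ServiceName -Force -ErrorAction Stop
        $released = $true
        Write-Host "Stopped '$ServiceName'. Rules are gone until the service starts again."
    }
    catch {
        Write-Warning "Could not stop '$ServiceName': $($_.Exception.Message)"
    }
}

# Option 2: the service could not be stopped, so remove the rule files and restart.
if (-not $released) {
    foreach ($f in $ruleFiles) {
        if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Remove rule file')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
    if ($Reboot -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart computer')) {
        Restart-Computer -Force
    }
    elseif (-not $WhatIfPreference) {
        Write-Host 'Rule files removed; restart the host to finish releasing it.'
    }
}

# Optional check: with isolation gone, an ordinary internal port should answer again.
if ($VerifyHost -and $released) {
    $ok = Test-NetConnection -ComputerName $VerifyHost -Port 445 -InformationLevel Quiet
    Write-Host ("SMB to {0} reachable: {1}" -f $VerifyHost, $ok)
}
```

Run it from an elevated PowerShell session, with `-WhatIf` first to see what it would do. This only clears the rules on the box: if the agent service starts again (including after the reboot in option 2) and the portal has not sent a release task, the article says the rules come back within a few minutes, so also release the host from the Host Overview Page.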
Benefits of Huntress Managed Host Isolation
- Malware can quickly spread through an organization's network and MSP technicians are not always online to respond to attacks.
- Leveraging Huntress's 24 x 7 SOC to manage isolation of attacks can buy your organization invaluable time when determining and implementing remediation actions.
When do we isolate?
If authorized in Account Settings, Huntress's SOC will assess the need for Host Isolation based on the potential impact of the cyber attack. If deemed necessary, the host will be isolated once a Huntress SOC Analyst sends the incident report to the partner.
Examples:
- Ransomware events
- Emotet
- Trickbot
- Cobalt Strike
Opting Into Managed Host Isolation
By default, all accounts are opted into Huntress Managed Host Isolation.
When Managed Isolation is enabled at the account level within Account Settings, the Huntress SOC is authorized to restrict network connectivity of infected hosts at their discretion during malware incidents. Hosts that are not explicitly excluded in Isolation Exclusion Settings will be eligible for network isolation.
Disabling Huntress Managed Host Isolation will prevent Huntress SOC Analysts from isolating malware incidents on infected hosts within your account.
** This is not recommended **
If you have a specific host or organization that you never want isolated, we recommend using Host Isolation Exclusions.
Isolation Exclusion Settings
Account administrators can exclude entire organizations or individual hosts from Managed Host Isolation. Exclusions should be used sparingly since excluded hosts are not eligible for isolation. If malware is detected on an excluded host, Huntress will not be authorized to restrict the host’s network connectivity.
You can access Host Isolation Exclusions by scrolling to the bottom of your account settings page (hamburger menu at the top right, then click on settings).
Note: Partners will always be able to manually isolate hosts, regardless of exclusions.
Self Managed Isolation
At any time, partners can isolate and release hosts from the Host Overview Page.
Host Isolation Scenario
Ransomware is spreading through a Partner's network
What actions does Huntress take?
1. An Incident Report is automatically opened due to a tripped ransomware canary.
2. The report is immediately reviewed by a SOC analyst to ensure it is not a false positive (the Huntress SOC is staffed 24/7).
3. The report is sent as soon as it is confirmed, and the host is isolated when the report is sent.
Resolving Incidents and Releasing Isolated Hosts:
For an incident to be resolved and the host to be released automatically, the Huntress Portal will need verification that a reboot occurred.
Whenever a host is isolated due to an active incident, a reboot Assisted Remediation step is included in the remediation plan. The reboot can be run automatically via Assisted Remediations or manually.
Learn more about releasing a host from isolation after an incident:
- Manual Remediation: Manual Remediation for Active Incidents
- Assisted Remediation here: Using Assisted Remediation
How does Huntress isolate hosts?
Huntress uses the Windows Filtering Platform (WFP) to manage the host firewall, falling back to Windows Group Policy (GPO) if WFP cannot be used. The rules applied by Huntress block all inbound and outbound network connections unless the connection is destined for a Huntress service (the Huntress agent and updater) or other essential services (DNS and DHCP). Learn more about how we isolate here: Host Isolation - How Huntress Isolates
DNS fallback for isolated endpoints
In a major security incident, it may be necessary for Huntress to isolate compromised domain controllers to contain a threat. In many organizations, this results in endpoints losing DNS access, which prevents the Huntress agent from communicating with Huntress at a key time. To address this, the agent falls back to a public DNS server (1.1.1.1) when local DNS is unavailable. This ensures that our SOC can continue to reach endpoints to investigate, isolate, or release them. Any site that has Host Isolation enabled and uses a DC as its DNS server should therefore allow outbound communication to 1.1.1.1:53/udp. See this article on Required Firewall Settings for the full list of IPs the Huntress agent uses.
Supported Agent Versions & Operating Systems
Host Isolation is supported on Huntress Agent version 0.13.4 and higher. If a host is running an older agent version, it is not eligible for Self Managed or Huntress Managed host isolation. See a list of all of our supported operating systems here: Supported Operating Systems / System Requirements
Configurations to Watch Out For
The following network/host configurations can cause host isolation to fail:
- Isolating a host with more than one host isolation solution at the same time (e.g., SentinelOne and Huntress). Huntress does not recommend this; unforeseen connectivity issues may arise.
- Computers that require VPN connectivity for internet access (always-on VPNs).
- Computers that must connect out through a proxy server. In general, Huntress does not work with proxies. See more info here!
- If a network's Domain Controller (DC) is also the DNS resolver for that network and the DC is isolated, hosts on that network lose local DNS and Huntress cannot communicate with them unless the 1.1.1.1 DNS fallback described above is reachable.
- If a network's DC is isolated and there is no backup DC, the other hosts in that network will not be isolatable by Huntress.
- If any configuration blocks 1.1.1.1:53/udp, our backup DNS will fail.
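A pre-flight check for the conditions in this list, as an added PowerShell example (not Huntress code): it checks the agent version against the 0.13.4 minimum, whether 1.1.1.1:53 answers DNS queries, whether this host's DNS resolvers are domain controllers (and whether more than one DC is advertised), whether a WinHTTP proxy is set, and whether a VPN profile is connected. The agent binary path 'C:\Program Files\Huntress\HuntressAgent.exe' and the use of its file version as the agent version are assumptions; everything else uses standard Windows cmdlets.

```powershell
<#
  Added example, not Huntress code: pre-flight check for the configurations the
  article says can make Host Isolation or the DNS fallback fail.
  ASSUMPTIONS: the agent binary lives at 'C:\Program Files\Huntress\HuntressAgent.exe'
  and its file version is the agent version; the 0.13.4 threshold comes from the article.
  Needs the DnsClient module (Windows 8 / Server 2012 or later).
#>
param(
    [string]$AgentExe = 'C:\Program Files\Huntress\HuntressAgent.exe'   # assumed path
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Agent version: Host Isolation needs 0.13.4 or higher.
if (Test-Path -LiteralPath $AgentExe) {
    try {
        $ver = [version](Get-Item -LiteralPath $AgentExe).VersionInfo.FileVersion
        if ($ver -lt [version]'0.13.4') {
            $findings.Add("Agent $ver is below 0.13.4; this host is not eligible for isolation.")
        }
    }
    catch { $findings.Add("Could not read agent version from $AgentExe.") }
}
else {
    $findings.Add("Agent binary not found at $AgentExe (check the assumed path).")
}

# 2. DNS fallback: the agent falls back to 1.1.1.1 when local DNS is gone, so
#    outbound 1.1.1.1:53/udp must be open. Query that server directly.
try {
    $null = Resolve-DnsName -Name 'huntress.io' -Server '1.1.1.1' -DnsOnly -Type A -ErrorAction Stop
}
catch {
    $findings.Add('Cannot resolve via 1.1.1.1:53; the DNS fallback will fail if the local resolver is isolated.')
}

# 3. Is a domain controller this host's DNS resolver? If that DC is isolated,
#    local DNS disappears for every host that points at it.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
$domain = $env:USERDNSDOMAIN
if ($domain -and $dnsServers) {
    try {
        $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' })
        $dcAddrs = foreach ($rec in $srv) {
            (Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue).IPAddress
        }
        $dcResolvers = @($dnsServers | Where-Object { $dcAddrs -contains $_ })
        if ($dcResolvers.Count -gt 0) {
            $findings.Add("DNS resolver(s) $($dcResolvers -join ', ') are domain controllers; isolating one removes local DNS, so the 1.1.1.1 fallback must be reachable.")
        }
        if ($srv.Count -lt 2) {
            $findings.Add("Only one DC advertised for $domain; isolating it leaves no backup DC, and other hosts will not be isolatable.")
        }
    }
    catch { $findings.Add("Could not enumerate DCs for $domain via SRV lookup.") }
}

# 4. Proxy: the article says Huntress generally does not work through proxies.
$winhttp = (netsh winhttp show proxy) -join ' '
if ($winhttp -notmatch 'Direct access') {
    $findings.Add('A WinHTTP proxy is configured; the agent may not be able to reach Huntress.')
}

# 5. Always-on VPN: a connected VPN profile that carries internet traffic can break isolation.
if (Get-Command Get-VpnConnection -ErrorAction SilentlyContinue) {
    $vpn = @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.ConnectionStatus -eq 'Connected' })
    if ($vpn.Count -gt 0) {
        $findings.Add("Active VPN connection(s): $($vpn.Name -join ', '); review whether internet access depends on them.")
    }
}

if ($findings.Count -eq 0) { Write-Host 'No isolation-blocking configurations found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it on a representative host in each site before enabling Managed Host Isolation; any warning maps to one of the bullets above. The check cannot detect a second isolation product generically, so confirm that case from your own tooling inventory.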