Sophia Harrison 10.26.2021

Evolving the Hunt: Host Isolation for Smarter Defense

Will you be ready when the next attack happens?

Cyberattacks are the new normal. It’s no longer a question of “if” an attack is going to occur, but “when.” Your ability—or lack thereof—to quickly respond to a malware incident can make or break your business and client relationships. 

To help you overcome this ongoing challenge to your network’s security, we’ve added a Host Isolation feature to The Huntress Security Platform.

Isolating infected hosts buys you invaluable time to plan and implement remediation and recovery actions, thus minimizing or completely stopping the spread of malware within your network. This is an especially powerful tool when an incident occurs outside of normal business hours—a common attack window for hackers and other bad actors.

What Is Host Isolation?

Huntress’ Host Isolation feature provides users with the ability to quickly block incoming and outgoing network activity on infected hosts—significantly reducing the risk of malware spreading across your network.


The Huntress ThreatOps team determines when a critical incident has occurred, usually defined as an infection by malware that is known to spread quickly (e.g., Emotet, Trickbot, remote access tools [RATs] or ransomware). If an incident meets these criteria (and the account has authorized automated isolation), the following steps are implemented:

  • Huntress sends an “isolate” task to the agent
  • The host is isolated as soon as the agent processes the isolation task
  • ThreatOps sends a critical incident report to the affected account
  • Remediation steps are implemented, either with assistance from the ThreatOps team or by the account
  • The host remains in isolation until the incident report is resolved
  • Once resolved, a release task is sent to the agent to restore network connectivity

However, you can also opt for manual isolation. You might want to consider manual isolation under these circumstances:

  • A critical incident poses a serious risk to business continuity, and you want the ability to choose when to isolate the infected host
  • You use another security product that identified a threat, but it lacks network isolation functionality—so you want to manually enable Huntress’ Host Isolation feature


You can also exclude entire organizations or specific hosts from isolation events. Host Isolation is designed to accommodate your specific business security needs.

How Does Huntress Isolate a Host?

Huntress uses Windows Group Policy (GPO) to manage the host firewall. The GPO rules applied by Huntress block all inbound and outbound network connections unless the traffic is destined for the Huntress service (i.e., the agent or adapter) or similarly essential services.
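To make the "block everything except the management channel" idea concrete, here is an added illustration built on the local Windows Firewall rather than GPO; it is not Huntress' own code, and the agent-service and DNS addresses are placeholders you would replace with your own.

```powershell
# Illustrative deny-by-default isolation policy on the local Windows Firewall.
# Constructed example, not the Huntress implementation (which is GPO-driven).
# Run from an elevated PowerShell session on the host being isolated.

# ASSUMPTIONS (placeholders): the management service the agent must still reach,
# and the resolver treated as a "similarly essential" service.
$AgentServiceHosts = @('203.0.113.10', '203.0.113.11')   # placeholder addresses
$DnsServers        = @('198.51.100.53')                  # placeholder address
$RulePrefix        = 'ISOLATION-'

function Invoke-HostIsolation {
    # 1. Create the allow-list first so the agent never loses its channel
    #    (losing it would leave no way to push the later "release" task).
    New-NetFirewallRule -DisplayName "${RulePrefix}Agent-Out" -Direction Outbound `
        -Action Allow -Protocol TCP -RemotePort 443 -RemoteAddress $AgentServiceHosts | Out-Null
    New-NetFirewallRule -DisplayName "${RulePrefix}DNS-Out" -Direction Outbound `
        -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers | Out-Null
    New-NetFirewallRule -DisplayName "${RulePrefix}DHCP-Out" -Direction Outbound `
        -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null

    # 2. Flip every profile to deny-by-default in both directions.
    #    Caveat: pre-existing "Allow" rules still punch holes in a local policy;
    #    a centrally pushed GPO that ignores local rules avoids that gap.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Invoke-HostRelease {
    # Reverse the change: Windows' normal default is inbound block, outbound allow.
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
    Get-NetFirewallRule -DisplayName "${RulePrefix}*" | Remove-NetFirewallRule
}

function Test-HostIsolated {
    # True only when every profile blocks outbound traffic by default.
    $open = Get-NetFirewallProfile | Where-Object { $_.DefaultOutboundAction -ne 'Block' }
    return ($null -eq $open)
}
```

Calling Invoke-HostIsolation cuts the host off from everything but the listed addresses, so test it on a lab machine with console access before relying on it.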

How Long Does It Take for a Host to Be Isolated?

Huntress agents check into the portal every 15 minutes to receive new tasks, at which time any pending isolation or release tasks execute. As a result, there’s a lag between when these tasks are issued and when they are reflected on the host overview page. However, once a host is isolated, its agent checks in every five minutes to expedite tasking during incident response.

To learn more about Host Isolation, visit our support page or watch our on-demand webinar where we discuss this new feature.


Sophia Harrison

Polymath. Globe trekker. Product Marketing Manager at Huntress.