Team Huntress 10.26.2021 2 min read

Evolving the Hunt: Host Isolation for Smarter Defense

Will you be ready when the next attack happens?

Cyberattacks are the new normal. It’s no longer a question of “if” an attack is going to occur, but “when.” Your ability—or lack thereof—to quickly respond to a malware incident can make or break your business and client relationships. 

To help you overcome this ongoing challenge to your network’s security, we’ve added a Host Isolation feature to The Huntress Security Platform.

Isolating infected hosts buys you invaluable time to plan and implement remediation and recovery actions, thus minimizing or completely stopping the spread of malware within your network. This is an especially powerful tool when an incident occurs outside of normal business hours—a common attack window for hackers and bad agents. 

What Is Host Isolation?

Huntress’ Host Isolation feature provides users with the ability to quickly block incoming and outgoing network activity on infected hosts—significantly reducing the risk of malware spreading across your network.

HostIsolation

But what is Huntress-Managed Host Isolation?

The Huntress ThreatOps team determines when a ‘Host-Isolation’-worthy incident has occurred, usually defined as the infection of malware that is known to quickly spread (e.g., Emotet, Trickbot, etc.). If an incident meets this criterion (and the account has enabled ‘Huntress-Managed’ Host Isolation), the following steps are implemented: 

  • ThreatOps sends an incident report to the affected account, which triggers an isolation event for the associated Huntress managed host
  • The host is isolated as soon as the agent on the host processes the isolation task—which takes just seconds due to recent upgrades to our agent
  • Network connectivity checks are conducted to verify that the host is isolated
  • The account administrator can approve the provided Assisted Remediation steps associated with the incident report or manually remediate the incident
  • The host remains in isolation until the incident report is resolved
  • Once resolved, a release task is sent to the agent to restore network connectivity

Huntress ‘self-managed’ Host Isolation is also available from the Host Overview page. Here are some scenarios when you might want to manually isolate a host:

  • You have a host excluded from 'Huntress-Managed' Host Isolation due to certain business continuity concerns, but you now have decided that the risk posed by an ongoing incident is significant enough to isolate the computer. 
  • You use another security product that identified a threat, but it lacks network isolation functionality—so you leverage ‘self-managed’ Host Isolation via the Huntress portal. 

Account administrators can exclude entire organizations or specific hosts from ‘Huntress Managed Host Isolation’ events. The feature is designed to accommodate your specific business security needs.

image2-1

How Does Huntress Isolate a Host?

Host Isolation beta relied solely on Local Windows Group Policy (GPO). GPO-based isolation has limitations when hosts are not connected to their domain controller or for networks that utilize Domain-level GPO policy that can override Local GPO. 

The new and improved Huntress Host Isolation solution leverages the Windows Filtering Platform to manage the host firewall with a higher degree of efficacy. The rules applied by Huntress block all inbound and outbound network connections unless the traffic is destined for a Huntress service such as the agent or another essential service. 

How Long Does It Take for a Host to Be Isolated?

Host Isolation is triggered after a Huntress ThreatOps Analyst sends an incident report for an isolation-worthy incident or a partner manually clicks “Isolate Host” from the host overview page. These actions will send an isolation task to the host, and it will be processed within seconds if the host is online.

To learn more about Host Isolation, visit our support page.