Enable host isolation
complete
Patrick Sofo [Security Product Manager]
Huntress Managed Isolation is now Generally Available! Isolation now occurs within seconds of an incident report being sent by ThreatOps, and the isolation technology under the hood is much more effective, no longer solely relying on Windows GPO. All accounts that did not explicitly opt out during Beta have been opted into Managed Host Isolation, allowing the Huntress Threat Operations team to manage isolation events on your behalf during malware incidents. Learn more here! https://support.huntress.io/hc/en-us/articles/4404960349459
Over the next year we still have more improvements to add, some of which have been mentioned on this and other threads:
- RMM / custom FW exclusions
- End user/system notifications when a computer is isolated
- Kernel-mode driver based isolation
Johnson Lemke
I spoke with Dave @ IT Nation booth about this, but I would love to see a two-step approach.
Example Workflow:
[Phase One]
- Huntress identifies a risk worthy of Host Isolation (machine isolated fully, with the exception of the beacon back to the Huntress Dashboard)
- We investigate the info provided by Huntress, and decide to either remediate or enter phase two for further investigation / tool capabilities
[Phase Two]
- Toggle an option in Huntress to enable short allow list of communication (things on that list might include RMM, EDR, Remote Support)
- Investigate info provided by our tools in addition to Huntress, and decide to either grab machine for further forensics or wipe, or declare all clear and Disable Host Isolation
Corey Costello
Could we also get the option for isolation in general?
I.e., isolate hosts from each other, but allow for domain controller communications, GW, internet?
I really like where Huntress is going and trust the agent, but already being isolated from each other could prevent spread before identification
Edward Sirignano
+1 Would love to see customizable allow list when in isolation mode so we can still allow our RMM agent for remote support.
Patrick Sofo [Security Product Manager]
Edward Sirignano: This is on our short list of improvements as we build on top of the Beta offering. Thank you for the feedback!
Loida Rosenbaum
Definitely love this idea, and definitely needs to be configurable too so we can allow the tools we need to fix the issue. Also really needed when ransomware canaries are tripped! Waiting on review and alert for those is too slow currently.
Chris Bisnett
in progress
We've been working on a capability to isolate hosts for a few weeks now and it's going really well! This first iteration will allow Huntress to block all other inbound and outbound network traffic while still allowing the Huntress agent to send data and receive tasking.
I can hear the replies already asking if it will be possible to configure additional services that won't be blocked during isolation so that things like RMM and backup agents can still work. This is something we've been considering for a long time and while it won't be part of the first release, we are working on this and it will be a standard part of the Host Isolation feature.
We'll be rolling this out soon behind a feature flag as we start our normal opt-in private beta testing, so if you're interested in helping us test this out and looking to get a little more peace of mind for when Huntress finds some badness, let us know by sending an email to support@huntress.com.
Jamal Yundt
This option should also stop general Internet traffic except the known remote control tools, agents, and RMM management tools. Notify users as well.
Cameron Granger
Merged in a post:
Option to isolate infected endpoint upon "high" risk alert
Corey Costello
Have a checkbox to automatically disable the network card(s) of an impacted computer upon receiving a high risk.
- instead of disabling network cards, perhaps enable a whitelist that denies all traffic locally and allows traffic to a specific IP from which you allow remote remediation. I.e., stop the virus from spreading locally but still allow you to remediate remotely via the agent
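The two-phase workflow Johnson Lemke sketches above, Chris Bisnett's description of blocking everything except the agent's own traffic, and Corey Costello's "deny all locally, allow one remediation path" suggestion all describe the same host-firewall pattern. The script below is an added illustration written for this page, not Huntress's isolation code (which, per the thread, no longer relies solely on the Windows firewall/GPO and is moving toward a kernel-mode driver). It uses the Windows Defender Firewall cmdlets and assumes placeholder program paths and backend addresses (`ExampleAgent`, `ExampleRMM`, RFC 5737 documentation IPs) that you would replace with your own.

```powershell
# Added example, not Huntress code: a two-phase host-isolation policy built on the
# Windows Defender Firewall cmdlets (Set-NetFirewallProfile / New-NetFirewallRule).
# Phase one lets only the security agent beacon out; phase two layers on a short
# allowlist for RMM / remote-support tooling. Every path and address is a placeholder.
# Run from an elevated PowerShell session.

$RuleGroup = 'Example-Host-Isolation'              # tag so the rules are removable as a unit
$StateFile = Join-Path $env:ProgramData "$RuleGroup.xml"

# --- Placeholders (assumed values, not real vendor endpoints) ---
$AgentProgram = 'C:\Program Files\ExampleAgent\agent.exe'
$AgentBackend = @('203.0.113.10', '203.0.113.11')  # RFC 5737 documentation addresses
$RmmProgram   = 'C:\Program Files\ExampleRMM\rmm.exe'
$RmmBackend   = @('198.51.100.20')

function Enable-IsolationPhaseOne {
    # Record what we change so Disable-Isolation can undo it: the profile defaults and
    # every currently enabled rule. Pre-existing allow rules (file sharing, RDP, ...)
    # would otherwise punch holes in the default-block posture, so they are disabled.
    $state = @{
        Profiles      = Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
        DisabledRules = @((Get-NetFirewallRule -Enabled True | Where-Object Group -ne $RuleGroup).Name)
    }
    $state | Export-Clixml -Path $StateFile

    if ($state.DisabledRules.Count -gt 0) {
        Get-NetFirewallRule -Name $state.DisabledRules | Disable-NetFirewallRule
    }
    # Default-deny in both directions on every profile: inbound block stops lateral
    # spread from/to peers; outbound block stops everything not explicitly allowed below.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

    # The agent must still resolve its backend: allow DNS, but only to the resolvers
    # the client is already configured with, not "any host on port 53".
    $dns = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -Group $RuleGroup -DisplayName "$RuleGroup DNS $proto" `
            -Direction Outbound -Action Allow -Protocol $proto -RemotePort 53 -RemoteAddress $dns | Out-Null
    }

    # Agent beacon: this binary only, to its backend only, HTTPS only.
    New-NetFirewallRule -Group $RuleGroup -DisplayName "$RuleGroup Agent" `
        -Direction Outbound -Action Allow -Program $AgentProgram `
        -RemoteAddress $AgentBackend -Protocol TCP -RemotePort 443 | Out-Null
}

function Enable-IsolationPhaseTwo {
    # Adds the remediation allowlist on top of phase one; nothing else is reopened.
    New-NetFirewallRule -Group $RuleGroup -DisplayName "$RuleGroup RMM" `
        -Direction Outbound -Action Allow -Program $RmmProgram `
        -RemoteAddress $RmmBackend -Protocol TCP -RemotePort 443 | Out-Null
}

function Disable-Isolation {
    # Remove our rules, restore the saved profile defaults, re-enable what we disabled.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $state = Import-Clixml -Path $StateFile
    foreach ($p in $state.Profiles) {
        Set-NetFirewallProfile -Name $p.Name -DefaultInboundAction $p.DefaultInboundAction `
            -DefaultOutboundAction $p.DefaultOutboundAction
    }
    if ($state.DisabledRules.Count -gt 0) {
        Get-NetFirewallRule -Name $state.DisabledRules | Enable-NetFirewallRule
    }
    Remove-Item $StateFile -ErrorAction SilentlyContinue
}

function Get-IsolationStatus {
    # Quick check for the analyst: exactly what is still permitted while isolated?
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Direction, Action, Enabled
}
```

Two caveats worth knowing before relying on a rule set like this. Firewall rules delivered by Group Policy cannot be disabled from the local machine, so a GPO-managed allow rule survives phase one unless the policy also sets the profile to ignore local rules; that limitation is part of why the thread's author mentions moving beyond GPO-based isolation. And the allowlist keys on program path plus destination, so a process that can write to those paths or spoof the destination is not constrained by it; kernel-mode enforcement, also mentioned above, closes that gap.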