Evolving the Hunt: Host Isolation for Smarter Defense


Will you be ready when the next attack happens?

Cyberattacks are the new normal. It’s no longer a question of “if” an attack is going to occur, but “when.” Your ability—or lack thereof—to quickly respond to a malware incident can make or break your business and client relationships. 

To help you overcome this ongoing challenge to your network’s security, we’ve added a Host Isolation feature to The ĢTV Security Platform.

Isolating infected hosts buys you invaluable time to plan and carry out remediation and recovery, slowing or completely stopping the spread of malware within your network. This is especially valuable when an incident occurs outside normal business hours, a window attackers routinely exploit because fewer defenders are watching.

What Is Host Isolation?

ĢTV's Host Isolation feature lets users quickly block all inbound and outbound network activity on an infected host, significantly reducing the risk of malware spreading across the network.


But what is ĢTV-Managed Host Isolation?

The ĢTV ThreatOps team determines when an incident warrants Host Isolation, typically an infection with malware that is known to spread quickly across a network (e.g., Emotet, TrickBot). If an incident meets this criterion and the account has enabled ĢTV-Managed Host Isolation, the following steps take place:

  • ThreatOps sends an incident report to the affected account, which triggers an isolation event for the associated ĢTV managed host
  • The host is isolated as soon as the agent on the host processes the isolation task—which takes just seconds due to
  • Network connectivity checks are conducted to verify that the host is isolated
  • The account administrator can approve the provided steps associated with the incident report or manually remediate the incident
  • The host remains in isolation until the incident report is resolved
  • Once resolved, a release task is sent to the agent to restore network connectivity

ĢTV ‘self-managed’ Host Isolation is also available from the Host Overview page. Here are some scenarios when you might want to manually isolate a host:

  • A host is excluded from ĢTV-Managed Host Isolation because of business continuity concerns, but you decide that the risk posed by an ongoing incident is significant enough to isolate it anyway.
  • Another security product has identified a threat but has no network isolation capability of its own, so you use self-managed Host Isolation from the ĢTV portal to contain the host.

Account administrators can exclude entire organizations or specific hosts from ĢTV-Managed Host Isolation events, so the feature can be fitted to your specific business and security needs. Keep in mind that an excluded host will only ever be isolated manually.


How Does ĢTV Isolate a Host?

The Host Isolation beta relied solely on Local Group Policy to push firewall settings to the host. That approach has limitations: on domain-joined machines, domain-level Group Policy takes precedence over local policy and can override or discard the isolation settings, and the behaviour is harder to reason about when a host cannot reach its domain controller to refresh policy.

The new ĢTV Host Isolation implementation uses the Windows Filtering Platform (WFP) to manage the host firewall directly, which enforces the isolation more reliably. The rules ĢTV applies block all inbound and outbound network connections except traffic destined for a ĢTV service, such as the agent's own backend, and a small set of other essential services.
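To make the "block everything except the agent" rule set concrete, here is an added example that is not ĢTV's agent code. It approximates the isolate/verify/release cycle with the built-in Windows Defender Firewall cmdlets (the NetSecurity module, which itself sits on top of WFP) rather than calling the WFP API directly. The rule group name, the agent backend addresses and ports, the state directory and the hosts used by the connectivity check are all assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not ĢTV's code. Approximates "block all except the agent" with the
# Windows Defender Firewall cmdlets (NetSecurity module), which run on top of WFP.
# Every address, port and path below is an assumed placeholder for illustration.

$IsolationGroup = 'HostIsolation (example)'          # groups our rules so release can find them
$StateDir       = Join-Path $env:ProgramData 'HostIsolation'

function Invoke-HostIsolation {
    param(
        [string[]] $AgentAddress = @('203.0.113.10', '203.0.113.11'),  # assumed agent backend IPs
        [int[]]    $AgentPort    = @(443)                               # assumed agent port
    )
    New-Item -ItemType Directory -Path $StateDir -Force | Out-Null

    # 1. Snapshot the profile defaults and the set of enabled Allow rules so release can restore them.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
        Export-Csv -Path (Join-Path $StateDir 'profiles.csv') -NoTypeInformation
    $allowRules = Get-NetFirewallRule -Enabled True -Action Allow |
        Where-Object { $_.Group -ne $IsolationGroup }
    $allowRules | Select-Object -ExpandProperty Name |
        Set-Content -Path (Join-Path $StateDir 'disabled-rules.txt')

    # 2. Permit only what the agent needs. In Windows Firewall an explicit Block rule beats an
    #    explicit Allow rule, so "block all except X" is achieved by making the profile default
    #    Block (step 4) and disabling the other Allow rules (step 3), not by adding a block-all rule.
    #    If the real agent connects by hostname it would also need UDP/TCP 53 to its resolvers.
    New-NetFirewallRule -DisplayName 'Isolation: agent backend (out)' -Group $IsolationGroup `
        -Direction Outbound -Action Allow -Protocol TCP `
        -RemoteAddress $AgentAddress -RemotePort $AgentPort -Profile Any | Out-Null
    # DHCP renewals keep the host addressable on the LAN while isolated; omit for static addressing.
    New-NetFirewallRule -DisplayName 'Isolation: DHCP client (out)' -Group $IsolationGroup `
        -Direction Outbound -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67 -Profile Any | Out-Null

    # 3. Switch off every other Allow rule, including the Windows built-ins (Core Networking etc.).
    $allowRules | Disable-NetFirewallRule

    # 4. Block by default in both directions on all profiles, and make sure the firewall is on.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Test-HostIsolation {
    param(
        [string] $AgentHost = '203.0.113.10',   # assumed agent backend: must still be reachable
        [string] $OtherHost = '198.51.100.20'   # assumed unrelated host: must now be unreachable
    )
    # The connectivity check the post describes: only the agent endpoint may still answer.
    # ICMP is blocked too, so the ping warning from Test-NetConnection is suppressed.
    $agent = (Test-NetConnection -ComputerName $AgentHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    $other = (Test-NetConnection -ComputerName $OtherHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{
        AgentReachable = $agent
        OtherReachable = $other
        Isolated       = ($agent -and -not $other)
    }
}

function Invoke-HostRelease {
    # Reverse the steps above: restore profile defaults, re-enable the rules we disabled,
    # then remove our own rules and the saved state.
    $profiles = Join-Path $StateDir 'profiles.csv'
    if (Test-Path $profiles) {
        foreach ($p in Import-Csv $profiles) {
            Set-NetFirewallProfile -Name $p.Name -Enabled $p.Enabled `
                -DefaultInboundAction $p.DefaultInboundAction -DefaultOutboundAction $p.DefaultOutboundAction
        }
    }
    $disabled = Join-Path $StateDir 'disabled-rules.txt'
    if (Test-Path $disabled) {
        Get-Content $disabled | Where-Object { $_ } | ForEach-Object { Enable-NetFirewallRule -Name $_ }
    }
    Remove-NetFirewallRule -Group $IsolationGroup -ErrorAction SilentlyContinue
    Remove-Item -Path $StateDir -Recurse -Force -ErrorAction SilentlyContinue
}

# Usage (from an elevated PowerShell session):
#   Invoke-HostIsolation; Test-HostIsolation; Invoke-HostRelease
```

Two caveats a practitioner should keep in mind. First, this script only edits the local firewall policy store: if domain Group Policy manages Windows Firewall on the host (for example by not applying local rules, or by setting the profile defaults), a policy refresh can undo these changes, which is the same weakness the post attributes to its Group Policy-based beta and the reason it gives for moving to WFP directly. Second, the release path depends on the saved state files; an agent that isolates hosts for a living should keep that state somewhere a tampering user or malware cannot trivially delete, and should fail safe (remain isolated) if the state is missing.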

How Long Does It Take for a Host to Be Isolated?

Host Isolation is triggered when a ĢTV ThreatOps analyst sends an incident report for an isolation-worthy incident, or when a partner manually clicks "Isolate Host" on the host overview page. Either action sends an isolation task to the host's agent, which processes it within seconds if the host is online. An offline host picks up the pending task the next time its agent checks in.

To learn more about Host Isolation, visit our .
