Isolate Endpoints from Network CM0065
Details
- ID: CM0065
- Version: 1.0
- Created: 14 March 2025
- Modified: 14 March 2025
- Type: Disable
- Status: Active
Intended Outcome
Isolating an endpoint from the network blocks adversary initial access, lateral movement, and command and control to and from the host.
Introduction
An endpoint is any physical or virtual device or node on a network that is the ultimate destination of communications, encompassing laptops, desktops, workstations, smartphones, servers, IoT devices, virtual machines, and other computing devices linked within an enterprise environment. Adversaries that compromise an endpoint can perform a range of techniques to accomplish their objectives. By isolating a compromised endpoint, responders can contain an incident by preventing the threat from issuing C2 commands and/or moving laterally across the network. Endpoint isolation can further disrupt or limit additional network-centric activities such as discovery, collection, and exfiltration, although automated actions that do not require real-time communication with the adversary may still occur.
Preparation
- Ensure plans, procedures, and authorities are in place to enable rapid containment of compromised endpoints.
- This countermeasure requires effective asset management and assumes use of endpoint management software or endpoint detection and response (EDR).
- Having backups or redundant devices available to replace the compromised endpoint will mitigate the likelihood of operational interruption.
Risks
- Isolating critical endpoints may disrupt important business operations. Responders should factor potential operational impacts into their decision-making process.
Guidance
Software solutions (e.g. CrowdStrike, Defender for Endpoint, SentinelOne, etc.) may be used to quickly segregate endpoints from the rest of the network. Alternatively, teams may configure endpoint solutions to automatically isolate devices via workflows or playbooks under circumstances that warrant immediate containment. In some cases, system administrators may want to consider either logical segregation (virtual separation) or physical disconnection from the network.
While the steps to perform endpoint isolation vary depending on the circumstances of the incident, the characteristics of the network, and the options available to the organization, the general steps are as follows:
- Identify compromised endpoint(s)
- Understand the compromised endpoint(s)' purpose to assess the potential for operational impact
  - Identify the type of endpoint (mobile device, workstation, server, etc.)
  - Determine the endpoint's function (desktop, web server, application server, etc.)
  - Identify to whom the endpoint is assigned and the individual's role (business function, administrator, c-suite/leadership, etc.)
- Isolate the endpoint(s) from the network
  - As part of isolation, responders may freeze system processes, prevent user interaction, and perform a forensic capture of the device.
- Investigate and eradicate the threat
- Prioritize recovery according to endpoint criticality
- Redeploy in a phased approach
- Monitor restored endpoints for persistent malicious activity
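One host-level form of the logical segregation described above, added here as an example that is not part of this playbook: an nftables ruleset for a Linux endpoint that drops all traffic except loopback and the EDR/management channel, so responders keep control of the host while it is cut off from the rest of the network. The management server address and port (MGMT_HOST, MGMT_PORT) are placeholders.

```shell
#!/bin/sh
# Added example: logical isolation of a Linux endpoint with nftables.
# MGMT_HOST/MGMT_PORT are placeholders for the organization's EDR or
# management server; override them in the environment before use.
MGMT_HOST="${MGMT_HOST:-192.0.2.10}"
MGMT_PORT="${MGMT_PORT:-443}"

# Print the isolation ruleset. Inbound packets are accepted only as replies
# from the management host, so sessions an adversary already holds are cut
# along with new connections, and no other outbound traffic is permitted.
isolation_ruleset() {
  cat <<EOF
flush ruleset
table inet isolate {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ip saddr $MGMT_HOST tcp sport $MGMT_PORT ct state established,related accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ip daddr $MGMT_HOST tcp dport $MGMT_PORT accept
  }
}
EOF
}

# Syntax-check the ruleset without loading it (requires nft on the host).
check_isolation() { isolation_ruleset | nft -c -f -; }

# Load the ruleset; "flush ruleset" replaces any rules already on the host.
apply_isolation() { isolation_ruleset | nft -f -; }

case "${1:-}" in
  apply) apply_isolation ;;
  check) check_isolation ;;
  *)     isolation_ruleset ;;
esac
```

Run with `check` before `apply`, and have the EDR/management channel confirmed reachable before isolating, since the ruleset blocks every other path to the host.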
References
- IR in focus: Isolating & containing a confirmed threat | https://redcanary.com/blog/incident-response/ir-containment-isolation/
- Endpoint Isolation | https://thewatchman.pro/endpoint-isolation/