How to Network Contain an Endpoint with Falcon Endpoint Protection
Introduction
This document and accompanying video will demonstrate how to network contain (quarantine) an endpoint with Falcon Endpoint Protection. When systems are contained, they will lose the ability to make network connections to anything other than the CrowdStrike cloud infrastructure and any internal IP addresses that have been specified in the Respond App.
Prerequisites
A Windows 7 SP1 or higher system with the Falcon sensor installed.
Identify and contain a compromised system
In the Falcon UI, navigate to the Detections App. Network containment is often necessary when a system appears infected and you want to prevent lateral movement, persistence and exfiltration, among other risks.
In our Activity App, we see a system that has multiple detections in a short amount of time, and it can quickly be ascertained that action should be taken. To get more detail, select any of the lines where an alert is indicated. Doing so will provide more details and allow you to take immediate action.
After drilling into the alert, we can see multiple detection patterns, including known malware, credential theft and web exploit. Drilling into the process tree, we can see that reconnaissance was performed and credential theft occurred, possibly in preparation for lateral movement.
To prevent this movement and contain this system from the network, select the “Network Contain this machine” option near the top of the page.
Selecting “Network Contain” opens a dialog box with a summary of the changes you are about to make and an area to add comments.
After the information is entered, select Confirm. The dialog box will close and take you back to the previous detections window. To verify that the host has been contained, select the hosts icon next to the Network Contain button.
The Hosts app will open so you can verify that the host is either in progress or has been contained. Containment should be complete within a few seconds. If containment is still pending, the system may currently be offline.
Removing a system from Network Contain
After investigation and remediation of the potential threat, it is easy to bring the device back online. Since the connection between the Falcon Sensor and the Cloud is still permitted while a host is contained, “un-contain” is accomplished through the Falcon UI.
In the UI, navigate to the Hosts app. Locate the contained host, or filter hosts based on “Contained” at the top of the screen. Once the host is selected you’ll see that the status is contained (see previous screenshot); click the “Status: Contained” button.
Make any comments and select “Confirm”. The status will change from “Lift Containment Pending” to “Normal” (a refresh may be required). Again, if the change doesn’t happen within a few seconds, the host may be offline.
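The same contain and lift-containment steps can be driven from the Hosts API instead of the UI, which is useful when a responder has to act on many hosts or record the outcome. The script below is an added example, not CrowdStrike's own code; it assumes the FalconPy SDK (`crowdstrike-falconpy`), an API client with Hosts read/write scopes in `FALCON_CLIENT_ID`/`FALCON_CLIENT_SECRET`, and the device `status` values `normal`, `containment_pending`, `contained` and `lift_containment_pending` reported by the Hosts API. It encodes the caveat from the text: a host still pending after a timeout is reported as likely offline rather than as an error.

```python
"""Contain (or un-contain) one Falcon host by hostname and wait for the status to settle."""
import os
import time

# Device-record status values for each action (assumed from the Hosts API).
SETTLED = {"contain": "contained", "lift_containment": "normal"}
PENDING = {"contain": "containment_pending", "lift_containment": "lift_containment_pending"}


def evaluate(action: str, status: str, elapsed: float, timeout: float = 30.0) -> str:
    """Classify a polled status as 'done', 'wait', or 'offline'.

    Containment normally completes within seconds; a host that is still
    pending once the timeout has passed is most likely offline and will be
    actioned by the cloud when the sensor next connects.
    """
    if status == SETTLED[action]:
        return "done"
    if status == PENDING[action]:
        return "offline" if elapsed >= timeout else "wait"
    raise ValueError(f"unexpected status {status!r} for action {action!r}")


def change_containment(hostname: str, action: str = "contain", timeout: float = 30.0) -> str:
    """Apply 'contain' or 'lift_containment' to exactly one host and poll until settled."""
    from falconpy import Hosts  # imported here so evaluate() stays usable without the SDK

    falcon = Hosts(client_id=os.environ["FALCON_CLIENT_ID"],
                   client_secret=os.environ["FALCON_CLIENT_SECRET"])
    # Resolve the hostname to an agent ID; refuse to act on an ambiguous match.
    found = falcon.query_devices_by_filter(filter=f"hostname:'{hostname}'")
    ids = found["body"].get("resources", [])
    if len(ids) != 1:
        raise LookupError(f"expected exactly one host named {hostname!r}, found {len(ids)}")
    resp = falcon.perform_action(action_name=action, ids=ids)
    if resp["status_code"] not in (200, 202):
        raise RuntimeError(f"{action} rejected: {resp['body'].get('errors')}")
    start = time.monotonic()
    while True:
        record = falcon.get_device_details(ids=ids)["body"]["resources"][0]
        verdict = evaluate(action, record.get("status", ""), time.monotonic() - start, timeout)
        if verdict != "wait":
            return verdict
        time.sleep(2)


if __name__ == "__main__":
    # Hostname and action are placeholders; the comment field of the UI dialog is not set here.
    print(change_containment("WORKSTATION-PLACEHOLDER", "contain"))
```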
Conclusion
Network containment is a fast and powerful tool that is designed to give the security admin the power needed to identify threats and stop them. For more information on Falcon, see the additional resources and links below.