How to Network Contain an Endpoint with Falcon Host Endpoint Protection

Introduction

This document and accompanying video will demonstrate how to network contain (quarantine) an endpoint with Falcon Host Endpoint Protection. When systems are contained, they will lose the ability to make network connections to anything other than the CrowdStrike cloud infrastructure and any internal IP addresses that have been specified in the Respond App.

Video


Prerequisites

A Windows 7 SP1 or higher system with the Falcon Host sensor installed.

Identify and contain a compromised system

In the Falcon Host UI, navigate to the Detections App. Network containment is often necessary when a system appears to be infected and you want to prevent lateral movement, persistence and exfiltration, among other risks.

In our Activity App, we see a system with multiple detections in a short amount of time, so it can quickly be ascertained that action should be taken. To get more detail, select any of the lines where an alert is indicated. Doing so provides more details and allows you to take immediate action.

[Screenshot: infected-host]

After drilling into the alert, we can see multiple detection patterns, including known malware, credential theft and web exploit. Drilling into the process tree, we can see that reconnaissance was performed and credential theft occurred, possibly in preparation for lateral movement.

[Screenshot: host-activity-and-network-contain]

To prevent this movement and isolate this system from the network, select the “Network Contain this machine” option near the top of the page.

Selecting “Network Contain” opens a dialog box with a summary of the changes you are about to make and an area to add comments.

[Screenshot: contain-status]

After the information is entered, select Confirm. The dialog box closes and returns you to the previous detections window. To verify that the host has been contained, select the hosts icon next to the Network Contain button.

[Screenshot: host-button]

The Hosts app will open so you can verify that containment is either in progress or complete. Containment should be complete within a few seconds. If containment stays pending, the system may currently be offline; the sensor applies the containment when it next connects to the cloud.
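The rule stated in the introduction (a contained host may only reach the CrowdStrike cloud and the internal IP addresses allowlisted in the Respond App) and the verification step above can be modelled in code. The following is an added example, not part of this post and not CrowdStrike's own implementation: it expresses the containment allowlist as a policy object and audits a constructed list of observed connections from a contained host, flagging any destination that was reached but should have been blocked. The cloud hostname, the allowlisted range and the connection records are all constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical sensor-to-cloud hostname; the real endpoints are not listed on the page.
CLOUD_ALLOW_HOSTS = {"sensor-cloud.example.invalid"}


@dataclass
class ContainmentPolicy:
    """Models the containment rule described in the post: when contained, a host
    may reach only the CrowdStrike cloud plus any allowlisted internal IP ranges."""
    contained: bool
    allowed_hosts: set = field(default_factory=set)
    allowed_networks: list = field(default_factory=list)  # ipaddress network objects

    @classmethod
    def build(cls, contained, allowed_hosts=(), allowed_cidrs=()):
        """Parse CIDR strings once so per-connection checks are cheap."""
        nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
        return cls(contained, set(allowed_hosts), nets)

    def permits(self, destination):
        """Return True if a connection to `destination` (IP or hostname) should succeed."""
        if not self.contained:
            return True  # normal status: no restriction imposed by containment
        if destination in self.allowed_hosts:
            return True  # sensor-to-cloud traffic stays open so 'un-contain' still works
        try:
            addr = ipaddress.ip_address(destination)
        except ValueError:
            return False  # any other hostname is blocked while contained
        return any(addr in net for net in self.allowed_networks)


def audit_contained_host(policy, connections):
    """connections: list of (destination, outcome) tuples where outcome is the
    observed result, "allowed" or "blocked". Returns the destinations that were
    reached even though the policy says they should be blocked. A non-empty
    result means containment is not yet effective (for example still pending
    because the host was offline) and warrants a re-check in the Hosts app."""
    return [dst for dst, outcome in connections
            if outcome == "allowed" and not policy.permits(dst)]


# Constructed policy: host is contained, one internal /24 allowlisted in the Respond App.
POLICY = ContainmentPolicy.build(
    contained=True,
    allowed_hosts=CLOUD_ALLOW_HOSTS,
    allowed_cidrs=["10.20.30.0/24"],
)

# Constructed connection records as they might be observed after containment.
SAMPLE_CONNECTIONS = [
    ("sensor-cloud.example.invalid", "allowed"),  # cloud: expected to succeed
    ("10.20.30.40", "allowed"),                   # allowlisted internal host: expected
    ("10.20.99.5", "blocked"),                    # non-allowlisted internal: expected block
    ("203.0.113.7", "allowed"),                   # external reach while contained: violation
]

if __name__ == "__main__":
    for dst in [d for d, _ in SAMPLE_CONNECTIONS]:
        print(f"{dst:30} permitted={POLICY.permits(dst)}")
    print("violations:", audit_contained_host(POLICY, SAMPLE_CONNECTIONS))
```

The audit function is the useful part: if a host shows "Contained" in the Hosts app but connection records still show it reaching destinations outside the allowlist, containment has not taken effect on the endpoint and the status should be re-checked rather than trusted.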

[Screenshot: Contained host in hosts app]

Removing a system from Network Contain

After investigation and remediation of the potential threat, it is easy to bring the device back online. Since the connection between the Falcon Host sensor and the cloud is still permitted while contained, “un-contain” is accomplished through the Falcon Host UI.

In the UI, navigate to the Hosts app. Locate the contained host, or filter hosts by “Contained” at the top of the screen. Once the host is selected you’ll see that its status is contained (see previous screenshot); click the “Status: Contained” button.

[Screenshot: uncontain-host-dialogue-box]

Add any comments and select “Confirm”. The status will change from “Lift Containment Pending” to “Normal” (a refresh may be required). Again, if the change doesn’t happen within a few seconds, the host may be offline.

Conclusion

Network containment is a fast and powerful tool designed to give the security admin the ability to identify threats and stop them. For more information on Falcon Host, see the additional resources and links below.

More resources
