Containment | P1 | ~30 min

Network Isolation of Compromised Systems

Isolate compromised systems from the network to stop lateral movement and data exfiltration while preserving forensic access. Prefer EDR network containment where available: it cuts all other traffic but keeps the sensor's channel to its cloud open, so remote evidence collection and response actions still work. Fall back to switch-level quarantine or firewall ACLs otherwise.

Actions

  1. Initiate EDR network containment on the compromised host. CrowdStrike: Network Contain from the host's page in the Falcon console, or via the API `POST /devices/entities/devices-actions/v2?action_name=contain` with body `{"ids": ["<host_aid>"]}` (`falconctl` does not expose containment; `falconctl -s --cid` only sets the customer ID at install time). Defender: Isolate device from the MDE portal, or via the API `POST /api/machines/{id}/isolate` with body `{"Comment": "<ticket>", "IsolationType": "Full"}`.

  2. If EDR containment is not available, implement switch-port isolation: move the host's access port to a quarantine VLAN with no routes except to the forensic workstation. Document the original VLAN assignment.

  3. Deploy firewall rules that block the host IP in both directions except to and from the forensic subnet. The allow must sit above the drop; on a Linux forwarding device insert the drops first and then the allows at position 1: `iptables -I FORWARD 1 -s <compromised_ip> -j DROP`, `iptables -I FORWARD 1 -d <compromised_ip> -j DROP`, then `iptables -I FORWARD 1 -s <compromised_ip> -d <forensic_subnet> -j ACCEPT` and `iptables -I FORWARD 1 -d <compromised_ip> -s <forensic_subnet> -j ACCEPT`, or the equivalent on your perimeter firewall.

  4. Verify isolation is effective: from a host outside the forensic subnet, attempt to ping, SSH, and reach SMB (445/tcp) on the isolated host and confirm every attempt is refused or times out. Then confirm from the forensic workstation that its access still works, and check the firewall or EDR console for any allowed flows involving the host after the containment timestamp.

  5. For ransomware: immediately block SMB (445/tcp) and RDP (3389/tcp) between segments to stop encryption spreading over shares and interactive logons. Use firewall rules such as `deny tcp any any eq 445` and `deny tcp any any eq 3389` on the inter-VLAN ACLs. Expect side effects: domain clients need SMB to domain controllers for SYSVOL and Group Policy, so exempt the DC subnet or scope the ACL to the affected segments where you can, and record the change in the containment log.

Queries

DeviceNetworkEvents | where DeviceName == "COMPROMISED_HOST" | where Timestamp > ago(1h) | summarize ConnectionCount=count() by RemoteIP, RemotePort, ActionType | order by ConnectionCount desc
index=firewall sourcetype=paloalto_traffic src_ip=COMPROMISED_IP action=allowed | stats count by dest_ip, dest_port, app | sort -count | head 50
index=network sourcetype=cisco:asa src_ip=COMPROMISED_IP OR dest_ip=COMPROMISED_IP | timechart span=5m count by action
index=firewall src_ip=COMPROMISED_IP OR dest_ip=COMPROMISED_IP action=allowed earliest=-1h | stats count by src_ip, dest_ip, dest_port, action | sort -count | head 20

Notes

CRITICAL: Before isolating, capture volatile memory if the host is still powered on. Isolation may trigger anti-forensic kill switches in some malware, and a memory image taken after that point may be worthless. Weigh the capture time against ongoing harm: if the host is actively exfiltrating or encrypting, contain first and accept the forensic loss.

Maintain a list of all isolation actions taken with timestamps for the containment log -- these must be reversed during recovery.
