1 Reply Latest reply on Jul 7, 2017 1:37 PM by d_aloy

    NSP - Host Quarantine for internal systems - forensics/analysis

    d_aloy

      Hi all

       

      I was thinking of using Host Quarantine (manual only, not based on an attack trigger) for the following use cases: malware infection, system compromise, remote forensics.

       

      The idea is to manually quarantine internal hosts when a malware outbreak is detected or if the system has been compromised and forensics need to investigate. The thing is, Host Quarantine rules only allow the rule to use 'destination IP/network'. This means that if I allow SSH to a jumpbox the forensics will use, the connection has to be from the compromised system to the jumpbox. So anything I allow on the rules will only allow it 'outbound' from the infected/compromised system. Do you see the challenge here? I would like to grant inbound rules to the target host... and it seems Host Quarantine is not the ideal feature for these use cases.

       

      I was wondering if anyone in the field has implemented Host Quarantine in a similar way? Or if you guys have any ideas on how we could achieve the quarantine of internal hosts for forensics/analysis after an incident...

       

      Thoughts? New PER??

       

      Cheers.

      David
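
The asymmetry described in the post above, modelled as an added example (not NSP configuration and not code from the original post): quarantine rules are assumed to match only on destination network and port, and only on traffic the quarantined host itself initiates, which is the behaviour the post describes. The host, jumpbox and other addresses are constructed sample data. Running it shows why a 'destination = jumpbox, port 22' rule lets the compromised host reach the jumpbox but does nothing for the forensic analyst trying to SSH in the other way.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """One connection attempt, seen at the NSP sensor (constructed sample data)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class QuarantineRule:
    """Assumed rule shape: destination network/port only, as the post describes."""
    dst_net: str
    dport: Optional[int] = None  # None = any port
    proto: str = "tcp"


def evaluate(quarantined_host: str, rules: List[QuarantineRule], flow: Flow) -> str:
    """Decide what happens to a flow while quarantined_host is under quarantine.

    Assumed model (an assumption, not vendor-confirmed behaviour):
    - traffic the quarantined host *sends* is allowed only if a rule matches
      its destination network and port; otherwise it is dropped;
    - traffic *to* the quarantined host is dropped unconditionally, because
      the rules have no source field to express an inbound exception;
    - flows that do not involve the host are outside the quarantine policy.
    """
    if flow.src == quarantined_host:
        for rule in rules:
            if (
                rule.proto == flow.proto
                and ip_address(flow.dst) in ip_network(rule.dst_net)
                and (rule.dport is None or rule.dport == flow.dport)
            ):
                return "allow"
        return "drop"
    if flow.dst == quarantined_host:
        return "drop"
    return "not-quarantined"


# Constructed addresses for the illustration.
COMPROMISED = "10.20.30.40"
JUMPBOX = "10.0.0.5"
FILESERVER = "10.20.30.50"

# The one exception the post considers: let the host talk to the jumpbox on 22.
RULES = [QuarantineRule(dst_net="10.0.0.5/32", dport=22)]


def sample_decisions() -> dict:
    """Evaluate the flows that matter for the forensics use case."""
    flows = {
        "host_to_jumpbox_ssh": Flow(COMPROMISED, JUMPBOX, 22),
        "jumpbox_to_host_ssh": Flow(JUMPBOX, COMPROMISED, 22),   # what the analyst wants
        "host_to_fileserver_smb": Flow(COMPROMISED, FILESERVER, 445),  # lateral movement
        "fileserver_to_host_smb": Flow(FILESERVER, COMPROMISED, 445),
        "jumpbox_to_fileserver_ssh": Flow(JUMPBOX, FILESERVER, 22),
    }
    return {name: evaluate(COMPROMISED, RULES, f) for name, f in flows.items()}


def inbound_reachable(quarantined_host: str, rules: List[QuarantineRule], flow: Flow) -> bool:
    """True only if an analyst-initiated session toward the host would be allowed.

    With destination-only rules this can never be True, whatever the rule list
    says; the function exists to make that limitation explicit and testable.
    """
    return flow.dst == quarantined_host and evaluate(quarantined_host, rules, flow) == "allow"


if __name__ == "__main__":
    for name, verdict in sample_decisions().items():
        print(f"{name:28s} -> {verdict}")
```

The only session the rule set permits is the one the compromised host opens toward the jumpbox; every attempt in the opposite direction is dropped regardless of how many destination rules are added, which is exactly the gap the post raises.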