I was thinking of using Host Quarantine (manual only, not based on attack trigger) for the following use cases: malware infection, system compromise, remote forensics.
The idea is to manually quarantine internal hosts when a malware outbreak is detected or if the system has been compromised and forensics need to investigate. The thing is, Host Quarantine rules only allow the rule to use 'destination IP/network'. This means that if I allow ssh to a jumpbox the forensics will use, the connection has to be from the compromised system to the jumpbox. So anything I allow on the rules will only allow it 'outbound' from the infected/compromised system. Do you see the challenge here? I would like to grant inbound rules to the target host... and it seems host quarantine is not the ideal feature for these use cases.
I was wondering if anyone in the field has implemented host quarantine in a similar way? Or if you guys have any ideas on how we could achieve the quarantine of internal hosts for forensics/analysis after an incident...
Thoughts? New PER??
So no feedback whatsoever on this one....
Is anyone using the quarantine option on NSP?
If yes, how?
If no, why?