Description of Response Tools
Isolate Computer
Cytomic Orion enables you to isolate computers on demand to prevent the spread of threats and to block the exfiltration of confidential data.
When you isolate a computer, the solution blocks all communications, except for those it requires:
- Access to the computer from the analysis console so the incident response team can resolve possible problems with the tools provided by Cytomic Orion.
- Communications required by the Cytomic EDR and Cytomic EPDR security products to work correctly.
All other products and services installed on the affected workstation or server cannot communicate through the Internet/network.
To isolate a computer, select Isolate computer in the context menu associated with the relevant entity of interest.
Computer Isolation Statuses
The Isolate computer and Stop isolating computer operations are performed in real time. However, they might be delayed if the target computer is offline. To show the exact situation of a computer, Cytomic Orion distinguishes among four different isolation statuses through these icons:
- Isolating: The analyst launched a request to isolate one or more computers and the request is being processed.
- Isolated: The isolation process has completed and the computer's communications are restricted.
- Stopping isolation: The analyst launched a request to stop isolating one or more computers and the request is being processed.
- Not isolated: The process to stop isolating a computer has completed. The computer is allowed to communicate with other computers based on the settings configured in other products or in the operating system.
These icons also appear next to the computers shown in the Entities of interest sub-panel of an investigation.
Allowed Communications on an Isolated Computer
Cytomic Orion denies all communications to and from isolated computers except those required to perform remote forensic analysis and to use the response tools. The following sections list the allowed and blocked communications.
Allowed processes and services:
System Processes:
- All services required for the computer to be part of the corporate network: DHCP services to obtain IP addresses, ARP, WINS and DNS host name resolution services, etc.
Cytomic Orion Processes:
- Services required to communicate with the default gateway.
- Services required to communicate with the Cytomic cloud in order to send the information collected from the monitoring of processes, and to enable administrators to perform remote management tasks in the web console.
Cytomic EDR:
- Services required to communicate with the default gateway.
- Services required to communicate with the Cytomic cloud in order to allow the protection engines to work, download signature files, and enable administrators to perform remote management tasks in the web console.
- Services required to communicate with the Cytomic cloud for the correct operation of the modules compatible with Cytomic EDR (Cytomic Patch, Cytomic Encryption, Cytomic Data Watch).
- Services required by an isolated machine with the discovery computer role to perform discovery tasks.
- Services required by an isolated machine with the cache role to act as a file server.
- Services required by a machine with the Cytomic proxy role assigned to act as a connection proxy.
Blocked Communications on an Isolated Computer
All communications that are not listed in the section above are denied. This includes:
- Connection to the operating system's Windows Update service.
  The Cytomic Patch module remains operational on isolated computers.
- Web browsing, FTP, mail, and other Internet protocols.
- SMB file transfer between PCs on the network.
- Remote installation of the Cytomic EDR security product.
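The two ideas this page describes, a status that only becomes Isolated once the agent has actually applied the request, and a default-deny network policy with a short allowlist (DHCP, ARP, DNS/WINS, the default gateway and the vendor cloud), can be modelled in a few lines. The block below is an added example for illustration and is not Cytomic's code; the gateway address, the cloud hostname suffix and the port numbers used to recognise each allowed service are assumptions, not values taken from the product.

```python
"""Model of endpoint isolation: status transitions plus a default-deny allowlist.

Added example, not Cytomic Orion code. The gateway IP, the cloud hostname
suffix and the port-to-service mapping are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class IsolationStatus(Enum):
    NOT_ISOLATED = "not_isolated"
    ISOLATING = "isolating"
    ISOLATED = "isolated"
    STOPPING_ISOLATION = "stopping_isolation"

# Constructed placeholders: a real deployment would use its own gateway and cloud endpoints.
DEFAULT_GATEWAY = "192.0.2.1"
VENDOR_CLOUD_SUFFIX = ".vendor-cloud.example"

@dataclass(frozen=True)
class Connection:
    proto: str            # "tcp", "udp" or "arp"
    dst: str              # destination IP address or hostname
    dport: Optional[int]  # destination port, None for ARP

def allowed_when_isolated(conn: Connection) -> bool:
    """Allowlist applied while a host is isolated; everything else is denied."""
    proto = conn.proto.lower()
    if proto == "arp":
        return True                                   # link-layer address resolution
    if proto == "udp" and conn.dport in (67, 68):
        return True                                   # DHCP address assignment
    if conn.dport == 53 or (proto == "udp" and conn.dport == 137):
        return True                                   # DNS and WINS name resolution
    if conn.dst == DEFAULT_GATEWAY:
        return True                                   # traffic to the default gateway
    if proto == "tcp" and conn.dport == 443 and conn.dst.endswith(VENDOR_CLOUD_SUFFIX):
        return True                                   # agent telemetry and console management
    return False   # default deny: web, mail, FTP, SMB, Windows Update and everything else

class Endpoint:
    """Tracks the four isolation statuses; requests queue while the host is offline."""

    def __init__(self, online: bool = True) -> None:
        self.online = online
        self.status = IsolationStatus.NOT_ISOLATED
        self._pending: Optional[IsolationStatus] = None

    def request_isolate(self) -> IsolationStatus:
        self.status = IsolationStatus.ISOLATING
        self._pending = IsolationStatus.ISOLATED
        return self._deliver()

    def request_stop_isolating(self) -> IsolationStatus:
        self.status = IsolationStatus.STOPPING_ISOLATION
        self._pending = IsolationStatus.NOT_ISOLATED
        return self._deliver()

    def set_online(self, online: bool) -> IsolationStatus:
        self.online = online
        return self._deliver()

    def _deliver(self) -> IsolationStatus:
        # The agent applies the request only when reachable; an offline host keeps
        # the transitional status until it reconnects.
        if self.online and self._pending is not None:
            self.status, self._pending = self._pending, None
        return self.status

    def permits(self, conn: Connection) -> bool:
        # Modelling choice: only the Isolated status enforces the allowlist.
        if self.status is IsolationStatus.ISOLATED:
            return allowed_when_isolated(conn)
        return True

def audit(endpoint: Endpoint, conns: list) -> dict:
    """Map each attempted connection to the verdict the endpoint would give."""
    return {f"{c.proto}:{c.dst}:{c.dport}": endpoint.permits(c) for c in conns}

if __name__ == "__main__":
    host = Endpoint(online=False)
    host.request_isolate()            # Isolating: host is offline, request queued
    host.set_online(True)             # Isolated: agent applied the request
    sample = [                        # constructed connection attempts
        Connection("udp", "192.0.2.1", 67),
        Connection("tcp", "agent.vendor-cloud.example", 443),
        Connection("tcp", "fileserver.corp.example", 445),
        Connection("tcp", "www.example.com", 80),
    ]
    for key, verdict in audit(host, sample).items():
        print(f"{key:45} {'allow' if verdict else 'deny'}")
```

Running the block isolates an offline host, shows the status staying at Isolating until the host reconnects, and then prints an allow/deny verdict for each constructed connection: DHCP and the cloud agent channel pass, SMB and plain web browsing are denied.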