Isolation Techniques

Endpoint and network isolation stops an active threat from spreading, communicating with its command-and-control server, or causing further damage.
Isolation is one of the fastest and most effective actions in incident response because it cuts the attacker off instantly while preserving the system for investigation.

This chapter covers isolation at SOC depth: endpoint, network, identity, application, cloud, and workload methods, with practical commands and a containment workflow.


Purpose of Isolation

Isolation aims to:

  • Stop lateral movement

  • Cut off outbound C2 communication

  • Prevent data exfiltration

  • Stop malware propagation

  • Protect critical assets

  • Preserve volatile evidence for forensics

  • Gain control of compromised environments

The goal is not to clean yet, but to contain and freeze the threat.


When Isolation Is Triggered

SOC analysts isolate when they see:

  • Known malware execution

  • Confirmed C2 beaconing

  • Credential dumping

  • Fileless malware behavior

  • Lateral movement attempts

  • Ransomware indicators

  • Privileged account compromise

  • Multiple high-severity correlated alerts

Isolation is used when the risk of continued activity outweighs the impact of taking a system offline.


Isolation Methods (SOC-Level Breakdown)

Isolation happens at multiple layers depending on the attacker’s behavior.


Endpoint Isolation

Endpoint isolation disconnects the infected system from the network but keeps it powered on.

Most EDR platforms support one-click isolation:

  • CrowdStrike “Network Containment”

  • SentinelOne “Network Quarantine”

  • Defender for Endpoint “Device Isolation”

  • Carbon Black “Isolate Endpoint”

Isolation actions include:

  • Blocking all inbound/outbound traffic

  • Allowing secure channel communication only with the EDR console

  • Preventing SMB, RDP, HTTP, DNS, and ICMP

EDR-based isolation is usually the fastest and least disruptive method: the host stays powered on with memory intact, and it remains reachable from the console for triage. It depends on a healthy agent, so confirm in the console that containment actually applied and that the beaconing stopped; an attacker with SYSTEM privileges may have tampered with the sensor.


Network Isolation (Switch/Firewall Level)

Used when:

  • Endpoint has no EDR

  • EDR failed to isolate

  • Malware is attacking network services

Techniques

Port Shutdown (Cisco IOS example)

Find the port the host is on first, then shut it:

show mac address-table address <MAC>
configure terminal
interface GigabitEthernet0/12
shutdown

MAC-Based Blocking

mac address-table static <MAC> vlan <ID> drop

(Older IOS releases spell it mac-address-table.) A static drop entry discards frames to and from that MAC on the VLAN. It is defeated by an attacker who changes the MAC, so pair it with the port shutdown where possible.

Firewall Rules

Block system by:

  • IP address

  • MAC address

  • VLAN assignment

Example (Linux gateway/firewall, iptables):

iptables -I FORWARD -s <ip> -j DROP
iptables -I FORWARD -d <ip> -j DROP

Traffic passing through a Linux firewall is matched in the FORWARD chain; INPUT and OUTPUT only see traffic to and from the firewall itself, so an OUTPUT rule with -s <ip> never matches the compromised host. Use -I rather than -A so the drop lands above any existing ACCEPT rule, in particular above a state-tracking accept; if it cannot go above that rule, also delete the host's conntrack entries (conntrack -D -s <ip>) so sessions that were already established do not keep flowing.

VLAN Isolation

Move compromised host to a restricted VLAN:

  • No internet access

  • No internal access

  • Only SOC tools access allowed


Application-Level Isolation

Used for compromised accounts or application-level abuse.

Techniques:

  • Disable session tokens

  • Terminate active sessions

  • Revoke OAuth tokens

  • Block application API keys

  • Lock or disable user accounts temporarily

Example (Microsoft Entra ID):

Revoke-AzureADUserAllRefreshToken -ObjectId <user>

or, with Microsoft Graph PowerShell (the AzureAD module is retired):

Revoke-MgUserSignInSession -UserId <user>

This invalidates refresh tokens and session cookies, so no new access tokens can be obtained. Access tokens already issued stay valid until they expire (by default roughly an hour), so revocation is paired with disabling the account rather than used on its own.

Identity Isolation (Account Containment)

If the attacker is using stolen credentials, isolate the identity, not just the endpoint; otherwise they simply sign in again from another host.

Actions:

  • Force password reset

  • Disable the compromised account

  • Remove from privileged groups

  • Block external login attempts

  • Terminate login sessions

Example (Windows AD):

net user <username> /active:no /domain

or, with the ActiveDirectory module:

Disable-ADAccount -Identity <username>

Without /domain, net user only changes the local SAM of the machine it runs on. Disabling the account does not invalidate Kerberos tickets the attacker already holds (a TGT is valid for 10 hours by default), so follow up with a password reset and terminate the account's existing sessions on the hosts it touched.

Server Isolation (Critical Infrastructure)

Used for domain controllers, file servers, mail servers, or Linux systems.

Linux Isolation (Network Lockdown)

ip link set eth0 down

or

nmcli device disconnect eth0

(ifconfig is deprecated on current distributions; nmcli connection down expects a connection profile name, not an interface name.) Taking the interface down also cuts the SOC's own access to the box, so unless it can be reached out-of-band prefer a host firewall ruleset that allows only the SOC collector. Do not power the system off: memory is lost.

Windows Server Isolation

netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="SOC In" dir=in action=allow remoteip=<soc_ip>
netsh advfirewall firewall add rule name="SOC Out" dir=out action=allow remoteip=<soc_ip>

Set the default policy to block rather than adding a "block all" rule: in Windows Defender Firewall an explicit block rule beats every allow rule, so a block-all rule would also cut the EDR and remote-forensics channel.
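The host lockdown and gateway quarantine above, carried through as a reviewable script. This is an added example and not code from the page; it prints the iptables commands rather than running them, the SOC collector address and the host address are assumptions, and the conntrack lines need conntrack-tools installed.

```bash
#!/usr/bin/env bash
# Added example (not from the page): print the iptables commands that lock a
# Linux host down to its SOC collector, or quarantine a host at a Linux gateway.
# The commands are printed, not run, so they can be reviewed and pasted into the
# ticket before being piped to a root shell. The SOC collector address is an
# assumption; conntrack-tools must be installed for the conntrack lines.
set -euo pipefail

# Host lockdown, run on the compromised host itself. Allow rules go in before
# the default policies flip to DROP so an SSH session from the SOC survives.
# There is deliberately no blanket ESTABLISHED rule, and the conntrack table is
# flushed last, so a C2 session that was already open does not live on.
# Repeat with ip6tables if the host has IPv6 connectivity.
host_lockdown_cmds() {
  local soc_ip="$1"
  cat <<EOF
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s ${soc_ip} -j ACCEPT
iptables -A OUTPUT -d ${soc_ip} -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
conntrack -F
EOF
}

# Gateway quarantine, run on a Linux router/firewall in the host's path. A
# dedicated chain is inserted at position 1 of FORWARD so it is evaluated before
# any existing ACCEPT (including a state-tracking accept); -A would land below
# them and might never match. Existing tracked flows for the host are deleted.
gateway_quarantine_cmds() {
  local host_ip="$1" soc_ip="$2"
  cat <<EOF
iptables -N QUARANTINE
iptables -I FORWARD 1 -j QUARANTINE
iptables -A QUARANTINE -s ${host_ip} -d ${soc_ip} -j ACCEPT
iptables -A QUARANTINE -s ${soc_ip} -d ${host_ip} -j ACCEPT
iptables -A QUARANTINE -s ${host_ip} -j DROP
iptables -A QUARANTINE -d ${host_ip} -j DROP
conntrack -D -s ${host_ip}
conntrack -D -d ${host_ip}
EOF
}

# Usage (review first, then apply):
#   host_lockdown_cmds 10.10.0.250
#   host_lockdown_cmds 10.10.0.250 | sudo sh
#   gateway_quarantine_cmds 10.10.4.17 10.10.0.250 | sudo sh
```

The ordering is the point: allow the SOC before flipping the policies, insert the gateway chain at the top of FORWARD, and clear conntrack last so nothing the attacker already had open survives on state alone.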

Cloud Workload Isolation

Used when cloud VMs or containers show malicious activity.

AWS Isolation Techniques

  • Replace every security group on the instance with an isolation group (no inbound, egress only to the SOC collector)

  • Remove public IP

  • Disassociate the IAM instance profile

  • Block outbound traffic

Example (AWS CLI):

aws ec2 modify-instance-attribute --instance-id i-12345678 --groups <isolation-sg-id>

This changes only the primary network interface; for instances with additional ENIs run aws ec2 modify-network-interface-attribute --network-interface-id <eni-id> --groups <isolation-sg-id> on each one. Security group changes do not necessarily interrupt connections that are already tracked, so when an active C2 session must be cut immediately add a deny entry to the subnet's network ACL, which is stateless. Detaching the instance profile stops the metadata service issuing new role credentials; credentials already stolen stay valid until they expire, so also attach a deny policy to the role conditioned on aws:TokenIssueTime (what the console's "Revoke active sessions" does).

Azure Isolation Techniques

  • Add deny-all inbound and outbound NSG rules at the highest priority (deleting custom rules is not enough: the default rules still allow outbound to the Internet)

  • Attach the quarantine NSG to the NIC, or move the NIC to a quarantine subnet

  • Enable Just-In-Time VM access so management ports stay closed unless explicitly requested
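The AWS and Azure steps above as one reviewable script. This is an added example, not code from the page: the isolation security group and quarantine NSG are assumed to exist already, the resource ids in the usage lines are placeholders, and every mutating call goes through a small run() wrapper that only prints the command when DRY_RUN=1.

```bash
#!/usr/bin/env bash
# Added example (not from the page): quarantine a cloud VM with the AWS and Azure
# CLIs. Every mutating call goes through run(), which only prints the command
# when DRY_RUN=1, so the plan can be reviewed before it touches production. The
# isolation security group and quarantine NSG are assumed to exist already
# (typical IR playbooks pre-build an empty group per VPC/VNet), and the
# resource ids used in the usage lines are placeholders.
set -euo pipefail

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# AWS. Arguments: instance id, isolation security group id, the instance
# profile association id ("-" if the instance has no role), then every ENI id
# of the instance: modify-instance-attribute --groups only touches the primary
# ENI, so each interface is changed explicitly. List them with:
#   aws ec2 describe-instances --instance-ids <id> \
#     --query 'Reservations[].Instances[].NetworkInterfaces[].NetworkInterfaceId' --output text
isolate_ec2() {
  local instance="$1" sg="$2" assoc="$3"; shift 3
  run aws ec2 create-tags --resources "$instance" --tags Key=IR-Status,Value=Quarantined
  local eni
  for eni in "$@"; do
    run aws ec2 modify-network-interface-attribute --network-interface-id "$eni" --groups "$sg"
  done
  # Stop the metadata service from handing out fresh role credentials.
  if [ "$assoc" != "-" ]; then
    run aws ec2 disassociate-iam-instance-profile --association-id "$assoc"
  fi
  # Containment first, then evidence: snapshot every attached volume.
  run aws ec2 create-snapshots --instance-specification "InstanceId=${instance}" \
      --description "IR quarantine ${instance}"
}

# Azure. Deleting custom NSG rules is not enough: the default rules still allow
# outbound to the Internet. So: allow the SOC collector at priority 90, deny
# everything else at priority 100 (lower number wins) in both directions, then
# bind the NSG to the VM's NIC.
isolate_azure_vm() {
  local rg="$1" nsg="$2" nic="$3" soc_ip="$4"
  run az network nsg rule create -g "$rg" --nsg-name "$nsg" -n Quarantine-Allow-SOC-In \
      --priority 90 --direction Inbound --access Allow --protocol '*' \
      --source-address-prefixes "$soc_ip" --destination-port-ranges '*'
  run az network nsg rule create -g "$rg" --nsg-name "$nsg" -n Quarantine-Allow-SOC-Out \
      --priority 90 --direction Outbound --access Allow --protocol '*' \
      --destination-address-prefixes "$soc_ip" --destination-port-ranges '*'
  local dir
  for dir in Inbound Outbound; do
    run az network nsg rule create -g "$rg" --nsg-name "$nsg" -n "Quarantine-Deny-${dir}" \
        --priority 100 --direction "$dir" --access Deny --protocol '*' \
        --source-address-prefixes '*' --destination-address-prefixes '*' \
        --destination-port-ranges '*'
  done
  run az network nic update -g "$rg" -n "$nic" --network-security-group "$nsg"
}

# Usage: review the plan, then run it for real.
#   DRY_RUN=1 isolate_ec2 i-0abc12345 sg-0isolate99 iip-assoc-0123 eni-0aaa eni-0bbb
#   isolate_ec2 i-0abc12345 sg-0isolate99 iip-assoc-0123 eni-0aaa eni-0bbb
#   DRY_RUN=1 isolate_azure_vm ir-rg quarantine-nsg vm1-nic 10.10.0.250
```

On AWS, tracked connections may survive the security group swap, so pair this with a network ACL deny when a live session must drop at once; on Azure the explicit deny rules matter because the built-in AllowInternetOutBound rule is never removed, only out-prioritised.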


Container and Kubernetes Isolation

Steps:

  • Apply a deny-all NetworkPolicy to the pod (a pod cannot be moved to another namespace; network policy is how it is cut off in place)

  • Block the pod's outbound traffic, DNS included

  • Revoke the pod's service account credentials (delete the legacy token Secret, or delete and recreate the ServiceAccount, since bound tokens are checked against the ServiceAccount's UID)

  • Keep the container running, or pause it, rather than deleting it: deleting the pod destroys its writable layer and memory

Example (Kubernetes, node level):

kubectl cordon <node>
kubectl taint node <node> quarantine=true:NoSchedule

cordon and the NoSchedule taint only stop new pods landing on the node; they do not isolate pods already running there. Pod-level containment needs a NetworkPolicy, and NetworkPolicy is only enforced when the cluster's CNI supports it.
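Pod-level quarantine in place, as an added example that is not from the page. It assumes a CNI that enforces NetworkPolicy (Calico, Cilium and similar); the label key the pod's Service and ReplicaSet select on is passed in and is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the page): quarantine a single pod where it runs.
# Assumes a CNI that enforces NetworkPolicy; on a CNI without policy support
# the object is accepted by the API server and silently does nothing, so check
# enforcement before relying on it. Label keys are assumptions.
set -euo pipefail

# Deny-all policy for pods carrying quarantine=true. Listing both policyTypes
# with no ingress/egress rules blocks every direction, DNS included.
quarantine_policy() {
  local ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: quarantine-deny-all
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      quarantine: "true"
  policyTypes:
  - Ingress
  - Egress
EOF
}

# Quarantine one pod. selector_key is the label its Service and ReplicaSet
# select on (often "app"). Removing that label pulls the pod out of the Service
# endpoints and orphans it from its ReplicaSet, which schedules a clean
# replacement while the suspect pod keeps running for forensics.
quarantine_pod() {
  local ns="$1" pod="$2" selector_key="$3"
  # Preserve the pod spec and recent logs before changing anything.
  kubectl -n "$ns" get pod "$pod" -o yaml > "evidence-${pod}.yaml"
  kubectl -n "$ns" logs "$pod" --all-containers --timestamps > "evidence-${pod}.log" || true
  # Policy first, then the label that puts the pod under it.
  quarantine_policy "$ns" | kubectl apply -f -
  kubectl -n "$ns" label pod "$pod" "${selector_key}-" quarantine=true --overwrite
}

# Usage:
#   quarantine_pod payments payments-api-7d9f6-x2kq1 app
```

After applying, verify from inside the pod that a connection attempt to any address now times out; if it still succeeds, the CNI is not enforcing policy and node-level or external containment is needed instead.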

Email Isolation (Phishing Incidents)

When malicious emails circulate:

  • Block domain sender

  • Quarantine emails in all inboxes

  • Quarantine the malicious attachments

  • Add a transport rule so further copies are not delivered

Microsoft 365 example (Security & Compliance PowerShell; the search must be created with New-ComplianceSearch and completed with Start-ComplianceSearch before it can be purged):

New-ComplianceSearchAction -SearchName "PhishSweep" -Purge -PurgeType SoftDelete

SoftDelete moves the items to the users' Recoverable Items folder, which keeps them available for the investigation; HardDelete removes them permanently. A purge action removes at most 10 items per mailbox per run, so large campaigns need repeated runs or a narrower search.

SOC Isolation Workflow

A consistent workflow ensures no mistakes and preserves forensic artifacts.

Step 1 — Confirm malicious behavior

Validate with SIEM, EDR, threat intel.

Step 2 — Determine isolation type

Endpoint, user, network, cloud, or application.

Step 3 — Execute isolation

Using EDR, firewall, or cloud platform.

Step 4 — Validate isolation

Check:

  • No outbound traffic

  • No inbound communication

  • Host still visible to IR tools
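Step 4 turned into a check an analyst can run on the box. This is an added example, not code from the page: it reads the host's established connections and flags any peer that is not on the SOC allowlist. The sample ss output is constructed for the example, and the format assumed is that of ss -Htn state established (no header, peer address in the fourth column).

```bash
#!/usr/bin/env bash
# Added example (not from the page): confirm isolation took effect by checking
# the host's live connection table against the SOC allowlist. Input is the
# output of `ss -Htn state established` (no header, peer address in column 4;
# without the state filter a State column comes first). The sample below is
# constructed for this example.
set -euo pipefail

# A host whose block rules were appended below an existing ACCEPT rule: the
# SOC collector session (10.10.0.250) is fine, the other two are not.
SAMPLE_SS='0      0      10.10.4.17:49812   203.0.113.44:443
0      0      10.10.4.17:49900   10.10.0.250:8443
0      0      10.10.4.17:445     10.10.4.88:51022'

# Print every established peer that is not in the allowlist; exit 1 if any.
# Usage: ss -Htn state established | stray_flows <soc-ip> [<soc-ip> ...]
stray_flows() {
  awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 4 {
      peer = $4; sub(/:[0-9]+$/, "", peer)   # drop the port, keep the address
      if (!(peer in ok)) { print $4; stray = 1 }
    }
    END { if (stray) exit 1 }'
}

# Wrapper an analyst runs on the box: prints a verdict and returns it.
verify_isolation() {
  if ss -Htn state established | stray_flows "$@"; then
    echo "ISOLATED: only allowlisted peers"
  else
    echo "NOT ISOLATED: stray flows listed above"
    return 1
  fi
}

# Offline demonstration against the constructed sample:
#   printf '%s\n' "$SAMPLE_SS" | stray_flows 10.10.0.250
# prints 203.0.113.44:443 and 10.10.4.88:51022 and returns 1.
```

A stray flow after isolation usually means the rule landed below an existing accept or the EDR containment never applied; the check is cheap enough to run again after every corrective step.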

Step 5 — Notify stakeholders

SOC, IR, IT, security leads.

Step 6 — Begin forensic triage

Memory capture, process analysis, detection review.

Step 7 — Continue with remediation

Patching, malware removal, password reset, configuration changes.


Practical Isolation Scenarios

Scenario 1 — Ransomware Execution Detected

Actions:

  • Isolate endpoint via EDR

  • Block compromised user account

  • Disconnect shared drives

  • Begin memory forensics

Scenario 2 — Cobalt Strike Beacon

Actions:

  • Block outbound IP/FQDN

  • Isolate host

  • Dump process memory

  • Search for lateral movement

Scenario 3 — Credential Theft on Server

Actions:

  • Disable privileged account

  • Isolate server NIC

  • Begin LSASS analysis

Scenario 4 — Cloud VM Beaconing Outbound

Actions:

  • Move VM to restricted security group

  • Block outbound internet

  • Capture disk snapshot


Intel Dump

  • Isolation stops attacks instantly by cutting communication and preventing spread.

  • Isolation types include endpoint, network, cloud, identity, application, and container isolation.

  • EDR isolation is fastest: blocks all traffic except to SOC tools.

  • Network isolation uses switch shutdowns, firewall blocks, and VLAN changes.

  • Identity isolation stops credential-based intrusions.

  • Cloud isolation uses security groups, subnets, and token revocation.

  • Isolation is followed by forensic triage and full remediation.
