Microsoft Defender for Endpoint now uses automatic attack disruption to isolate compromised user accounts and block lateral movement in hands-on-keyboard attacks with the help of a new ‘contain user’ capability in public preview.
In such incidents, like those involving human-operated ransomware, threat actors infiltrate networks, move laterally after escalating privileges via stolen accounts, and deploy malicious payloads.
According to Microsoft, Defender for Endpoint now prevents attackers’ lateral movement attempts within victims’ on-premises or cloud IT infrastructure by temporarily isolating the compromised user accounts (aka suspicious identities) they might exploit to achieve their objectives.
“Attack disruption achieves this outcome by containing compromised users across all devices to outmaneuver attackers before they have the chance to act maliciously, such as using accounts to move laterally, performing credential theft, data exfiltration, and encrypting remotely,” said Rob Lefferts, Corporate Vice President for Microsoft 365 Security.
“This on-by-default capability will identify if the compromised user has any associated activity with any other endpoint and immediately cut off all inbound and outbound communication, essentially containing them.”
According to Microsoft, when the initial stages of a human-operated attack are detected on an endpoint using signals from various Microsoft 365 Defender workloads (including identities, endpoints, email, and SaaS apps), the automated attack disruption feature will block the attack on that device.
Simultaneously, Defender for Endpoint will also “innoculate” all other devices within the organization by blocking incoming malicious traffic, leaving the attackers with no further targets.
“When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic,” Redmond explains in a support document.
“This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity.”
Microsoft added automatic attack disruption to its Microsoft 365 Defender XDR (Extended Detection and Response) solution in November 2022 during its annual Microsoft Ignite conference for developers and IT professionals.
The capability helps contain in-progress attacks and isolate affected assets automatically by limiting lateral movement across compromised networks.
“Since August 2023, more than 6,500 devices have been spared encryption from ransomware campaigns executed by hacker groups including BlackByte and Akira, and even red teams for hire,” according to Microsoft’s internal data.
Defender for Endpoint is also capable of isolating hacked and unmanaged Windows devices since June 2022, stopping malicious actors from moving laterally through victims’ networks by blocking all communication to and from the compromised devices.