Microsoft Defender just got a major security upgrade aimed at quarantining hackers

One of the biggest challenges IT teams face today is identifying when a legitimate user’s account is compromised and preventing it from being used to deploy malware or steal data. With the latest update of Defender for Endpoint, Microsoft wants to help solve that problem.

Currently in public preview, Microsoft Defender for Endpoint includes a new tool called “contain user” that does exactly what it says on the tin: contains a potentially problematic user.

If the tool detects that a user account is behaving ‘suspiciously’, Defender for Endpoint steps in to lock all doors around it, cutting it off from other endpoints and resources. This way, Microsoft hopes, Defender for Endpoint will stop the threat actor before it can do any more damage (for example, by deploying ransomware).

Blocks all traffic

“Attack Disruption achieves this result by stopping compromised users across all devices to outsmart attackers before they have a chance to act maliciously, such as using accounts to move laterally, stealing credentials, exfiltrating data, and encrypting it remotely,” said Rob Lefferts, Corporate Vice President for Microsoft 365 Security, in a blog post.

“Enabled by default, this ability identifies if the affected user has any activity with another endpoint and immediately disconnects all incoming and outgoing communications, essentially containing it.”

While the suspect account is locked, all other endpoints are ‘inoculated’, blocking all incoming malicious traffic. The threat actor will basically have no one to talk to.

“When an identity is established, each supported Microsoft Defender for Endpoint device will block incoming traffic in specific attack-related protocols (network logins, RPC, SMB, RDP) while allowing legitimate traffic,” Microsoft further said.

“This action can significantly help reduce the impact of an attack. When an identity is under control, security operations analysts have additional time to locate, identify and remediate the threat to the compromised identity.”

Through BleepingComputer
