Thanks to an update, Microsoft Defender for Endpoint is now able to isolate the accounts of compromised users with a sort of “containment system”.
This new feature, available in public preview, may prove essential in the fight against ransomware and other potential malware campaigns. Once a device has been compromised, threat actors tend to move “laterally” through the corporate environment (both local computers and cloud), distributing harmful payloads across multiple platforms.
According to Rob Lefferts, Corporate Vice President of Microsoft 365 Security, “Attack Disruption achieves this by containing compromised users on all devices to defeat attackers before they have a chance to act maliciously, such as using accounts to move laterally, performing credential theft, data exfiltration and remote encryption”.
Lefferts then added that “This feature, enabled by default, will identify if the compromised user has any activity associated with any other endpoint and will immediately shut down all incoming and outgoing communications, essentially containing them”.
Microsoft Defender for Endpoint works by isolating the affected platform and “alerting” the others present in the network
In addition to containing the infected device, Defender for Endpoint will also act on all other devices on the network, blocking incoming malicious traffic from other workstations.
According to the experts, “This action can significantly help reduce the impact of an attack. When an identity is contained, security operations analysts have more time to locate, identify and remediate the threat to the compromised identity”.
Microsoft added automatic attack disruption to its Microsoft 365 Defender XDR (Extended Detection and Response) solution in November 2022, during Microsoft Ignite, its annual conference for developers and IT professionals.
This move looks set to put cybercriminals in difficulty, although, as has happened several times in the past, it cannot be ruled out that they will soon find a new countermeasure.