Microsoft has strengthened its security controls by automatically isolating compromised user accounts. The aim is to stop attackers from moving laterally within an enterprise's IT infrastructure, a response to the rising number of ransomware incidents in which intruders break into a network, escalate privileges using stolen accounts, and then deploy their payloads.
Defender for Endpoint to Outmaneuver Attackers
The upgraded security feature has been incorporated into Microsoft Defender for Endpoint in public preview. Rob Lefferts, Corporate Vice President for Microsoft 365 Security, stated, “This on-by-default capability will identify if the compromised user has any associated activity with any other endpoint and immediately cut off all inbound and outbound communication, essentially containing them.”
With Microsoft Defender for Endpoint, attackers are prevented from pushing further into a victim's on-premises or cloud IT architecture. The isolation works by temporarily containing accounts that are suspected of being compromised. The attack disruption feature enforces this containment across all devices, blocking malicious activity carried out with the compromised accounts, such as lateral movement, credential theft, data exfiltration, and encryption.
Attacks and Isolations: Microsoft's Response
This is backed by an automated attack disruption feature that acts against the early stages of a human-operated attack once it is detected on an endpoint. At the same time, the tool extends protection to every device in the organization by blocking incoming malicious traffic.
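To make the containment model described in the two paragraphs above concrete, here is an added example, not Microsoft's code or any real Defender for Endpoint API: a toy policy engine that watches constructed logon and file-access events, flags an account as compromised when it authenticates to an unusual number of hosts within a short window (a simple lateral-movement heuristic, an assumption standing in for Defender's own detections), and from that moment refuses the account on every device, alongside the older per-device isolation. Host names, user names, thresholds and event labels are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One observed action on an endpoint (constructed telemetry, not a real schema)."""
    ts: int          # seconds since start of the trace
    host: str        # endpoint the event was observed on
    user: str        # account performing the action
    action: str      # "logon", "smb_write", "file_read", ...
    direction: str   # "inbound" to the host or "outbound" from it


@dataclass
class ContainmentPolicy:
    """Identity containment plus device isolation, evaluated on every endpoint."""
    fanout_threshold: int = 3   # distinct hosts a user may log on to per window (assumed value)
    window_s: int = 300         # sliding window in seconds (assumed value)
    contained_users: Set[str] = field(default_factory=set)
    isolated_devices: Set[str] = field(default_factory=set)
    _logons: Dict[str, List[Tuple[int, str]]] = field(default_factory=dict)

    def isolate_device(self, host: str) -> None:
        """Block all inbound and outbound traffic for one device."""
        self.isolated_devices.add(host)

    def contain_user(self, user: str) -> None:
        """Refuse the account on every device, not just where it was detected."""
        self.contained_users.add(user)

    def _logon_looks_like_lateral_movement(self, ev: Event) -> bool:
        """Heuristic trigger: too many distinct hosts reached by one account in the window."""
        history = self._logons.setdefault(ev.user, [])
        history.append((ev.ts, ev.host))
        recent_hosts = {h for t, h in history if ev.ts - t <= self.window_s}
        return len(recent_hosts) >= self.fanout_threshold

    def decide(self, ev: Event) -> str:
        """Return the verdict an endpoint would apply to this event."""
        if ev.host in self.isolated_devices:
            return "block:device-isolated"
        if ev.user in self.contained_users:
            return "block:user-contained"
        if ev.action == "logon" and self._logon_looks_like_lateral_movement(ev):
            # Containment is applied at detection time, so the triggering logon is refused too.
            self.contain_user(ev.user)
            return "block:user-contained"
        return "allow"


# Constructed trace: "alice" fans out across three workstations and then tries
# to reach a file server; "bob" behaves normally but one device is isolated.
SAMPLE_EVENTS = [
    Event(0,   "WS01", "alice", "logon",     "inbound"),
    Event(60,  "WS02", "alice", "logon",     "inbound"),
    Event(90,  "WS02", "alice", "smb_write", "outbound"),
    Event(120, "WS03", "alice", "logon",     "inbound"),   # third host in 5 minutes
    Event(150, "FS01", "alice", "smb_write", "inbound"),   # blocked on a host never touched before
    Event(160, "WS01", "alice", "file_read", "outbound"),  # blocked on the original host as well
    Event(170, "WS01", "bob",   "logon",     "inbound"),
    Event(180, "WS04", "bob",   "logon",     "inbound"),   # WS04 is isolated as a device
]


def simulate(events: List[Event], policy: ContainmentPolicy) -> List[Tuple[int, str, str, str]]:
    """Run the policy over a trace and return (ts, host, user, verdict) per event."""
    return [(ev.ts, ev.host, ev.user, policy.decide(ev)) for ev in events]


def demo() -> List[Tuple[int, str, str, str]]:
    policy = ContainmentPolicy()
    policy.isolate_device("WS04")
    return simulate(SAMPLE_EVENTS, policy)


if __name__ == "__main__":
    for ts, host, user, verdict in demo():
        print(f"t={ts:>4}s {host:<5} {user:<6} {verdict}")
```

The point the model makes is the difference between the two controls: device isolation blocks one endpoint regardless of who is using it, while user containment follows the identity, so after the trigger on WS03 the same account is refused on FS01 and even back on WS01, where it had been allowed moments earlier.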
Microsoft's rollout of automatic attack disruption in its Microsoft 365 Defender XDR (Extended Detection and Response) solution has shown solid results. According to Microsoft's internal data, since its introduction in August 2023 more than 6,500 devices have been protected from ransomware campaigns run by groups such as BlackByte and Akira.
Furthermore, since June 2022 Defender for Endpoint has been able to isolate compromised and unmanaged Windows devices, restricting attackers' lateral movement by blocking all communication to and from the affected devices. These measures allow security operations analysts to identify, locate, and remediate threats to compromised identities more efficiently.