Disrupt Human-Operated Attacks Early by Containing Users
Defenders need every edge they can get in the fight against ransomware. To help combat the risk, Microsoft have announced that Microsoft Defender for Endpoint customers will now be able to automatically disrupt human-operated attacks like ransomware early in the kill chain without needing to deploy any other capabilities. Now, organisations only need to onboard their devices to Defender for Endpoint to start realising the benefits of attack disruption, bringing this extended detection and response (XDR) AI-powered capability within reach of even more customers.
Automatic attack disruption uses signal across the Microsoft 365 Defender workloads (identities, endpoints, email, and software as a service [SaaS] apps) to disrupt advanced attacks with high confidence. Basically, if the beginning of a human-operated attack is detected on a single device, attack disruption will simultaneously stop the campaign on that device and inoculate all other devices in the organisation. The adversary then has nowhere to go.
Attack disruption achieves this outcome by containing compromised users across all devices to outmanoeuvre attackers before they have the chance to act maliciously, such as using accounts to move laterally, performing credential theft, data exfiltration and encrypting remotely. This on-by-default capability will identify if the compromised user has any associated activity with any other endpoint and immediately cut off all inbound and outbound communication, essentially containing them. Even if a user has the highest permission level and would normally be outside a security control’s purview, the attacker will still be restricted from accessing any device in the organisation. As a result of this decentralised protection, attack disruption has saved 91 percent of targeted devices from encryption attempts.1
Until now, detecting these campaigns early posed significant challenges for security teams since adversaries typically perform activities disguised as normal user behaviour. And while other vendors may detect these attack techniques, only Microsoft 365 Defender can automatically disrupt them around the clock even when your security team might be offline. Backed by Microsoft’s breadth of signal and deep user behavioural analysis, security teams now possess a robust new tool to effortlessly stop sophisticated ransomware attackers at scale.