Microsoft Announce New Features to Defender for Endpoint

Disrupt Human-Operated Attacks Early by Containing Users

Defenders need every edge they can get in the fight against ransomware. To help combat the risk, Microsoft have announced that Microsoft Defender for Endpoint customers will now be able to automatically disrupt human-operated attacks like ransomware early in the kill chain without needing to deploy any other capabilities. Now, organisations only need to onboard their devices to Defender for Endpoint to start realising the benefits of attack disruption, bringing this extended detection and response (XDR) AI-powered capability within reach of even more customers.

Automatic attack disruption uses signal across the Microsoft 365 Defender workloads (identities, endpoints, email, and software as a service [SaaS] apps) to disrupt advanced attacks with high confidence. If the beginning of a human-operated attack is detected on a single device, attack disruption simultaneously stops the campaign on that device and inoculates every other device in the organisation. The adversary then has nowhere to go.

Attack disruption achieves this outcome by containing compromised users across all devices, outmanoeuvring attackers before they have the chance to act maliciously: using the account to move laterally, stealing further credentials, exfiltrating data, or encrypting remotely. This on-by-default capability identifies whether the compromised user has any associated activity on any other endpoint and immediately cuts off all inbound and outbound communication for that user, essentially containing them. Even if the user holds the highest permission level and would normally sit outside a security control's purview, the attacker is still restricted from accessing any device in the organisation. As a result of this decentralised protection, attack disruption has saved 91 percent of targeted devices from encryption attempts.1

Until now, detecting these campaigns early has posed significant challenges for security teams, since adversaries typically perform activities disguised as normal user behaviour. And while other vendors may detect these attack techniques, only Microsoft 365 Defender can automatically disrupt them around the clock, even when your security team is offline. Backed by Microsoft's breadth of signal and deep user behavioural analysis, security teams now have a robust new tool to stop sophisticated ransomware attackers at scale.

This capability has been quietly disrupting attacks for real organisations since 2022. For example, in August 2023, hackers compromised the devices of a medical research lab. With lives and millions of dollars in research at stake, the potential reward for encrypting the devices and demanding a ransom was high. During the hands-on-keyboard attack, the hackers manually executed commands and used remote desktop protocol to connect to one of the organisation's SQL servers. From there, they performed credential dumping, the first step in trying to access 55 other devices in the network. They were unaware that connecting to the SQL server would be the last step in their ransomware campaign: they were immediately shut out from accessing any of the lab's devices, and the security analysts didn't even have to lift a finger.
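As an added illustration (not Microsoft's code, and not the Defender for Endpoint implementation), the Python below models the mechanism described above and the lab case in one runnable piece: a rule that flags an account when a credential-dump indicator follows a remote logon to the same host, the expansion of that finding to every endpoint where the account is active, and a device-side check that refuses the contained account's traffic. The event names, hosts, accounts and the 30-minute window are this example's own assumptions, and the telemetry is constructed.

```python
from datetime import datetime, timedelta

# Event types that mark a hands-on-keyboard operator arriving on a host
# (the RDP hop to the SQL server in the lab case) and then touching
# credentials. Names are this example's own, not Defender's schema.
REMOTE_LOGONS = {"rdp_logon", "network_logon"}
CREDENTIAL_DUMP = {"lsass_access"}
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample telemetry: (timestamp, host, account, event_type).
# Hosts and accounts are hypothetical.
EVENTS = [
    ("2023-08-14T02:10:00", "sql01", "CORP\\svc_backup", "rdp_logon"),
    ("2023-08-14T02:11:30", "sql01", "CORP\\svc_backup", "lsass_access"),
    ("2023-08-14T02:12:00", "fs02", "CORP\\svc_backup", "network_logon"),
    ("2023-08-14T02:12:05", "ws-lab-17", "CORP\\svc_backup", "network_logon"),
    # A local admin whose tooling touches LSASS after a console logon:
    # same indicator, but no remote logon preceded it on that host.
    ("2023-08-14T02:05:00", "ws-lab-03", "CORP\\jdoe", "interactive_logon"),
    ("2023-08-14T02:13:00", "ws-lab-03", "CORP\\jdoe", "lsass_access"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def detect_compromised_accounts(events, window=WINDOW):
    """Return {account: (host, time)} for every account that produced a
    credential-dump indicator on a host within `window` of remotely
    logging on to that same host. This is the 'beginning of a
    human-operated attack' reduced to a single correlation rule."""
    last_remote = {}  # (host, account) -> time of latest remote logon
    hits = {}
    for ts, host, account, etype in sorted(events, key=lambda e: _ts(e[0])):
        t = _ts(ts)
        if etype in REMOTE_LOGONS:
            last_remote[(host, account)] = t
        elif etype in CREDENTIAL_DUMP and account not in hits:
            logon = last_remote.get((host, account))
            if logon is not None and t - logon <= window:
                hits[account] = (host, t)
    return hits


def endpoints_with_activity(events, account):
    """Every host where the account has any recorded activity: the
    devices on which existing sessions must be cut, not only the host
    where the indicator fired."""
    return sorted({host for _, host, acct, _ in events if acct == account})


def build_containment(events, window=WINDOW):
    """Map each compromised account to the host where detection fired
    and the full set of endpoints on which to contain it."""
    policy = {}
    for account, (host, when) in detect_compromised_accounts(events, window).items():
        policy[account] = {
            "detected_on": host,
            "detected_at": when.isoformat(),
            "contain_on": endpoints_with_activity(events, account),
        }
    return policy


def connection_allowed(policy, onboarded, src_host, dst_host, account):
    """Check a device applies to a new connection in either direction.
    A contained account is refused on every onboarded device, including
    ones it has not touched yet, so the adversary cannot pivot to a
    fresh host. Enforcement lives on the endpoint, so a connection whose
    two ends are both un-onboarded devices cannot be blocked here."""
    if account not in policy:
        return True
    return src_host not in onboarded and dst_host not in onboarded


if __name__ == "__main__":
    for account, entry in build_containment(EVENTS).items():
        print(f"contain {account}: detected on {entry['detected_on']}, "
              f"cut sessions on {entry['contain_on']}")
```

The last function is the practical caveat behind "organisations only need to onboard their devices": the block is enforced by each device, so a host that is not onboarded neither cuts the session nor refuses the next one.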

This research lab was just one of a handful of Microsoft customers involved in the preview of this industry-first capability. Since August 2023, more than 6,500 devices have been spared encryption from ransomware campaigns executed by hacker groups including BlackByte and Akira, and even red teams for hire.1

Automatic attack disruption levels the playing field

Ransomware is one of the most common human-operated attacks organisations face. In 2022, there were nearly 236.7 million ransomware attacks worldwide, with the projected cost rising to USD 265 billion annually by 2031.2 With the increasing volume and impact of attacks like ransomware, security analysts need the sophisticated automation of previously manual responses that attack disruption offers in order to scale their defences effectively.

To help defenders on this asymmetrical battlefield, in November 2022 Microsoft 365 Defender introduced automatic attack disruption: an industry-first capability that stops attacks at machine speed by correlating cross-domain signal into one high-fidelity incident. Combined with automated incident and response capabilities, Microsoft 365 Defender is the only XDR platform that protects against ransomware attacks at both the organisational and the device level.

In addition to ransomware, attack disruption covers the most prevalent complex attacks, including business email compromise and adversary-in-the-middle (where communication is intercepted between two users or devices). These scenarios each involve a combination of attack vectors, such as endpoints, email, identities and apps, which makes it a significant challenge for security teams to pinpoint where the attack is coming from. Most security vendors lack the high-fidelity signal to accurately identify whether an attack is even happening, let alone take disruption actions. Automatic attack disruption solves this problem by confidently detecting and disrupting at the attack source, giving defenders time to respond before the adversary can inflict damage.

1 Microsoft internal data.

2 100+ Ransomware Attack Statistics 2023, Astra. August 4, 2023.