October 11, 2023 at 02:46PM
Microsoft Defender for Endpoint now has a new feature called ‘contain user’ in public preview that helps prevent lateral movement in hands-on-keyboard attacks. It isolates compromised user accounts to disrupt attacks and prevent malicious actions such as credential theft and data exfiltration. The feature has been effective in protecting thousands of devices from ransomware attacks since August 2023.
The ‘contain user’ capability is particularly important in incidents involving human-operated ransomware, where threat actors infiltrate networks, escalate privileges through stolen accounts, and deploy malicious payloads; containing the compromised account interrupts that chain before the payload stage.
The attack disruption feature works by temporarily isolating compromised user accounts across all devices, preventing attackers from acting maliciously or moving laterally within victims’ on-premises or cloud IT infrastructure. It cuts off all inbound and outbound communication associated with the compromised user, minimizing the impact of the attack.
When an initial stage of a human-operated attack is detected on an endpoint, Microsoft Defender for Endpoint’s automated attack disruption feature will block the attack on that particular device. Additionally, it will protect other devices within the organization by blocking incoming malicious traffic, leaving attackers with no further targets.
By containing compromised identities, security operations analysts gain more time to locate, identify, and remediate the threat. Since its introduction in November 2022, Microsoft 365 Defender XDR’s automatic attack disruption capability has helped prevent encryption by ransomware campaigns and stopped lateral movement across compromised networks.
It’s worth noting that Microsoft Defender for Endpoint has been capable of isolating hacked and unmanaged Windows devices since June 2022 to prevent malicious actors from moving laterally through victims’ networks.