
At last year’s Ignite conference, Microsoft promoted a feature of 365 Defender that can automatically identify and disrupt a cyberattack while it is happening, with the goal of stopping or at least minimizing the harm. Now the feature is expanding to cover other types of attacks.

Designed for corporate security operations centers (SOCs), the automatic attack disruption feature uses millions of data points and signals to detect active malware campaigns, such as ransomware. It then automatically isolates the device under attack from the network and suspends accounts compromised by the attackers.

Business email compromise (BEC) and human-operated ransomware (HumOR) attacks are now included in the public preview of the automatic attack disruption capability from the software and cloud services giant.

Microsoft’s senior product manager, Eyal Haik, explained that Microsoft 365 Defender’s automatic attack disruption capabilities help mitigate the damage done by “common attack scenarios” such as business email compromise and human-operated ransomware campaigns.

Criminals launching BEC attacks specifically target businesses, using social engineering to trick employees into unwittingly downloading malware, demanding payment from suppliers, or wiring money to an attacker-controlled account.

According to an FBI estimate from 2017, BEC attacks cost businesses around $43.3 billion worldwide between 2016 and 2021.

In a HumOR attack, in contrast to automated ransomware operations, criminals get access to a company’s on-premises systems or cloud infrastructure, gain administrative access, spread laterally, and release ransomware at scale. Credential theft and ransomware deployment are two methods used in these attacks; however, the targets are entire organizations rather than individual devices.

Time is short

Microsoft 365 Defender now features automatic attack disruption because cyberattacks continue to rise in number, speed, and sophistication. It’s not uncommon for attacks to be well under way before security personnel are able to even notice them, let alone halt them.

Microsoft has discovered that a SOC analyst has less than 20 minutes to mitigate an attack once ransomware has been deployed in a network. The time from an employee clicking on a phishing link to an attacker having full access to the user’s email and moving laterally through the network can be less than two hours.

Manually responding within such a short window “is nearly impossible due to the high technical skills and time required to perform the analysis,” as stated by Haik.

Microsoft 365 Defender uses artificial intelligence (AI)-based detection capabilities to correlate extended detection and response (XDR) signals across endpoints, identities, email, and SaaS services, thereby identifying cyberattacks. Analyses can also be performed to determine whether a product has been tampered with if credentials have been stolen.

These detections set off the automatic attack disruption feature, which locks out the compromised accounts in Active Directory and Azure Active Directory and isolates the devices so that they can’t communicate with a compromised machine.

In an article published in October 2022 in anticipation of Ignite, Microsoft explained the necessity of automation in bringing SOC teams’ skills to bear across today’s complex, distributed, and heterogeneous ecosystems.

A yellow banner at the top of the page indicates the automatic action that was taken, and an incident graph displays the status of an asset, such as an account being disabled or a device being contained, so that system administrators can see what’s going on.

The Microsoft 365 Defender Portal also allows security teams to modify the settings for automatic attack disruption and apply new actions.
