Member
- Joined
- Oct 14, 2023
- Messages
- 225
- Thread Author
- #1
This option is several steps ahead of hackers and leaves them no chance to attack.
Microsoft introduced a new Defender for Endpoint feature called "Contain User" to automatically interrupt attacks, which isolates compromised user accounts and blocks lateral movement in hands-on-keyboard attacks. The new option is available in the public preview version.
In incidents such as ransomware attacks, attackers break into networks, perform Lateral Movement (Lateral Movement) after privilege escalation using stolen accounts, and deploy malicious loads.
Displaying an isolated user in the Microsoft Defender control Panel
According to Microsoft representatives, Defender for Endpoint now prevents cybercriminals from trying to break into victims ' on-premises or cloud IT infrastructure by temporarily isolating compromised user accounts (so-called "suspicious identities") that hackers can use to achieve their goals, including lateral movement, credential theft, data exfiltration, etc. remote file encryption.
The function will be active by default and will detect if the compromised user has any communication with another endpoint, and immediately terminate all incoming and outgoing connections between them.
According to Microsoft, when the initial stages of an attack are detected on an endpoint using Microsoft 365 Defender, the automatic attack abort feature will block the attack on that device. At the same time, Defender for Endpoint "grafts" all other devices in the organization, blocking incoming malicious traffic, while allowing legitimate traffic, leaving no chance for attackers to attack. When the device is isolated, information security specialists get additional time to identify, identify and eliminate the threat.
Recall that in June 2022, Microsoft introduced the Defender for Endpoint feature, which isolates compromised Windows devices. After the computer is marked as isolated, MDE will block all connections and data exchange with the device on the network. If a cybercriminal changes the computer's IP address, all registered devices will block communication even with the new IP address.
Microsoft introduced a new Defender for Endpoint feature called "Contain User" to automatically interrupt attacks, which isolates compromised user accounts and blocks lateral movement in hands-on-keyboard attacks. The new option is available in the public preview version.
In incidents such as ransomware attacks, attackers break into networks, perform Lateral Movement (Lateral Movement) after privilege escalation using stolen accounts, and deploy malicious loads.
Displaying an isolated user in the Microsoft Defender control Panel
According to Microsoft representatives, Defender for Endpoint now prevents cybercriminals from trying to break into victims ' on-premises or cloud IT infrastructure by temporarily isolating compromised user accounts (so-called "suspicious identities") that hackers can use to achieve their goals, including lateral movement, credential theft, data exfiltration, etc. remote file encryption.
The function will be active by default and will detect if the compromised user has any communication with another endpoint, and immediately terminate all incoming and outgoing connections between them.
According to Microsoft, when the initial stages of an attack are detected on an endpoint using Microsoft 365 Defender, the automatic attack abort feature will block the attack on that device. At the same time, Defender for Endpoint "grafts" all other devices in the organization, blocking incoming malicious traffic, while allowing legitimate traffic, leaving no chance for attackers to attack. When the device is isolated, information security specialists get additional time to identify, identify and eliminate the threat.
Recall that in June 2022, Microsoft introduced the Defender for Endpoint feature, which isolates compromised Windows devices. After the computer is marked as isolated, MDE will block all connections and data exchange with the device on the network. If a cybercriminal changes the computer's IP address, all registered devices will block communication even with the new IP address.