Microsoft Automatic Attack Disruption in Defender 365
Earlier this week, Microsoft announced automatic attack disruption capabilities in Microsoft 365 Defender. Its enterprise defense suite will now help organizations disrupt business email compromise and human-operated ransomware attacks.
The signals on which Microsoft 365 Defender takes automated disruption actions are gathered from endpoints, identities, email, collaboration, and SaaS apps. They are then aggregated and automatically analyzed, and acted upon only if a high level of confidence is established.
Automatic attack disruption operates in 3 key stages:
- Detect malicious activity and establish high confidence
- Classify the scenario and identify the assets controlled by the attacker
- Trigger automatic response actions using the Microsoft 365 Defender protection stack to contain the active attack
In the current public preview, the automatic attack disruption capabilities include:
- Suspending the account in Active Directory and Azure AD of the user delivering the attack.
- Containing devices to prevent them from communicating with the compromised machine.
- Automated actions taken are clearly flagged in the dashboard and can be reverted from the Microsoft 365 Defender portal.
Security teams can customize the configuration for automatic attack disruption. Also, to ensure that automatic actions don’t negatively impact the health of a network, Microsoft 365 Defender automatically tracks and refrains from containing network-critical assets, and has built client-side fail-safe mechanisms into the containment lifecycle.
According to a research report, the average time to complete a ransomware attack dropped from 60 days to less than 4 days, and the rate at which attackers target employees via compromised email accounts and by exploiting existing email threads has doubled.