Loading...

Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender

Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender

The ever-growing volume of advanced cybersecurity attacks challenges even the most advanced Security Operations (SOC) teams. Image 1 shows a timeline of a typical human-operated ransomware attack where the attacker encrypted hundreds of devices in just minutes. It demonstrates how quickly threat actors spread and execute attacks and highlights the criticality to quickly identify and contain high-impact attacks to limit the impact to organizations.

 

To help SOC teams address these challenges, we announced automatic attack disruption in Microsoft 365 Defender last year at Microsoft Ignite. This capability uses high-confidence Extended Detection and Response (XDR) signals across endpoints, identities, email, and SaaS apps, to contain active cybersecurity attacks quickly and effectively, to stop progression and limit the impact to your organization.

 

Today, we are excited to announce the expansion of the public preview to cover business email compromise (BEC) campaigns, in addition to human-operated ransomware (HumOR) attacks.

 

Image 1: Timeline device encryption during a human-operated ransomware attackImage 1: Timeline device encryption during a human-operated ransomware attack

 

The impact of automatic attack disruption

Automatic attack disruption is designed to contain attacks in progress by automatically disabling or restricting devices and user accounts used in an attack. Disabling credentials available to the attacker, as well as their ability to use devices that communicate over the network, limits the ability to impact additional assets and gives SOC teams more time to remediate attacks.

Unlike known protection methods such as prevention and blocking based on a single indicator of compromise, attack disruption in Microsoft 365 Defender leverages the breadth of our XDR signal to act at the incident level and takes the entire attack into account.

 

This game-changing capability comes built-in with Microsoft 365 Defender and limits a threat actor’s progress early on - reducing the overall impact of an attack, from associated costs to loss of productivity.

 

 

Tackling advanced attacks

Business email compromise and human-operated ransomware attacks are two common attack scenarios that are now supported by Microsoft 365 Defender’s automatic attack disruption capabilities to reduce their impact on an organization:

 

Business email compromise – BEC attacks commonly involve cybercriminals impersonating a company's executives or vendors to trick employees into transferring money or sensitive information - causing financial losses and reputational damage. Automatic attack disruption can help detect these attacks and remove the attacker’s access to the environment by disabling the compromised account, limiting their ability to send fraudulent email, and preventing money transfers and financial losses.

 

Image 2: Typical BEC attack flowImage 2: Typical BEC attack flow

 

Human-operated ransomware – Our analysis of dozens of ransomware cases shows that once a Threat Actor moves to deploy ransomware in a network, a SOC analyst has less than 20 minutes from deployment to effectively mitigate the attack. This narrow time frame, coupled with the high technical skills and time required to perform the analysis, makes manually responding near impossible. The attack shown in image 3 used elevation of privileges and deployed ransomware to critical data. Here, automatic attack disruption will contain the spreader device and disable the compromised user account.

 

Image 3: Typical human-operated ransomware attack flowImage 3: Typical human-operated ransomware attack flow

 

How we establish high confidence in Microsoft 365 Defender when taking automatic action

We understand that taking automatic action can come with hesitation, given the potential impact it can have on an organization. That’s why automatic attack disruption in Microsoft 365 Defender is designed to rely on high-fidelity XDR signals, coupled with insights from the continuous investigation of thousands of incidents by Microsoft’s research teams.

 

Automatic attack disruption operates in 3 key stages:

  1. Detect malicious activity and establish high confidence
  2. Classification of scenarios and identification of assets controlled by the attacker
  3. Trigger automatic response actions using the Microsoft 365 Defender protection stack to contain the active attack

 

Detection is achieved by using our research-informed, AI-driven detection capabilities and refining them with specific signals, e.g. human operated ransomware, to establish a high level of confidence in accurately detecting ransomware spread and encryption activity. The XDR-level capability correlates insights across endpoints, identities, email and SaaS apps to establish high-fidelity alerts.

 

The second stage consists of further aggregation and automatic analysis of the malicious activities, such as product tampering, backup deletion, credential theft, mass lateral movement, and many more. The intent is to flag the assets that are responsible for the malicious activity. Microsoft 365 Defender unravels the chain of attacks by retracing the malicious activity on a device to its remote execution TTP.

 

Lastly, automatic response actions are triggered against entities identified as compromised. In the current public preview, the automatic attack disruption capabilities use two key response actions to stop in-progress attacks:

 

  • Disable user: If onboarded to Microsoft Defender for Identity, we will automatically trigger a Suspend Account action on the user(s) delivering the attack. The action suspends the compromised user account in Active Directory and syncs this information to Azure AD.
  • Device containment: For environments using Defender for Endpoint, devices will be automatically contained to prevent any onboarded device from communicating with the compromised machine.

To ensure that automatic actions don’t negatively impact the health of a network, Microsoft 365 Defender automatically tracks and refrains from containing network-critical assets and built client-side fail safe mechanisms into the containment lifecycle. In addition, any automatic actions can be easily undone to ensure the SOC stays in full control.

 

Work with automatic attack disruption

When automatic disruption takes effect, we want to ensure visibility of these automatic actions, that's why the Microsoft 365 Defender user experience now includes additional visual cues across the following experiences:

 

Incident queue

  • A tag titled “Attack Disruption” next to affected incidents

Incident page

  • A tag titled “Attack Disruption”.
  • A yellow banner at the top of the page that highlights the automatic action taken.
  • The current asset status is shown in the incident graph if an action is done on an asset, e.g., account disabled or device contained.

Image 4: Automatic attack disruption incident view in Microsoft 365 Defender. Tags are visible in the right panel. Disabled account indication is shown in the Incident graph.Image 4: Automatic attack disruption incident view in Microsoft 365 Defender. Tags are visible in the right panel. Disabled account indication is shown in the Incident graph.

 

In addition, security teams can customize the configuration for automatic attack disruption and can easily revert any action from the Microsoft 365 Defender Portal, to ensure SOC teams have full control. Check out our documentation for more detail.

 

Microsoft 365 Defender is uniquely positioned to empower SOC teams to match the powerful techniques of adversaries and provide protection with the full context of an attack as the leading XDR natively spanning endpoint, identity, email and collaboration, and SaaS app security. Automatic attack disruption will change the game for SOC teams by limiting the impact of advanced attacks like BEC and human-operated ransomware through disruption at machine speed.

 

 

Get started

  1. Make sure your organization fulfills the Microsoft 365 Defender pre-requisites
  2. Connect Microsoft Defender for Cloud Apps to Microsoft 365.
  3. Deploy Microsoft Defender for Identity. You can start a free trial here.

 

Learn more

Published on:

Learn more
Microsoft 365 Defender Blog articles
Microsoft 365 Defender Blog articles

Microsoft 365 Defender Blog articles

Share post:

Related posts

Microsoft Teams: Auto detection of room audio in BYOD rooms expanded to audio devices with video

Microsoft Teams has expanded its room audio auto-detection feature for bring-your-own-device (BYOD) rooms to include audio devices that have a...

31 minutes ago

Dynamics 365 Business Central: How to upload files from Business Central to OneDrive via AL (Graph API)

Hi, Readers.We discussed Dynamics 365 Business Central: How to import/read files from OneDrive to Business Central via AL (Graph API) last wee...

7 hours ago

Google Workspace to Microsoft 365: A step-by-step migration guide with ShareGate 

Learn how to use ShareGate for a seamless migration from Google Workspace to Microsoft 365—from setup to post-migration.  Migrating from...

13 hours ago

Microsoft 365 & Power Platform Call (Microsoft Speakers) – November 26th, 2024 – Screenshot Summary

Call Highlights   SharePoint Quicklinks: Primary PnP Website: https://aka.ms/m365pnp Documentation & Guidance SharePoint Dev Videos Issues...

15 hours ago

Future of SharePoint with Power Platform

Introduction Let’s start with a question: What if your organization’s information, workflows, and insights could keep pace with bu...

20 hours ago

How to Create SharePoint List Items with MS Graph API: A Step-by-Step Guide

In this article I’ll elaborate how to create SharePoint List Items with MS Graph API. You might have use cases, which require the automa...

1 day ago

Microsoft 365 Copilot: New user license requests

Microsoft 365 Copilot is introducing a new license request feature that will soon be widely available. This new feature enables users to reque...

1 day ago

Microsoft Teams: Copilot in Meetings will suggest follow up questions to ask it

Microsoft Teams is introducing a new feature called Copilot in Meetings, which will not only respond to prompts during the meeting, but also s...

1 day ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy