Microsoft Defender XDR Blog

Automatic attack disruption: Enhanced containment for critical assets and shadow IT

AvivSharon
Apr 09, 2025

Staying ahead of attackers is tough: they constantly evolve and adopt advanced techniques, including AI, to exploit vulnerabilities. Protecting high-value assets is harder still, because these are the prime targets. Security teams must constantly adapt to outpace attackers, balancing proactive measures with the need for speed and innovation. This is why Microsoft Defender XDR includes automatic attack disruption, a built-in self-defense capability that contains in-progress attacks to prevent further lateral movement and damage to an organization.

We’re thrilled to introduce new, extended capabilities in automatic attack disruption, designed to further stop attackers and restrict them from moving laterally across the network through compromised devices. These capabilities are delivered by Microsoft Defender for Endpoint, which disrupts ransomware on its own.

With this expansion, we now offer:

  • Granular containment of critical assets – Helping ensure essential infrastructure remains operational while blocking attacker activity.
  • Containment of IP addresses linked to undiscovered devices – Helping to prevent attackers from exploiting shadow IT and unmanaged endpoints.

Granular Containment of Critical Assets

Critical assets—such as Domain Controllers, DNS, and DHCP servers—are prime targets for adversaries. These systems serve as strategic footholds for attackers to establish persistence, escalate privileges, and compromise further resources. However, containing these devices has traditionally been challenging, as full isolation could disrupt business operations.

With this new capability, Defender for Endpoint applies intelligent, device role-based, granular containment to limit only specific network functionalities and interfaces used for malicious activity, while keeping essential functions running. This means:

  • Attackers lose their ability to move laterally and escalate their attack.
  • Key network functions are preserved, ensuring business continuity.
  • Compromised critical assets remain operational while being protected.

Containing IP addresses of undiscovered devices

Shadow IT and unmanaged devices present a hidden security risk. Often unmonitored, these devices become easy targets for attackers to exploit for lateral movement.

With the new IP address containment capability, Defender for Endpoint can identify and incriminate malicious IP addresses linked to unmanaged or undiscovered devices and automatically contain those IPs. This blocks attackers from using a vulnerable, unmanaged device as their entry point before they can spread to other, not-yet-compromised devices.

Configuring IP containment

Excluding assets from automatic attack disruption is not recommended, as it reduces the protection your environment has against sophisticated, high-impact attacks. If you still need to exclude an IP subnet or several IP addresses, do so in the Microsoft Defender XDR portal as follows:

  1. Under Automated responses, select Devices.
  2. In the IPs tab, select Exclude IP.
  3. In the flyout pane, enter the IP address, IP range, or IP subnet you want to exclude. You can add multiple IP addresses and IP subnets by separating them with commas.
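As an added pre-flight check (example code written for this post, not part of the original article and not part of Defender XDR), the following Python script validates a comma-separated exclusion list before it is pasted into the Exclude IP flyout and flags entries that would exclude a large address space, since every excluded address is one that attack disruption can no longer contain. It assumes each entry is a single IPv4/IPv6 address, a CIDR subnet, or a hyphenated start-end range; the page does not state which range syntax the portal accepts, so that format and the 256-address "broad" threshold are assumptions to confirm against the Defender XDR documentation.

```python
"""Pre-flight check for a Defender XDR IP exclusion list.

Added example, not code from the blog post or from Microsoft. Assumptions:
entries are comma-separated; each is a single IP address, a CIDR subnet
(10.0.5.0/24) or a hyphenated range (10.0.6.10-10.0.6.20). The portal's
accepted syntax is not stated on the page; confirm it in the documentation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Assumed threshold: anything excluding more than 256 addresses is flagged as
# "broad", because every excluded address is one attack disruption can no
# longer contain.
BROAD_THRESHOLD = 256


@dataclass
class Entry:
    raw: str    # entry as typed, whitespace stripped
    kind: str   # "address", "subnet", "range" or "invalid"
    size: int   # number of addresses the entry excludes (0 if invalid)

    @property
    def broad(self) -> bool:
        return self.size > BROAD_THRESHOLD


def parse_entry(raw: str) -> Entry:
    """Classify one entry; malformed input yields kind == "invalid"."""
    text = raw.strip()
    try:
        if "/" in text:
            # strict=False accepts host bits set, e.g. 10.0.5.10/24 -> 10.0.5.0/24
            net = ipaddress.ip_network(text, strict=False)
            return Entry(text, "subnet", net.num_addresses)
        if "-" in text:
            lo_s, hi_s = text.split("-", 1)
            lo = ipaddress.ip_address(lo_s.strip())
            hi = ipaddress.ip_address(hi_s.strip())
            # Reject mixed IPv4/IPv6 ranges and reversed bounds
            if lo.version != hi.version or int(hi) < int(lo):
                return Entry(text, "invalid", 0)
            return Entry(text, "range", int(hi) - int(lo) + 1)
        ipaddress.ip_address(text)
        return Entry(text, "address", 1)
    except ValueError:
        return Entry(text, "invalid", 0)


def parse_exclusion_list(csv: str) -> List[Entry]:
    """Split on commas, as the flyout expects, ignoring empty fragments."""
    return [parse_entry(part) for part in csv.split(",") if part.strip()]


def report(csv: str) -> Dict[str, object]:
    """Summarise what a list would exclude and which entries need review."""
    entries = parse_exclusion_list(csv)
    return {
        "valid": [e.raw for e in entries if e.kind != "invalid"],
        "invalid": [e.raw for e in entries if e.kind == "invalid"],
        "broad": [e.raw for e in entries if e.broad],
        "total_excluded": sum(e.size for e in entries),
    }


if __name__ == "__main__":
    # Constructed sample input, not taken from the page.
    sample = "10.0.5.10, 10.0.5.0/24, 10.0.6.10-10.0.6.20, 10.0.0.0/8, 192.168.1.300"
    for entry in parse_exclusion_list(sample):
        flag = "  <-- review: broad exclusion" if entry.broad else ""
        print(f"{entry.raw:<22} {entry.kind:<8} {entry.size:>10}{flag}")
    print(report(sample))
```

Run it against the list you intend to paste; fix anything reported under "invalid" (the portal will reject it anyway) and reconsider anything under "broad", where a single entry such as a /8 removes a whole network segment from automatic containment.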

For full configuration options see the Defender XDR documentation.


While security is undeniably challenging, security analysts should feel empowered by their tools to effectively combat against attacks. With continuous innovation and the ability to adapt to the latest threats, they can stay resilient and confident in their ability to protect valuable assets. The ever-evolving landscape of cybersecurity is demanding, but with the right resources, analysts are well-equipped to tackle it head-on.


Get started

  1. Make sure your organization fulfills the Microsoft Defender XDR prerequisites.
  2. Deploy Defender for Endpoint. A free trial is available here.

Learn more

  • Read our latest security blog on how we protect against ransomware attacks using domain controllers
  • Read our latest Defender for Endpoint e-book
  • Check out our documentation to learn more about Microsoft Defender XDR's attack disruption prerequisites, available controls, and indications.
  • Learn more about our Device Containment capabilities.
  • Learn more about other scenarios supported by automatic attack disruption.
Updated Apr 09, 2025
Version 2.0