I'm outta time, and all I got is four minutes
Fikki fikki, four minutes, aye
We only got four minutes to save the Data!!

 

Cyber attacks are getting more advanced, and even the most skilled Security Operations Centre (SOC) teams struggle to keep up. The image below shows how quickly an attacker can encrypt hundreds of devices in a ransomware attack. Identifying and containing such an attack fast is crucial to limit the damage to an organisation, and four minutes may already be too long.

 

Automatic attack disruption in Microsoft 365 Defender can stop an attack in progress by disabling or restricting the devices and user accounts the attacker is using. That makes it harder for the attacker to reach other devices on the network and buys the SOC team time to investigate and respond.

The key point is that attack disruption doesn't rely on a single signal. It correlates signals from across the XDR stack to assess the attack as a whole rather than one isolated alert, which is what lets it act with confidence while the attack is still unfolding.

Attackers lean heavily on business email compromise and human-operated ransomware to do damage, and automatic attack disruption in Microsoft 365 Defender now covers both scenarios, with the goal of cutting the impact these attacks have on your organisation.

Business email compromise (BEC) is a major concern for organisations because it can lead to significant financial loss and reputational damage. In these attacks, criminals impersonate senior executives or trusted vendors to trick employees into transferring money or sensitive information. When automatic attack disruption detects a BEC attack, it disables the compromised account, which cuts off the attacker's ability to send further fraudulent emails and so stops further unauthorised transfer requests going out from that mailbox.

 

Picture 1

 

 

Human-operated ransomware is a serious threat to organisations, and our analysis of past cases shows that SOC analysts have less than 20 minutes to respond effectively once the ransomware is deployed. Responding in that window requires deep technical skill and a lot of hands-on work, which makes it almost impossible to do manually. In one such attack, the attackers escalated privileges and deployed ransomware against critical data, as shown in the image below. Automatic attack disruption helps here by containing the infected device and disabling the compromised user account, which stops the attack from spreading further.

 

Picture 2

 

We recognise that organisations may be apprehensive about enabling automatic attack disruption, given the potential impact of an automated action. In Microsoft 365 Defender, attack disruption is designed to act only on high-fidelity XDR signals, combined with insights from Microsoft research teams' continuous investigation of thousands of incidents.

The automatic attack disruption in Microsoft 365 Defender consists of three critical stages:

  • Detect malicious activity and establish high confidence.

  • Classify the scenario and identify the assets controlled by the attacker.

  • Trigger automatic response actions through the Microsoft 365 Defender protection stack to contain the active attack.

 

Our AI-driven detection, informed by extensive research, lets us detect ransomware spread and encryption activity with high confidence. We also use scenario-specific signals, such as those tied to human-operated ransomware tradecraft, to strengthen detection. At the XDR level, we correlate insights from endpoints, identities, email and SaaS apps to produce high-fidelity alerts.

In the second stage, we aggregate and analyse malicious activity such as security-product tampering, backup deletion and credential theft to identify the assets driving the attack. By retracing the malicious activity on a device back to the remote-execution technique that delivered it, we can follow the chain of attack to the attacker-controlled source.

In the final stage, automatic response actions are triggered against the identified compromised entities. The current public preview offers two response actions to stop an ongoing attack. The first disables the user account(s) responsible for the attack through a Suspend Account action, available when the environment is onboarded to Microsoft Defender for Identity; this suspends the compromised account in both Active Directory and Azure AD. The second automatically contains the compromised device, so that no other onboarded device can communicate with it, in environments using Defender for Endpoint. Both actions are gated on the high-fidelity signals described above, to minimise any unintended impact on the organisation.

To ensure automatic actions don't harm the health of the network, Microsoft 365 Defender automatically tracks network-critical assets and refrains from containing them, and it has built client-side fail-safe mechanisms into the containment lifecycle. Any automatic action can also be easily undone, so the SOC stays in full control.
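To make the three stages concrete, here is an added example that models detect, attribute and respond over a handful of constructed telemetry events. It is not Microsoft's code and not the logic Defender actually runs; the host names (ws-02, ws-07, fs-01, dc01), the signal kinds, the three-distinct-signals confidence threshold and the critical-asset list are all assumptions chosen for the illustration.

```python
"""Toy model of the detect -> attribute -> respond flow described above.

Illustrative only (added example, not Microsoft's implementation). Every
threshold, signal name and host name below is an assumption for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Signals that, seen together on one host, point at human-operated
# ransomware rather than a one-off alert (assumed list).
RANSOMWARE_SIGNALS = {
    "tamper_protection_disabled",
    "backup_deleted",
    "credential_theft",
    "mass_encryption",
}
CONFIDENCE_THRESHOLD = 3   # distinct signal kinds required before acting (assumption)
CRITICAL_ASSETS = {"dc01"}  # network-critical hosts never auto-contained (assumption)


@dataclass(frozen=True)
class Event:
    host: str                        # device on which the activity was observed
    user: str                        # account that performed it
    kind: str                        # signal type
    src_host: Optional[str] = None   # for "remote_exec": device the command came from


# Constructed telemetry: an isolated admin action on ws-02, a foothold on
# ws-07, then remote execution from ws-07 into fs-01 and the domain controller.
EVENTS = [
    Event("ws-02", "itadmin", "backup_deleted"),
    Event("ws-07", "jdoe", "credential_theft"),
    Event("fs-01", "svc_backup", "remote_exec", src_host="ws-07"),
    Event("fs-01", "svc_backup", "tamper_protection_disabled"),
    Event("fs-01", "svc_backup", "backup_deleted"),
    Event("fs-01", "svc_backup", "mass_encryption"),
    Event("dc01", "svc_backup", "remote_exec", src_host="ws-07"),
    Event("dc01", "svc_backup", "tamper_protection_disabled"),
    Event("dc01", "svc_backup", "credential_theft"),
    Event("dc01", "svc_backup", "mass_encryption"),
]


def detect(events):
    """Stage 1: flag hosts showing enough distinct ransomware signals."""
    kinds = defaultdict(set)
    for e in events:
        if e.kind in RANSOMWARE_SIGNALS:
            kinds[e.host].add(e.kind)
    return {h for h, k in kinds.items() if len(k) >= CONFIDENCE_THRESHOLD}


def attribute(events, flagged):
    """Stage 2: walk remote-execution edges back to their origin and collect
    every host on the chain plus the accounts that drove the activity."""
    origin = defaultdict(set)
    for e in events:
        if e.kind == "remote_exec" and e.src_host:
            origin[e.host].add(e.src_host)
    hosts, queue = set(), list(flagged)
    while queue:
        h = queue.pop()
        if h in hosts:
            continue
        hosts.add(h)
        queue.extend(origin.get(h, ()))
    # Only accounts that performed attack activity on those hosts, not every
    # user who happened to log on to them.
    users = {
        e.user for e in events
        if e.host in hosts and (e.kind in RANSOMWARE_SIGNALS or e.kind == "remote_exec")
    }
    return hosts, users


def respond(hosts, users):
    """Stage 3: emit response actions; critical assets are skipped (fail-safe)."""
    actions = [("disable_user", u) for u in sorted(users)]
    for h in sorted(hosts):
        actions.append(("skip_contain" if h in CRITICAL_ASSETS else "contain_device", h))
    return actions


def undo(actions):
    """Every automatic action has a reverse, so the SOC can roll it back."""
    reverse = {"disable_user": "enable_user", "contain_device": "release_device"}
    return [(reverse[a], target) for a, target in actions if a in reverse]


def disrupt(events):
    hosts, users = attribute(events, detect(events))
    return respond(hosts, users)


if __name__ == "__main__":
    for action, target in disrupt(EVENTS):
        print(f"{action:15} {target}")
```

Running it flags fs-01 and dc01 (three distinct signals each), traces both back to ws-07 through the remote-execution edges, and produces disable actions for jdoe and svc_backup plus containment of fs-01 and ws-07; dc01 is flagged but skipped because it is on the critical-asset list, and ws-02's single backup deletion never crosses the confidence threshold.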

To make automatic disruption transparent, Microsoft 365 Defender adds visual indicators to the user experience. In the incident queue, affected incidents carry an "Attack Disruption" tag. The incident page shows the same tag together with a yellow banner that highlights the automatic action taken. If an action was taken on an asset (such as disabling an account or containing a device), the incident graph shows that asset's current status. Together these cues let analysts quickly spot incidents that have been automatically disrupted and see exactly what was done.

 

Picture 3

 

Security teams can also tailor the configuration for automatic attack disruption to their specific needs, and any action taken can be reverted from the Microsoft 365 Defender portal, so the SOC keeps full control of the response.

Microsoft 365 Defender is an XDR solution that helps SOC teams counter advanced adversary techniques across endpoint, identity, email, collaboration and SaaS app security. With automatic attack disruption, SOC teams can now limit the impact of attacks such as business email compromise and human-operated ransomware at machine speed, in under four minutes, and turn to investigation and recovery with the attack already contained.

 

I've only got four minutes, gotta be quick
Fikki fikki, four minutes, yeah
I've only got four minutes, gotta be slick
Fikki fikki, four minutes, yeah
I've only got four minutes (four, four)
Fikki fikki, four minutes, yeah
I've only got four minutes (four, four)
Fikki fikki, four minutes, yeah

I'm running out of time, need to keep things secure
Don't waste time, gotta be sure
Let's speed things up, then slow it down
There's enough room for us to keep things sound

Can you handle it? Show me where to go
Ready to protect, ready to go

If you want it, you've already got it
If you need it, let's make it real
If you feel it, then it's a must
Just say the word, and we'll handle the fuss

The clock is ticking (We've only got four minutes to save the data)
No time to waste
Get to work (Before it's too late)
The clock is ticking (We've only got four minutes to save the data)
No time to waste (We've only got four minutes, yeah, four minutes)

So let's keep it up, don't be a prima donna
Get to work and make it count (Tick tock, tick tock, tick tock, tick tock)
Keep pushing, don't stop
Don't be a prima donna (Tick tock, tick tock, tick tock, tick tock)

Sometimes we need intervention
To keep the data safe, prevent the tension
We can tell when things are good
By the way we move, we do what we should

The road to disaster is paved with bad intentions
But if we work together, we'll prevent the tension
Tell me, what's your plan?

If you want it, you've already got it
If you need it, let's make it real
If you feel it, then it's a must
Just say the word, and we'll handle the fuss

The clock is ticking (We've only got four minutes to save the data)
No time to waste
Get to work (Before it's too late)
The clock is ticking (We've only got four minutes to save the data)
No time to waste (We've only got four minutes, yeah, four minutes)

So let's keep it up, don't be a prima donna
Get to work and make it count (Tick tock, tick tock, tick tock, tick tock)
Keep pushing, don't stop
Don't be a prima donna (Tick tock, tick tock, tick tock, tick tock)

Tick tock, tick tock, tick tock, tick tock
We've only got four minutes to save the data