Microsoft Defender just got a major security upgrade aimed at quarantining hackers

Padlock against circuit board/cybersecurity background
(Image credit: Future)

One of the biggest challenges IT teams face today is identifying when a legitimate user’s account is compromised and stopping it from being used to deploy malware or steal data. With the latest update to Defender for Endpoint, Microsoft wants to help solve that problem.

Currently in public preview, Microsoft Defender for Endpoint features a new tool called “contain user” which does just what it says it does - contains a potentially problematic user. 

If the tool spots a user account behaving in a “suspicious” manner, DoE will move in to lock all the doors around it, cutting it off from other endpoints and resources. That way, Microsoft hopes, DoE will stop the threat actor in its tracks, before it can wreak any more damage (for example, deploy ransomware).

Blocking all traffic

"Attack disruption achieves this outcome by containing compromised users across all devices to outmaneuver attackers before they have the chance to act maliciously, such as using accounts to move laterally, performing credential theft, data exfiltration, and encrypting remotely," said Rob Lefferts, Corporate Vice President for Microsoft 365 Security in a blog post.

"This on-by-default capability will identify if the compromised user has any associated activity with any other endpoint and immediately cut off all inbound and outbound communication, essentially containing them."

While the suspicious account gets locked down, all other endpoints will be “inoculated”, with all incoming malicious traffic being blocked. The threat actor will basically have no one to talk to.

"When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic," Microsoft further said.

"This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity."

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.