A new feature in Microsoft Defender for Endpoint can make it more difficult for attackers to perform lateral movement within company networks, as it allows admins to prevent traffic flowing to and from unmanaged devices that have been compromised.
Isolating unmanaged devices
Lateral movement is a fundamental tactic deployed by most cyberattackers today, which means that enterprise defenders should work to prevent it or at least minimize it.
“While devices enrolled in Microsoft Defender for Endpoint can be isolated to prevent bad actors from compromising other devices, responding to a compromised device not enrolled in Microsoft Defender for Endpoint can be a challenge for organizations today,” noted Yossi Basha, Principal Product Manager, M365 Defender at Microsoft.
Not enrolled devices may include printers, various IoT devices, and even networking devices – although, as Microsoft warns, containing the latter may cause problems.
“In cases where the contained device is a network device, a warning will appear with a message that this may cause network connectivity issues (for example, containing a router that is acting as a default gateway). At this point, you’ll be able to choose whether to contain the device or not,” the company explained.
The new “Contain” feature
Microsoft Defender for Endpoint is an endpoint security platform aimed at preventing, detecting, investigating, and responding to advanced threats targeting enterprise networks and systems. It includes centralized management and reporting.
The new “Contain” feature can be switched on (and off) from the Device inventory page or from the Device page:
“This action can help prevent neighboring devices from becoming compromised while the security operations analyst locates, identifies, and remediates the threat on the compromised device,” Microsoft adds.
A current limitation of the feature is that blocking incoming and outgoing communication with a “contained” device can only be performed on onboarded Microsoft Defender for Endpoint Windows 10 and Windows Server 2019+ devices – though the company is working on building out additional platform support.
If a contained device changes its IP address, all Microsoft Defender for Endpoint onboarded devices will recognize this and start blocking communications with the new IP address within 5 minutes. And if the new IP is used by another device, admins will be warned before deciding to proceed with containment.