Last year, Microsoft announced automatic attack disruption capabilities in Microsoft 365 Defender, its enterprise defense suite. On Wednesday, it announced that these capabilities will now help organizations disrupt two common attack scenarios: BEC (business email compromise) and human-operated ransomware attacks.
Reaction speed is paramount for disrupting attacks
A fast defensive response to an attack already under way is becoming increasingly crucial for organizations. According to IBM Security’s X-Force team, the average time to complete a ransomware attack has dropped from 2 months to less than 4 days, and the rate at which attackers target employees via compromised email accounts and by hijacking existing email threads has doubled.
In an ideal world, all organizations would have the right technology deployed and a well-staffed security operations center (SOC) capable of spotting the very first signs of an attack in progress. In this imperfect world, though, SOC analysts are few, overworked and burned out, overwhelmed with alerts and wading through a sea of false positives – and often finding crucial clues too late.
The solution, according to many security vendors, is automation. According to Microsoft, it’s automation and reaction at machine speed.
BEC and ransomware attack disruption
The signals on which Microsoft 365 Defender bases its automated disruption actions are gathered from endpoints, identities, email, collaboration and SaaS apps. They are then aggregated and automatically analyzed and, only if a high level of confidence is established, acted upon.
“The intent is to flag the assets that are responsible for the malicious activity,” says Eyal Haik, Senior Product Manager at Microsoft.
In the current public preview, the automatic attack disruption capabilities include:
- Suspending the account in Active Directory and Azure AD of the user delivering the attack (if the user has been onboarded to Microsoft Defender for Identity)
- Containing devices to prevent them from communicating with the compromised machine (possible for environments using Defender for Endpoint)
Visual cues about automated actions taken are obvious in the dashboard and, more importantly, the actions can be reverted from the Microsoft 365 Defender Portal.
Security teams can customize the configuration for automatic attack disruption. Also, “to ensure that automatic actions don’t negatively impact the health of a network, Microsoft 365 Defender automatically tracks and refrains from containing network-critical assets and built client-side fail safe mechanisms into the containment lifecycle.”