Microsoft grows automated assault disruption to cover BEC, ransomware campaigns
There’s no HumOR in cyberattacks
At last year's Ignite show, Microsoft talked up a capability in its 365 Defender that automatically detects and disrupts a cyberattack while still in progress, hopefully stopping or reducing any resulting damage. Now it's extending that to include additional criminal areas.
The automatic attack disruption functionality aimed at corporate security operation centers (SOCs) uses millions of data points and signals to identify active malware campaigns – including ransomware – and take steps to automatically isolate the device under attack from the network and to suspend accounts compromised by the attackers.
The software and cloud services giant has now expanded the public preview of the automatic attack disruption capability to cover business email compromise (BEC) and human-operated ransomware (HumOR) attacks.
"Business email compromise and human-operated ransomware attacks are two common attack scenarios that are now supported by Microsoft 365 Defender's automatic attack disruption capabilities to reduce their impact on an organization," Eval Haik, senior product manager at Microsoft, wrote in a post.
Miscreants running BEC campaigns target organizations and use social engineering techniques to trick victims within the company into inadvertently downloading malware, requesting payment from vendors, or transferring funds to an account controlled by the attacker.
An FBI report last year said that between 2016 and 2021, there were 241,206 BEC incidents worldwide that cost organizations more than $43.3 billion.
In HumOR attacks – as opposed to automated ransomware campaigns – criminals get into a company's on-premises systems or cloud infrastructure, elevate privileges, move laterally, and deploy ransomware on a massive scale. The attacks target an entire organization rather than individual devices and involve credential theft and deploying ransomware.
Time is short
The rollout of automatic attack disruption in Microsoft 365 Defender is a nod not only to the increasing numbers and sophistication of cyberattacks, but also their sheer velocity and growing expertise. Attacks are often well underway before security teams can detect them, much less slow them down.
Microsoft has found that once a miscreant deploys ransomware in a network, a SOC analyst has less than 20 minutes to mitigate the attack. It can take less than two hours from the time a worker clicks on a phishing link to when an attacker gains full access to the user's inbox and is moving laterally through the network.
"This narrow time frame, coupled with the high technical skills and time required to perform the analysis, makes manually responding near impossible," Haik wrote.
Microsoft 365 Defender uses AI-based detection capabilities to correlate a range of extended detection and response (XDR) signals across endpoints, identities, email, and software-as-a-service (SaaS) applications to identify cyberattacks. There's also analysis identifying malicious activities, from credential theft and lateral movement to product tampering.
All this triggers the automatic attack disruption capability to disable the compromised user accounts in Active Directory and Azure AD and contain devices to ensure they can't communicate with a compromised machine.
"Automation is critical to scaling SOC teams' capabilities across today's complex, distributed, and diverse ecosystems," Microsoft wrote in a post in October 2022 when the feature was introduced at Ignite.
System admins can see what's happening through an "Attack Disruption" tag next to affected incidents in the Incident queue and, in the Incident page, an "Attack Disruption" tab, a yellow banner at the top of a page showing the automatic action that was taken, and an incident graph showing an asset's status, such as an account being disabled or a device contained.
Security teams also can customize how automatic attack disruption is configured and change an action via the Microsoft 365 Defender Portal. ®