Update Prevent Compromised Unmanaged Devices from Moving Laterally

upnorth (Moderator, Thread author, Verified, Staff member, Malware Hunter, Well-known) · Jul 27, 2015 · 4,944
71% of human-operated ransomware cases are initiated by an unmanaged device, usually internet-facing, that is compromised and is then used to move laterally and compromise more devices. Starting today, when a device that is not enrolled in Microsoft Defender for Endpoint is suspected of being compromised, as a SOC analyst, you will be able to “Contain” it. As a result, any device enrolled in Microsoft Defender for Endpoint will now block any incoming/outgoing communication with the suspected device.

While devices enrolled in Microsoft Defender for Endpoint can be isolated to prevent bad actors from compromising other devices, responding to a compromised device not enrolled in Microsoft Defender for Endpoint can be a challenge for organizations today, especially where:
  • No Network Access Control enforcement means isolation of an IoT device requires physical access.
  • Locating the device and its owner may take time.
  • It takes time to close the loop between the SOC analyst identifying the threat and the network team/IT remediating the threat, meaning that in many cases the device may have already compromised others.
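The post describes the effect of "Contain" (every enrolled device blocks inbound and outbound traffic to the suspected device) but not how Microsoft Defender for Endpoint enforces it. The following is an added example, not Microsoft's code and not from the post, that reproduces the same observable effect on a single Windows host with Windows Defender Firewall rules, so the reader can see what containment amounts to at the endpoint and how to verify and release it. The function names, the `SOC-Contain` rule-name prefix and the IP address `192.0.2.45` are assumptions made for the example; an elevated PowerShell session is required.

```powershell
# Added example (not from the post or from Microsoft): emulate the effect of
# "Contain" on one enrolled Windows host with Windows Defender Firewall rules.
# How Defender for Endpoint really enforces containment is not described in
# the post; this only reproduces the observable result (no inbound or outbound
# traffic to the contained address). Rule-name prefix and IP are constructed.

function Add-ContainmentRule {
    param(
        [Parameter(Mandatory)] [string] $RemoteAddress,   # contained device IP or CIDR
        [string] $Tag = 'SOC-Contain'                      # prefix used to find the rules later
    )
    # One rule per direction: the post says both incoming and outgoing traffic is blocked.
    foreach ($direction in 'Inbound', 'Outbound') {
        New-NetFirewallRule -DisplayName "$Tag $RemoteAddress $direction" `
            -Direction $direction `
            -RemoteAddress $RemoteAddress `
            -Action Block `
            -Profile Any `
            -Enabled True | Out-Null
    }
}

function Remove-ContainmentRule {
    # Release a device after remediation by deleting the rules carrying its address.
    param(
        [Parameter(Mandatory)] [string] $RemoteAddress,
        [string] $Tag = 'SOC-Contain'
    )
    Get-NetFirewallRule -DisplayName "$Tag $RemoteAddress *" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Get-ContainmentRule {
    # Verification: list every containment rule with the address it actually matches.
    param([string] $Tag = 'SOC-Contain')
    Get-NetFirewallRule -DisplayName "$Tag *" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.DisplayName
                Direction     = $_.Direction
                Action        = $_.Action
                RemoteAddress = $addr.RemoteAddress
                Enabled       = $_.Enabled
            }
        }
}

# Constructed sample: the address a SOC analyst decided to contain.
$suspect = '192.0.2.45'
Add-ContainmentRule -RemoteAddress $suspect
Get-ContainmentRule | Format-Table -AutoSize
# Once the device is remediated, release it:
# Remove-ContainmentRule -RemoteAddress $suspect
```

Two limitations of the host-level emulation are exactly what the centralised feature is meant to remove: the rule matches an address, so a contained device that obtains a new DHCP lease is no longer blocked until the rule is updated, and the rule must be pushed to every enrolled host and later removed from all of them, which is the "close the loop between the SOC analyst and the network team" delay the post lists. Running `Get-ContainmentRule` after any change is the check that both directions are present and enabled on the host.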