Microsoft Defender now auto-isolates hacked endpoints

Summary
– Microsoft Defender for Endpoint now has a preview feature that automatically isolates compromised endpoints to prevent lateral movement, disconnecting them from the network but maintaining connection to the Defender service for monitoring.
– Automatic isolation is part of the automatic attack disruption feature, designed to contain attacks, limit impact, and give security teams more remediation time.
– The feature works only on onboarded end-user workstations managed by Microsoft Defender for Endpoint, and devices can be released from isolation by security operators after investigation.
– In June 2022, Microsoft enabled manual isolation of unmanaged Windows devices, and in October 2023, isolation support reached general availability for onboarded Linux devices.
– Recent preview features also include automatic blocking of traffic to and from undiscovered Windows endpoints and scheduling antivirus scans on Linux systems via the Microsoft Defender portal.
Microsoft is currently trialing a new capability within Microsoft Defender for Endpoint that will automatically isolate compromised endpoints, effectively cutting off attackers before they can move laterally across the network. This feature is now available in preview and operates as part of the platform’s automatic attack disruption toolset, which is designed to contain threats, minimize damage, and give security teams more time to respond.
When an endpoint is flagged as compromised and automatically isolated, it gets disconnected from the network to limit further harm. However, it still maintains a connection to the Defender for Endpoint service, which continues to monitor the device for ongoing activity.
“When a device in your organization is suspected to be compromised, Microsoft Defender for Endpoint can automatically isolate the device as part of automatic attack disruption,” Microsoft explained. “Automatic isolation helps reduce the risk of further impact on the organization, limit attacker lateral movement, and prevent impacts such as data exfiltration and ransomware propagation.”
This automatic isolation feature currently applies only to onboarded end-user workstations managed by Defender for Endpoint. Security operators can also lift the containment at any time after completing their incident investigation and addressing the associated risks. To release a device, they simply select it from the “Device inventory” or open the device page and choose “Release from isolation” from the action menu.
This development builds on earlier enhancements. Back in June 2022, Microsoft announced that administrators could manually contain compromised, unmanaged Windows devices by blocking all incoming and outgoing communication with onboarded Defender for Endpoint endpoints. Then, in January 2023, the company began testing device isolation support for Linux devices, which reached general availability in October of that same year. That month also saw the introduction of automatic isolation for compromised user accounts as part of attack disruption, targeting lateral movement in hands-on-keyboard ransomware attacks.
More recently, Microsoft started testing another new feature for the Defender for Endpoint platform that automatically blocks traffic to and from undiscovered Windows endpoints, preventing attackers from breaching other non-compromised devices on the network. And earlier this month, the company revealed a preview feature that allows administrators to schedule antivirus scans on onboarded Linux systems using the Microsoft Defender portal, the mdatp managed JSON configuration, or the mdatp command-line tool. “Scheduled scans support daily quick scans, interval-based quick scans, and weekly full scans, with options for low-priority execution, idle-time scheduling, and randomized start times,” Microsoft noted.
(Source: BleepingComputer)