How to stop human-operated cyber attacks?

Author: Priit Timpson | Date: 27.11.2023

As the security adage goes, it’s not a matter of if you’ll be breached, but a matter of when.

Ransomware is one of the most common human-operated attacks organizations face. In 2022, there were nearly 236.7 million ransomware attacks worldwide, with the projected cost rising to 250 billion € annually by 2031. With the increasing volume and impact of attacks like ransomware, security teams need the sophisticated automation of previously manual responses that attack disruption offers in order to scale their defences effectively.

* A human-operated ransomware attack is the result of an active attack carried out in person by cybercriminals who infiltrate an organization's on-premises or cloud IT infrastructure, elevate their privileges, and deploy ransomware to critical data.

Endpoint security requires defence in depth through multiple protective layers and mechanisms: patching vulnerabilities, using next-generation antivirus to neutralize threats at the perimeter, harnessing automated investigation and response to remediate at the individual device level, and automatic attack disruption at the organization level to further limit the spread of an attack.

Security teams need every edge they can get in the fight against ransomware. Microsoft Defender for Endpoint customers can automatically disrupt human-operated attacks like ransomware early in the kill chain without needing to deploy any other capabilities.

With Defender for Endpoint, organizations only need to onboard their devices to start realizing the benefits of attack disruption, bringing this AI-powered extended detection and response (XDR) capability within reach of even more customers.

Automatic attack disruption uses signal across the Microsoft 365 Defender workloads (identities, endpoints, email, and software as a service [SaaS] apps) to disrupt advanced attacks with high confidence. If the beginning of a human-operated attack is detected on a single device, attack disruption simultaneously stops the campaign on that device and inoculates all other devices in the organization. The adversary has nowhere to go.

Attack disruption achieves this outcome by containing compromised users across all devices, outmanoeuvring attackers before they have the chance to act maliciously, such as using the accounts to move laterally, steal credentials, exfiltrate data, or encrypt remotely.

This on-by-default capability identifies whether the compromised user has any associated activity on any other endpoint and immediately cuts off all inbound and outbound communication for that user, essentially containing them. Even if a user has the highest permission level and would normally be outside a security control’s purview, the attacker will still be restricted from accessing any device in the organization. As a result of this decentralized protection, attack disruption has saved 91 percent of targeted devices from encryption attempts.

Automatic attack disruption is a capability that stops attacks at machine speed by correlating cross-domain signal into one high-fidelity incident. Combined with automated investigation and response capabilities, Microsoft 365 Defender is the only XDR platform that protects against ransomware attacks at both the organizational and device levels.

In addition to ransomware, attack disruption covers the most prevalent, complex attacks, including business email compromise and adversary-in-the-middle. These scenarios each involve a combination of attack vectors such as endpoints, email, identities, and apps, which makes it a significant challenge for security teams to pinpoint where the attack is coming from. Most security vendors lack the high-fidelity signal to accurately identify whether an attack is even happening, let alone take disruption actions. Automatic attack disruption solves this problem by confidently detecting and disrupting at the attack source, giving defenders time to respond before the adversary can inflict damage.

More importantly, attack disruption’s effectiveness and coverage increase with every product that is integrated into Microsoft 365 Defender. While the majority of ransomware attacks happen on the endpoint, it’s important to deploy the entire security stack across apps, identities, email, and collaboration to protect against prevalent scenarios like business email compromise and adversary-in-the-middle, as well as future scenarios. This enables organizations to benefit not only from disruption capabilities but from all the rich features across the most critical security workloads.

Previously, detecting these campaigns early posed significant challenges for security teams, since adversaries typically perform activities disguised as normal user behaviour. And while other vendors may detect these attack techniques, only Microsoft 365 Defender can automatically disrupt them around the clock, even when your security team might be offline. Backed by Microsoft’s breadth of signal and deep user behavioural analysis, security teams now possess a robust new tool to stop sophisticated ransomware attackers at scale.

Microsoft Defender for Endpoint represents a vital weapon in the ongoing battle against ransomware, offering organizations a lifeline of defence at both the device and organizational levels. By leveraging high-fidelity signals and cross-domain correlation, automatic attack disruption detects and decisively halts threats, preventing cybercriminals from advancing their malicious agendas. The ability to neutralize attacks at machine speed, alongside the coverage of business email compromise, makes this technology a game-changer for cybersecurity. It is a potent reminder that the landscape of digital defence is evolving, and organizations must harness every available edge to protect their assets and preserve their operations.

For small business organizations, the Microsoft 365 Business Premium license is the way to go: it provides protection with Defender for Office 365, Defender for Business, and Intune, giving the best protection solutions at an attractive price for up to 300 users. Bigger organizations should look at Microsoft 365 E3 or combinations of different licenses. For the best licensing and protection solutions, contact Primend and we will help with licenses, solutions, and deployment of protection workloads, so that your organization is protected against a wide variety of threats.
