71% of human-operated ransomware cases are initiated from an unmanaged device, usually internet-facing, that is compromised and then used to move laterally and compromise more devices. Starting today, when a device that is not enrolled in Microsoft Defender for Endpoint is suspected of being compromised, a SOC analyst can “Contain” it. Once the device is contained, every device enrolled in Microsoft Defender for Endpoint (see the platform note below) blocks all incoming and outgoing communication with the suspected device.
While devices enrolled in Microsoft Defender for Endpoint can be isolated to stop bad actors from compromising other devices, responding to a compromised device that is not enrolled in Microsoft Defender for Endpoint is a challenge for many organizations today, especially where:
- There is no Network Access Control (NAC) enforcement, so isolating an IoT device requires physical access to it.
- Locating the device and its owner can take time.
- Closing the loop between the SOC analyst who identifies the threat and the network or IT team that remediates it takes time, so in many cases the device has already compromised others by the time it is taken off the network.
Microsoft has made significant efforts to create visibility into devices that are unknown to the organization (see https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909), and we're happy to announce a new response action that provides the ability to “Contain” devices that are not enrolled.
Fig. A – Contain device option in the device response action menu.
Fig. B – Illustration of enrolled Microsoft Defender for Endpoint devices blocking communication to/from an unmanaged device.
Note: Only enrolled devices running Windows 10 and above perform the Contain action, so at this time only devices running Windows 10 and above that are enrolled in Microsoft Defender for Endpoint block communication with “contained” devices. Stay tuned as we build out additional platform support for this feature.
Additional information on how the Contain feature works:
- If a contained device changes its IP address, all devices enrolled in Microsoft Defender for Endpoint recognize the change and start blocking communication with the new IP address; the original IP address is no longer blocked. It may take up to 5 minutes for this change to take effect.
- The Role Based Access Control (RBAC) permissions required to contain a device are similar to those for device isolation: any admin who can isolate a device can also perform a “Contain” action.
- If the contained device's IP address is also in use by another device on the network, a warning is shown during containment, with a link to advanced hunting (with a prepopulated query). This gives you visibility into the other devices using the same IP address, which would be affected by the block as well, so you can make a conscious decision on whether or not to contain the device.
- If the contained device is a network device, a warning appears that containing it may cause network connectivity issues (for example, containing a router that is acting as the default gateway). At that point you can choose whether or not to contain the device.
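The shared-IP warning above is worth checking before you click Contain, because enforcement follows the IP address. The following Advanced Hunting (KQL) query is an added example, not the prepopulated query the portal links to and not Microsoft's code. It assumes the DeviceNetworkInfo schema as documented for advanced hunting (Timestamp, DeviceId, DeviceName, MacAddress, NetworkAdapterStatus, and IPAddresses as a JSON array of objects with an IPAddress field); the address 10.1.20.57 and the 7-day window are placeholders you would replace with the IP shown on the contain dialog and your own lookback period.

```kql
// Added example (not the portal's prepopulated query): list every device that has
// reported the IP address you are about to contain, so a shared or reused address
// is visible before the block is applied. Schema assumptions are described above.
let TargetIp = "10.1.20.57";   // placeholder: the IP shown in the Contain dialog
let LookBack = 7d;             // placeholder: how far back to look for the address
DeviceNetworkInfo
| where Timestamp > ago(LookBack)
| where NetworkAdapterStatus == "Up"
// IPAddresses is a JSON array; expand it to one row per assigned address
| mv-expand Entry = todynamic(IPAddresses)
| extend IPAddress = tostring(Entry.IPAddress)
| where IPAddress == TargetIp
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Reports = count()
    by DeviceId, DeviceName, MacAddress, IPAddress
// More than one DeviceId (or MacAddress) in the result means the address is shared
// or was recently reassigned; a single row means only one device reported it.
| order by LastSeen desc
```

If the result shows more than one DeviceId or MacAddress for the address, the block would reach those devices too, so either narrow the lookback to see which device currently holds the address or resolve the conflict with the network team before containing.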