Microsoft Defender for Endpoint Blog

Prevent compromised unmanaged devices from moving laterally in your organization with “Contain”

Yossi Basha, Microsoft
Jun 09, 2022

71% of human-operated ransomware cases are initiated from an unmanaged device, usually internet-facing, that is compromised and then used to move laterally and compromise more devices. Starting today, when a device that is not enrolled in Microsoft Defender for Endpoint is suspected of being compromised, a SOC analyst can “Contain” it. Once contained, every device enrolled in Microsoft Defender for Endpoint blocks all incoming and outgoing communication with the suspected device.


While devices enrolled in Microsoft Defender for Endpoint can be isolated to prevent bad actors from compromising other devices, responding to a compromised device not enrolled in Microsoft Defender for Endpoint can be a challenge for organizations today, especially where:

  • Without Network Access Control enforcement, isolating an IoT device requires physical access.
  • Locating the device and its owner may take time.
  • Closing the loop between the SOC analyst who identifies the threat and the network or IT team that remediates it takes time; in many cases the device has already compromised others by then.

Microsoft has made significant efforts to create visibility into devices that are unknown to the organization (see https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909), and we’re happy to announce a new response action that provides the ability to “Contain” devices that are not enrolled.

Fig. A – Contain device option in the device response action menu.

Fig. B – Illustration of enrolled Microsoft Defender for Endpoint devices blocking communication to/from an unmanaged device.

Note: Only devices running Windows 10 and above perform the Contain action; that is, only enrolled devices running Windows 10 and above will block “contained” devices at this time. Stay tuned as we continue to build out additional platform support for this feature.

Additional information on how the Contain feature works:

  • If a contained device changes its IP address, all devices enrolled in Microsoft Defender for Endpoint recognize the change and start blocking communication with the new IP address; the original IP address is no longer blocked (it may take up to 5 minutes for the change to take effect).
  • The Role Based Access Control (RBAC) permissions required to contain devices are the same as for device isolation: any admin who can isolate a device can perform a “Contain” action.
  • If the contained device’s IP address is also used by another device on the network, a warning is shown while containing, with a link to advanced hunting (with a prepopulated query). This gives visibility into the other devices using the same IP so you can make a conscious decision whether or not to contain the device.
  • If the contained device is a network device, a warning appears that containing it may cause network connectivity issues (for example, containing a router that is acting as a default gateway); at that point you can choose whether or not to contain the device.
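To make the mechanics above concrete, here is an added example, not code from this post or from Microsoft Defender for Endpoint, that models the behaviour the bullets describe over a constructed inventory: Contain is keyed on the device rather than on an address, enrolled devices drop traffic to and from the contained device's current IP addresses, an IP change moves the block to the new address and releases the old one (so a device that later inherits the old IP is not cut off), and a pre-check surfaces the two warnings the post mentions, a shared IP and a default gateway. Device names, IP addresses and all function names are assumptions made for the illustration; the real product enforces this inside the Defender sensor, not through code like this.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Device:
    """One row of a (constructed) device inventory."""
    device_id: str
    ips: set[str]
    default_gateway: str | None = None


@dataclass
class ContainState:
    contained: set[str] = field(default_factory=set)    # device IDs under Contain
    blocked_ips: set[str] = field(default_factory=set)  # IPs enrolled devices currently drop


def precheck(inventory: dict[str, Device], device_id: str) -> list[str]:
    """Warnings an analyst should see before confirming Contain on device_id:
    another device sharing an IP (it would be cut off too) and gateway status."""
    target = inventory[device_id]
    warnings: list[str] = []
    for other in inventory.values():
        if other.device_id == device_id:
            continue
        shared = target.ips & other.ips
        if shared:
            warnings.append(
                f"{device_id} shares IP {sorted(shared)} with {other.device_id}; "
                "that device would be cut off as well"
            )
    gateways = {d.default_gateway for d in inventory.values() if d.default_gateway}
    if target.ips & gateways:
        warnings.append(f"{device_id} is a default gateway; Contain may break connectivity")
    return warnings


def reconcile(state: ContainState, inventory: dict[str, Device]) -> tuple[set[str], set[str]]:
    """Bring blocked_ips in line with the contained devices' *current* IPs.
    Returns (newly_blocked, unblocked) so an enrolled device can apply the delta."""
    desired: set[str] = set()
    for dev_id in state.contained:
        desired |= inventory[dev_id].ips
    newly_blocked = desired - state.blocked_ips
    unblocked = state.blocked_ips - desired
    state.blocked_ips = desired
    return newly_blocked, unblocked


def is_allowed(state: ContainState, src_ip: str, dst_ip: str) -> bool:
    """Filter an enrolled device applies: drop traffic in either direction with a blocked IP."""
    return src_ip not in state.blocked_ips and dst_ip not in state.blocked_ips


def demo() -> dict:
    """Walk through contain, IP change, IP reuse by another device, and release."""
    # Constructed inventory: a router, an enrolled workstation, and an unmanaged printer.
    inventory = {
        "rtr-01": Device("rtr-01", {"10.0.0.1"}),
        "ws-07": Device("ws-07", {"10.0.0.40"}, default_gateway="10.0.0.1"),
        "printer-01": Device("printer-01", {"10.0.0.25"}, default_gateway="10.0.0.1"),
    }
    state = ContainState()
    out: dict = {}
    out["gateway_warnings"] = precheck(inventory, "rtr-01")      # warns: it is the gateway
    out["printer_warnings"] = precheck(inventory, "printer-01")  # no warnings
    state.contained.add("printer-01")
    out["first"] = reconcile(state, inventory)                   # block 10.0.0.25
    out["printer_reachable"] = is_allowed(state, "10.0.0.40", "10.0.0.25")
    # DHCP hands the printer a new lease: the block must follow the device.
    inventory["printer-01"].ips = {"10.0.0.77"}
    out["after_ip_change"] = reconcile(state, inventory)         # block .77, unblock .25
    # A camera later takes the printer's old address: it must not stay blocked.
    inventory["cam-03"] = Device("cam-03", {"10.0.0.25"})
    out["camera_reachable"] = is_allowed(state, "10.0.0.40", "10.0.0.25")
    state.contained.discard("printer-01")                        # release from containment
    out["after_release"] = reconcile(state, inventory)           # unblock .77
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keying the block on the device and re-deriving the address set on every inventory refresh is the same one the first bullet makes: a block list written once by IP goes stale as soon as DHCP moves the suspect, and it silently punishes whichever device inherits the address next.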

How to get started?
For detailed information on this capability, please visit our documentation.

Updated Jun 08, 2022
Version 1.0
  • TakashiVV
    Copper Contributor

    If I am a ransomware payloader, I look for devices that are always on.
    This is because even if managed, devices that operate without humans are more effective as a starting point for attacks.

  • jameslim
    Copper Contributor

    Can I assume that one must first enable Endpoints > Advanced features > Turn on device discovery to have a list of unmanaged devices? Then, when a device is compromised, the unmanaged device can be "contained"?

  • rfoppen
    Copper Contributor

    Does this feature also work on onboarded clients which are configured to run in Passive Mode?

  • AndrewX
    Iron Contributor

    Haha, that was exactly my first thought as well... Where did you pull the 70% statistic from?

    I'm keen to read that research paper.

    A statistic like this almost implies that asset inventories are irrelevant.

  • Reza_Ameri
    Silver Contributor

    This is great improvement and really valuable feature.

    I am wondering whether you have a reference for "71% of human operated ransomware cases are initiated by an unmanaged device"?

    It is a valuable statement, but when, let's say, I want to share it, I need to cite it and give a reference.

    You also mentioned it is for devices running Windows 10 and above. I am wondering whether it supports all builds of Windows 10 or only supported builds of Windows 10?