Mar 29 2023 09:02 AM - edited Mar 30 2023 11:00 AM
For this episode, your opportunity to win a plush ninja cat is the following –
Explain what attack disruption means and one reason why it is critical to any organization.
This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.
Mar 29 2023 09:21 AM
Mar 29 2023 09:28 AM
@HeikeRitter Really helpful to buy some time to investigate if an attack has already started, as most companies don't have 24*7 SOC capability.
Mar 29 2023 09:33 AM
Hey @HeikeRitter , Hello!
Attack disruption to me is a means to buy more time during an ongoing attack in order to:
1) Reach the root cause and/or point of entrance of the attacker &/or
2) Prevent (& hopefully stop) the attacker from creating more havoc by breaking their series of attacks
Although the above points may have explained why it is crucial to any organization, the most important aspect of attack disruption is that it should be automated and in near-real time. It is critical for an organization to be prepared with an attack disruption playbook at all times, and much better to employ tools like Defender which will know when to run the attack disruption playbook!
I hope the ninja cat is impressed by my answer and will come to me!! 😁
Mar 29 2023 11:13 AM
Mar 30 2023 12:04 AM - edited Apr 01 2023 12:38 AM
Hey @HeikeRitter: Attack disruption helps in containing a progressive attack from further expanding; this helps the analysts to have more time for taking remediation steps. Rather than blocking the IOCs, preventing or containing the limits of an adversary's expansion reduces the overall impact of an attack, both financially and in terms of production.
Best,
Praveen A
Mar 31 2023 01:53 AM
Hey @HeikeRitter!
Attack disruption is there to "hit the pause button" on an active attack detected by M365D, buying time for responders or hopefully even stopping damage entirely. The types of automation we expect are device isolation (potentially stopping a device with ransomware from connecting to other devices) and account suspension (potentially stopping an attacker logging into a BEC-impacted identity).
The confidence that it's not a false positive - and therefore why it can be automated - is driven by the correlation of signals across the different M365D pillars. For example, MDE alone raising an alert raises your interest; but correlation to other alerts (in the form of an incident) from MDI, MDO, etc. is what really confirms the need to disrupt the chain of events.
The compelling thing about attack disruption in M365D is its out-of-the-box nature. Organizations with greater resources may already have SIEM/SOAR with custom developed response playbooks, but this lowers the cost (resources, knowledge, staffing) for defenders by acting on their behalf.
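An added illustration of the correlation gate the post above describes (example code written for this thread, not Microsoft's or M365D's own logic): constructed alerts from the MDE, MDI and MDO pillars are grouped into incidents by a shared user entity, and automated containment (device isolation, account suspension) is only proposed when more than one pillar contributes. The alert fields, the user as correlation key and the two-pillar threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample alerts (not real telemetry). Pillar names follow the post.
ALERTS = [
    {"id": 1, "pillar": "MDE", "device": "ws-017", "user": "j.doe", "title": "Ransomware behaviour"},
    {"id": 2, "pillar": "MDI", "device": None, "user": "j.doe", "title": "Suspicious credential use"},
    {"id": 3, "pillar": "MDO", "device": None, "user": "j.doe", "title": "Phishing mail delivered"},
    {"id": 4, "pillar": "MDE", "device": "ws-042", "user": "a.smith", "title": "Suspicious PowerShell"},
]


def build_incidents(alerts):
    """Group alerts into incidents keyed by the user entity they share.

    The user is an assumed correlation key for this toy example; a real
    product correlates on many entity types (devices, mailboxes, IPs, ...).
    """
    incidents = defaultdict(list)
    for alert in alerts:
        incidents[alert["user"]].append(alert)
    return dict(incidents)


def disruption_actions(incident, min_pillars=2):
    """Return containment actions for an incident, or [] if evidence is too thin.

    A single-pillar incident is left for an analyst (raises interest only);
    alerts from at least `min_pillars` distinct pillars are treated as
    corroborated and produce the two automated actions named in the post.
    """
    pillars = {alert["pillar"] for alert in incident}
    if len(pillars) < min_pillars:
        return []
    actions = set()
    for alert in incident:
        if alert["device"]:
            actions.add(("isolate_device", alert["device"]))
    actions.add(("suspend_account", incident[0]["user"]))
    return sorted(actions)


if __name__ == "__main__":
    for user, incident in build_incidents(ALERTS).items():
        print(user, "->", disruption_actions(incident) or "analyst review only")
```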
Apr 05 2023 12:20 AM
Apr 06 2023 05:34 AM
Apr 17 2023 04:45 AM