Microsoft helps prevent lateral movement from compromised unmanaged devices (Security News, June 2022)
A new feature in Microsoft Defender for Endpoint can make it more difficult for attackers to perform lateral movement within company networks, as it allows admins to prevent traffic flowing to and from unmanaged devices that have been compromised.
"While devices enrolled in Microsoft Defender for Endpoint can be isolated to prevent bad actors from compromising other devices, responding to a compromised device not enrolled in Microsoft Defender for Endpoint can be a challenge for organizations today," noted Yossi Basha, Principal Product Manager, M365 Defender at Microsoft.
Devices that are not enrolled may include printers, various IoT devices, and even networking devices, although, as Microsoft warns, containing the latter may cause problems.
"This action can help prevent neighboring devices from becoming compromised while the security operations analyst locates, identifies, and remediates the threat on the compromised device," Microsoft adds.
A current limitation of the feature is that blocking incoming and outgoing communication with a "Contained" device can only be performed on onboarded Microsoft Defender for Endpoint Windows 10 and Windows Server 2019+ devices - though the company is working on building out additional platform support.
If a contained device changes its IP address, all Microsoft Defender for Endpoint onboarded devices will recognize this and start blocking communications with the new IP address within 5 minutes.
News URL: https://www.helpnetsecurity.com/2022/06/13/microsoft-prevent-lateral-movement/