By NHI Mgmt Group Editorial TeamPublished 2026-01-28Domain: Cyber SecuritySource: Illumio

TL;DR: The Bank of England’s CBEST Thematic Report found weaknesses across infrastructure, identity and access, network security, detection and response, and staff awareness in UK financial institutions, showing that controls often fail when tested against real attack conditions, according to Illumio. Containment, not control volume, is the deciding variable when attackers can move laterally before defenders detect them.


At a glance

What this is: CBEST 2025 found that UK financial institutions still struggle to turn layered cyber controls into real-world resilience under attack pressure.

Why it matters: For IAM and security teams, the report shows that weak identity enforcement, over-permissioned access, and flat internal networks can collapse containment even when controls look sound on paper.

👉 Read Illumio's analysis of the CBEST 2025 cyber resilience findings


Context

CBEST is a threat-led testing regime that measures how controls behave under simulated attack, not how they look in policy documents. The report matters because it exposes where financial institutions still rely on assumptions about patching, identity enforcement, segmentation, and detection that do not hold in live environments.

The identity angle is direct: insecure password storage, poor service account governance, and weak administrator controls all helped attackers expand access once they were inside. For teams managing IAM, PAM, and NHI governance, the CBEST findings reinforce that access control only matters when it is consistently enforced across human and machine identities.


Key questions

Q: What breaks when identity controls are weak in a flat network?

A: Weak identity controls turn a single compromised account into a broad movement path when the internal network still trusts too much by default. If passwords, permissions, and service accounts are not tightly governed, attackers can escalate privileges and reach critical systems before detection has enough time to work.

Q: Why do service accounts with standing privilege increase lateral movement risk?

A: Service accounts often connect multiple systems and run with permissions that outlast any one task. When those privileges remain standing, attackers who steal the account can reuse that reach to move across environments, impersonate trusted activity, and expand the breach with less friction than a human user account would create.

Q: How do security teams know whether containment controls are working?

A: Containment controls are working only if a compromised account cannot quickly reach critical systems, production workloads, or sensitive data paths. The practical signal is not the number of alerts generated, but whether segmentation, access boundaries, and monitoring can stop movement before the attacker crosses multiple trust zones.

Q: Who is accountable when weak identity governance helps an attacker spread?

A: Accountability usually sits with the teams that own identity policy, access engineering, network segmentation, and operational monitoring, because containment failure is cross-functional. In regulated environments, that also means governance teams must be able to show that access boundaries, privileged accounts, and detection controls were tested, not just documented.


Technical breakdown

Why lateral movement defeats perimeter-first security

Lateral movement is the stage where an attacker uses one compromised system or credential to reach others inside the environment. In CBEST-style testing, the problem is not initial compromise alone, but the ability to reuse trust relationships between workloads, users, and administrative paths. Flat networks, excessive service reachability, and weak separation between development and production all give attackers room to expand without triggering immediate resistance. Once an internal trust path exists, traditional perimeter controls and patch status cannot contain the spread on their own.

Practical implication: Practitioners need internal segmentation and explicit communication controls, not just edge defenses and endpoint tooling.

How weak identity and access control amplifies breach impact

Identity controls failed in CBEST because permissions, passwords, and account handling were not enforced tightly enough to stop escalation. Weak password discipline, plaintext storage, and excessive permissions made administrator and service accounts attractive targets. This is the classic identity governance problem: policy exists, but operational discipline is inconsistent. When human and non-human identities have standing permissions that exceed task need, one stolen account can become a platform for deeper access. In financial services, that turns identity from a control plane into an attack path.

Practical implication: Teams should treat administrator and service account governance as a containment control, not an administrative routine.

Why detection and response miss the real signal

CBEST found that attacks often blended into normal traffic because monitoring was too weak, tuning was too generic, or outbound activity from unmonitored devices went unnoticed. Endpoint detection and response can spot some hostile behaviors, but it cannot reliably stop an attacker moving laterally with valid credentials if the network design still trusts too much by default. That means detection quality is inseparable from architecture. If east-west traffic is opaque and internal trust is broad, alerts arrive after the attacker has already traversed the environment.

Practical implication: Security teams should align EDR, traffic inspection, and segmentation so that detection and containment reinforce each other.


Threat narrative

Attacker objective: The objective is to expand access quietly inside the environment, reach critical services, and limit the defender’s ability to contain or recover from the intrusion.

  1. Entry typically begins through stolen credentials, weak password enforcement, or socially engineered access paths that let the attacker obtain a foothold in a live environment.
  2. Escalation follows when administrator or service account permissions are too broad, allowing the attacker to raise privileges and move laterally across connected systems.
  3. Impact occurs when the attacker reaches critical services, exfiltrates data, or disrupts operations before monitoring and response can contain the spread.

NHI Mgmt Group analysis

CBEST is really a test of containment maturity, not control inventory. Financial institutions often have many of the right tools on paper, yet attackers still move laterally once inside. That gap shows that resilience depends on whether internal trust is bounded in practice, not on how many defensive layers exist. For banking and FMI environments, containment has become the real measure of cyber resilience.

Weak identity enforcement turns IAM into an escalation path. The report’s findings on passwords, plaintext storage, and over-permissioned administrator and service accounts show that identity governance is only effective when it constrains movement, not just access requests. This is where NHI governance matters as much as human IAM, because service accounts and privileged automation often sit on the same trust paths as users. Practitioners should treat every standing credential as a potential breach amplifier.

Cyber fragility in financial services is increasingly a design problem. The report shows that segmentation, traffic inspection, and access boundaries were too porous to contain simulated attackers. That means the field should stop treating detection as the primary answer to breach spread. A resilient architecture limits what can be reached even when identity or endpoint controls fail.

Detection quality does not compensate for excessive implicit trust. CBEST found that attackers could hide in normal-looking traffic and use built-in tools without triggering timely alarms. That is a governance failure as much as a tooling failure, because alerting only works when the environment already enforces narrow trust zones. Practitioners should measure whether internal communications are constrained enough to make malicious movement visible.

Containment debt is the specific failure mode this report exposes. The term captures the accumulation of flat networks, broad permissions, weak account hygiene, and under-tuned detection that lets a small compromise become a systemic event. This is directly relevant to identity governance because the same trust assumptions that weaken IAM also weaken NHI and privileged access control. Teams should map their own containment debt before an attacker does.

What this signals

Containment debt will become a board-level measurement problem. Financial institutions that continue to treat segmentation and identity controls as separate workstreams will struggle to prove resilience under threat-led testing. The practical shift is toward measuring how many internal trust boundaries a compromise can cross before control intervention, with reference to NIST Cybersecurity Framework 2.0 and internal architecture reviews.

Service account governance needs to sit inside resilience planning. CBEST-style findings show that privileged machine and human identities both contribute to breach spread when trust is too broad. That means renewal cycles, credential storage, and offboarding discipline for non-human identities need to be evaluated alongside IAM and PAM controls, not as a separate hygiene task.

The organisations most exposed will be the ones that can detect an event but still cannot stop movement from an initial compromise into critical services. The next maturity step is to combine network inspection, EDR tuning, and identity enforcement so that lateral movement becomes difficult to sustain rather than merely easier to observe.


For practitioners

  • Audit standing privilege across human and service accounts Identify accounts with persistent access to critical services, then remove broad permissions that are not tied to current operational need. Prioritise administrator and service accounts that can traverse multiple environments without additional checks.
  • Segment internal communications around critical services Separate development, production, and high-value systems so a single compromised endpoint cannot reach everything by default. Use explicit allow lists for east-west traffic and review any path that still relies on implicit trust.
  • Tighten credential handling and storage Eliminate plaintext password storage, spreadsheet-based credential sharing, and ad hoc help desk verification paths. Replace them with controlled vaulting, stronger identity checks, and lifecycle rules for privileged access.
  • Tune detection for credential misuse and lateral movement Build alert logic for built-in administrative tooling, unusual account reach, and outbound activity from devices that should not be talking externally. Validate that EDR and network monitoring can spot the behaviours CBEST exercises exposed.
  • Measure containment, not just prevention Run exercises that test whether a compromised account can move from first touch to critical systems before defenders intervene. Track how many trust boundaries an attacker can cross and how long those paths remain open.

Key takeaways

  • CBEST 2025 shows that many financial institutions still have a containment problem, not just a detection problem.
  • Weak identity enforcement, broad internal trust, and poor account hygiene create the conditions for lateral movement to spread before alerts fire.
  • Banks and FMIs need to measure whether a compromise can cross internal trust zones, because that is where real resilience is won or lost.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0004 , Privilege Escalation; TA0006 , Credential Access; TA0008 , Lateral MovementThe report centers on credential misuse and lateral movement after initial compromise.
NIST CSF 2.0PR.AC-4The article highlights weak access governance and excessive permissions.
NIST SP 800-53 Rev 5AC-6Least privilege is directly implicated by over-permissioned accounts and lateral movement.
CIS Controls v8CIS-5 , Account ManagementCredential storage, account hygiene, and privileged account discipline are central issues here.
NIST Zero Trust (SP 800-207)3.1Internal trust and segmentation failures align with zero trust principles.

Map internal movement paths to ATT&CK and prioritise controls that block privilege escalation and lateral spread.


Key terms

  • Containment Debt: The accumulated gap between the controls an organisation believes it has and the boundaries it can actually enforce during an attack. In practice, it shows up as flat networks, broad permissions, weak account hygiene, and monitoring that cannot stop spread once an attacker is inside.
  • Lateral Movement: The process of using one foothold to reach additional systems inside an environment. Attackers rely on trust relationships, reused credentials, and over-permissioned accounts to move quietly from low-value entry points to critical services, making containment and segmentation essential.
  • Threat-Led Testing: A method of testing security controls by simulating realistic attacker behaviour rather than checking policy compliance alone. It is useful because it reveals how systems behave under pressure, where identity controls fail, and whether detection and containment can work in live conditions.
  • Standing Privilege: Access that remains available beyond the immediate task or session that needs it. Standing privilege increases exposure because stolen or misused credentials already have reach, which shortens the time defenders have to respond and makes escalation and lateral movement easier.

What's in the full article

Illumio's full blog covers the operational detail this post intentionally leaves for the source:

  • A deeper walkthrough of how CBEST findings map to breach containment architecture across banking environments.
  • Specific examples of how Illumio positions segmentation against lateral movement in live corporate networks.
  • Additional explanation of the interplay between EDR, monitoring, and internal traffic boundaries.
  • More detail on why the article argues that breach containment should be treated as a resilience control.

👉 Illumio's full blog adds the detailed containment argument and the specific resilience gaps CBEST exposed.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps security practitioners connect identity controls to the operational containment problems that show up in real environments.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org