By NHI Mgmt Group Editorial TeamPublished 2026-01-27Domain: Cyber SecuritySource: ColorTokens

TL;DR: Recent incidents across healthcare, finance, and connected infrastructure show attackers lingering for weeks, moving laterally, and turning trusted internal paths into outage and data-loss events, with one browser operation infecting more than 8.8 million users, according to ColorTokens. The core lesson is that containment, not just detection, determines whether a breach becomes a service shutdown.


At a glance

What this is: This threat advisory argues that lateral movement, not initial access, is the point where healthcare and connected infrastructure incidents become operational crises.

Why it matters: For IAM, PAM, NHI, and security teams, the message is that standing trust and broad internal reach let compromised credentials or footholds turn into downtime, data exposure, and recovery delays.

👉 Read ColorTokens' threat advisory on when hospitals went dark and browsers turned rogue


Context

Lateral movement is the stage where an attacker uses whatever access they already have to travel through connected systems, and that is where many breaches become business-critical. In healthcare and other high-availability environments, the security problem is not only entry, but how long an attacker can stay trusted once inside.

This matters to identity programmes because movement across internal systems is usually governed by credentials, service accounts, and implicit trust between applications. Where those identities are over-permissioned or insufficiently segmented, a single compromise can expand into operational disruption, which is why containment belongs alongside authentication and monitoring in the control model.


Key questions

Q: What fails when attackers can move laterally inside healthcare networks?

A: What fails first is the assumption that internal access is trustworthy. Once an attacker can reuse valid paths between systems, detection alone is too late to prevent service disruption, backup compromise, or data exposure. The control gap is usually broad internal reach, which is why containment and privilege scope matter as much as perimeter defence. See also the 52 NHI Breaches Report for related compromise patterns.

Q: Why do service accounts and shared credentials increase breach impact?

A: Service accounts and shared credentials often have broader reach than individual users, so a single compromise can unlock many systems before anyone notices. That increases attacker mobility and makes incident response slower. Organisations should minimise shared access, scope each identity tightly, and review whether non-human identities can move between unrelated environments. The Salesloft OAuth token breach is a useful example of token abuse expanding blast radius.

Q: How can security teams know if containment controls are actually working?

A: They should test whether an initial foothold can reach critical systems, not just whether alerts fire. Useful signals include blocked east-west traffic, failed attempts to use unrelated service accounts, and reduced reachable surface during an exercise. If an attacker can still pivot across segments after discovery, containment is not effective enough. The 52 NHI Breaches Analysis is a useful benchmark for repeated failure patterns.

Q: Who is accountable when lateral movement leads to downtime and data loss?

A: Accountability usually sits across security, infrastructure, IAM, and operations because lateral movement exploits trust paths owned by all of them. Security teams own detection and containment, IAM owns privilege scope and credential lifecycle, and operations owns segmentation and recovery design. Frameworks such as NIST CSF and NIST SP 800-53 both support this shared responsibility model.


Technical breakdown

How lateral movement turns a foothold into operational outage

Lateral movement occurs when an attacker uses one compromised system, account, or trusted channel to reach another. In flat or weakly segmented environments, internal authentication and open network paths let the attacker pivot with little resistance. That is why dwell time matters: every additional day increases the chance of reaching clinical systems, file shares, backups, or third-party connections. In healthcare, the real damage often comes from the attacker’s ability to traverse trusted boundaries after initial compromise, not from the first infection itself.

Practical implication: isolate critical workloads and reduce trust paths so one compromised host cannot reach the rest of the environment.

Why misused identities extend attacker reach

Once attackers obtain valid credentials, they often look like legitimate traffic to internal systems. Service accounts, shared logins, and over-broad application permissions are especially useful because they can unlock multiple systems without triggering obvious failures. This is where IAM and PAM intersect with incident containment: if identities remain valid across many systems, the attacker can keep moving even after the original entry point is discovered. In healthcare environments, that creates a direct path from a single foothold to patient systems and operational disruption.

Practical implication: tighten privilege scope, remove shared access, and validate that non-human identities cannot traverse unrelated systems.

Microsegmentation as a containment control, not just a network design choice

Microsegmentation limits which workloads, users, and services can talk to one another, turning east-west movement into a controlled exception rather than an assumed default. It is especially relevant where legacy systems, medical devices, or third-party platforms must coexist with modern infrastructure. The key idea is not perfect isolation, but deliberate choke points that slow or stop attacker progress. In breach conditions, containment buys time, keeps recovery bounded, and prevents a compromise from becoming an enterprise-wide shutdown.

Practical implication: map critical paths and enforce default-deny rules between high-value segments.


Threat narrative

Attacker objective: The attacker’s objective is to expand a single compromise into broad operational disruption, data exposure, and a slower recovery cycle.

  1. Entry began with an initial compromise inside a connected environment, after which the attacker established a foothold that could be used to probe trusted internal paths.
  2. Escalation happened through continued internal movement, with valid access and open pathways allowing the attacker to reach additional systems without immediate containment.
  3. Impact followed when the attacker’s reach extended into operational environments, causing service disruption, cancelled procedures, and prolonged recovery efforts.

NHI Mgmt Group analysis

Lateral movement is the control failure that converts a security incident into an availability incident. The article shows that once attackers can move between internal systems, the question stops being whether intrusion occurred and becomes how far operations are disrupted. That is a containment problem, not just a detection problem. In identity terms, the root issue is that trust persists after compromise, which is why segmentation and privilege scope must be treated as first-class controls.

Standing internal trust is the named concept this report exposes. Internal systems continue to authenticate one another, even when the source of trust has already been compromised. That creates a governance gap where credentials remain valid long enough for attackers to exploit them at scale. Practitioners should treat every persistent trust relationship as a potential blast-radius multiplier.

Healthcare resilience now depends on identity-aware containment, not perimeter assumptions. The report’s examples show that email, browsers, vendors, IoT, and core systems can all become movement paths once inside trust is established. This aligns with OWASP-NHI thinking as well as microsegmentation principles in broader security architecture. The practical conclusion is that programmes need to map which identities and pathways can actually move laterally, then narrow them before an incident tests the design.

Third-party and platform connectivity make lateral movement a governance issue, not just an operations issue. When shared services and vendor-connected environments are in play, a breach in one domain can quickly affect another organisation’s availability and data exposure. That pushes identity governance into the centre of resilience planning. Practitioners should review cross-domain access and recovery assumptions together, rather than as separate teams or separate plans.

Detection without containment still leaves organisations exposed to prolonged dwell time. The cases described in the advisory show that attackers can remain active long enough for damage to accumulate even when alerts eventually arrive. That means response metrics should include how quickly east-west movement is restricted after detection, not only how quickly the first alert fires. The field should measure containment speed as a core security outcome.

What this signals

Standing trust is the real resilience problem. Once an attacker can reuse internal identities and routes, the programme’s security posture is measured by how quickly movement is blocked, not how quickly the first alert arrives. That shifts priority toward segmentation, tighter identity scope, and recovery design that assumes the attacker is already inside.

The most useful operational metric is reachable blast radius, not just incident count. If a compromised account or foothold can still reach critical workloads, then the environment has not meaningfully reduced attack surface. Teams should validate this against identity lifecycle controls and map high-risk trust paths before the next disruption tests them.

Healthcare and connected infrastructure now need containment controls that are explicitly identity-aware. Service accounts, vendor access, and application-to-application trust can all become lateral movement channels, so the programme must align IAM, PAM, and network segmentation rather than treating them as separate workstreams.


For practitioners

  • Map east-west trust paths Identify which workloads, shared services, and non-human identities can talk to one another without a business need, then remove every unnecessary route across critical segments.
  • Constrain non-human identities to task scope Review service accounts, tokens, and application credentials to ensure they cannot authenticate beyond the systems they were created for, especially in clinical and recovery environments.
  • Default-deny internal movement Use microsegmentation to block broad lateral traffic and allow only the ports, protocols, and destinations required for specific services and workflows.
  • Test containment before the next incident Run exercises that assume an attacker is already inside and measure whether segmentation, privilege restrictions, and isolation controls actually stop progression.

Key takeaways

  • The article shows that lateral movement, not initial compromise, is what turns a breach into a shutdown.
  • Extended dwell time and trusted internal access give attackers the reach needed to disrupt care, payments, and recovery.
  • Identity scope and containment controls are the practical levers that limit how far a compromise can spread.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0008 , Lateral Movement; TA0040 , ImpactThe article centres on lateral movement leading to outage and disruption.
NIST CSF 2.0PR.AC-4The advisory highlights excessive internal trust and weak access restrictions.
NIST SP 800-53 Rev 5AC-4Information flow control is central to stopping east-west spread.
CIS Controls v8CIS-12 , Network Infrastructure ManagementNetwork segmentation and traffic control are the core defensive theme.
NIST Zero Trust (SP 800-207)Zero Trust principles fit the article’s assumption-breach containment model.

Map internal pivot paths to ATT&CK and close the routes that let one foothold reach critical systems.


Key terms

  • Lateral Movement: Lateral movement is the stage of an intrusion where an attacker uses one compromised asset to reach others inside the environment. It usually relies on valid credentials, open network paths, or trusted application relationships, and it is often the point where a contained incident becomes an enterprise-wide problem.
  • Microsegmentation: Microsegmentation is the practice of dividing environments into smaller trust zones and limiting traffic between them to what is explicitly required. In breach containment, it reduces the attacker’s ability to pivot after initial compromise and can materially shrink the blast radius of a security incident.
  • Blast Radius: Blast radius is the amount of damage an attacker can cause after gaining initial access. It is shaped by privilege scope, network reach, identity trust, and segmentation quality, and it is a more useful resilience measure than raw alert volume when assessing containment maturity.
  • Standing Trust: Standing trust is the condition in which systems, applications, or identities continue to trust one another by default over time. When that trust is not tightly scoped or revalidated, a single compromise can spread much farther than the original foothold, especially in flat or highly connected environments.

What's in the full article

ColorTokens' full threat advisory covers the incident timelines, indicators, and sector-by-sector operational detail this post intentionally leaves at a higher level:

  • Timeline breakdowns showing how long attackers remained active in each named healthcare case
  • Specific indicators and behaviours used to distinguish early intrusion from later lateral movement
  • Sector comparisons across healthcare, finance, and connected infrastructure to show where blast radius expands fastest
  • Technical recommendations for segmenting medical devices, IoT systems, and shared platforms

👉 ColorTokens' full advisory covers the incident timelines, affected sectors, and containment recommendations in more operational detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity controls to containment, lifecycle discipline, and operational resilience.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org