TL;DR: Attackers are reaching lateral movement in 29 minutes on average, with 82% of detections now malware-free and 90% of ransomware breaches involving RDP abuse, according to CrowdStrike, CrowdStrike, and Sophos. The real control problem is not detection alone but restricting east-west paths so a foothold cannot become enterprise-wide compromise.
At a glance
What this is: This is an analysis of nine lateral movement techniques attackers use after initial access, with network-level containment framed as the decisive control gap.
Why it matters: It matters because identity and access teams must understand how stolen credentials, remote admin tools, and trusted protocols let attackers turn one compromised system into broad internal access.
By the numbers:
- 29 minutes : Average eCrime breakout time from initial access to lateral movement, 65% faster than the prior year (CrowdStrike 2026 Global Threat Report)
- 82% : Percentage of detections that are malware-free, with attackers using valid credentials and trusted tools (CrowdStrike 2026 Global Threat Report)
- 90% : Percentage of ransomware breaches involving RDP abuse (Sophos 2024 Active Adversary Report)
- 30% : Data breaches involving a third-party vector, double the prior year (Verizon 2025 DBIR)
👉 Read Elisity's analysis of nine lateral movement techniques and containment paths
Context
Lateral movement is the stage where an attacker stops being a single compromised endpoint problem and becomes a network-wide identity problem. Once a phished credential, exposed remote access path, or compromised vendor connection lands an adversary inside, the question is no longer whether they got in, but how far their access can spread.
That makes lateral movement a direct concern for IAM, PAM, and identity architecture teams, not just network defenders. The article’s central claim is that internal trust assumptions, broad east-west access, and over-permissive admin paths are what let one foothold turn into domain-wide impact.
The technical issue is simple in plain English: if too many systems can talk to too many other systems, an attacker only needs one valid path to start moving. Identity-aware segmentation, constrained admin pathways, and service-specific access scoping are what change the attacker’s math.
Key questions
Q: What breaks when lateral movement paths are not tightly controlled?
A: When east-west access is too broad, one compromised credential can reach many systems without needing new exploits. Valid admin tools, remote service channels, and trusted protocols then become the attacker’s transport layer. The result is faster spread, harder containment, and a much larger blast radius than the original foothold suggests.
Q: Why do attackers prefer lateral movement over noisy exploit chains?
A: Lateral movement often uses legitimate credentials and trusted tools, which makes it blend into normal administration. That reduces detection pressure and increases speed. If an environment allows broad SMB, RDP, SSH, or PowerShell reach, attackers can move with very little friction after the first compromise.
Q: How do security teams know whether segmentation is actually reducing risk?
A: They should measure whether compromised identities can still reach sensitive tiers, admin ports, and third-party entry points. If a workstation or service account can still initiate unnecessary internal sessions, segmentation is cosmetic. The right signal is whether attack paths have been removed, not whether the network is neatly drawn.
Q: Who is accountable when compromised vendor access becomes internal movement?
A: The accountable teams are the ones that own third-party access governance, internal segmentation policy, and privileged path approval. Vendor access should not be treated as a one-time onboarding task. If the path remains open after the business need ends, the accountability gap is internal, not external.
Technical breakdown
Pass-the-hash and credential replay across internal networks
Pass-the-hash is a lateral movement technique where attackers use stolen NTLM hashes as proof of identity without recovering the plaintext password. Because the hash itself can satisfy authentication, compromise of one workstation can become reuse on other systems if SMB or WMI paths remain open. This is an identity problem that becomes a routing problem. The attacker does not need to defeat authentication everywhere, only to find reachable systems that will accept the replayed credential.
Practical implication: restrict SMB and WMI connectivity by device identity so a captured hash cannot traverse the internal network.
RDP abuse and interactive remote admin sessions
Remote Desktop Protocol abuse gives an attacker a full interactive session once they obtain valid credentials or brute-force a weak login. Unlike a stealthier exploit, RDP provides the same GUI surface legitimate admins use, which makes the session both powerful and hard to distinguish from normal operations. If RDP is broadly available across the environment, the attacker can pivot quickly from the first foothold to high-value systems without needing an exploit chain.
Practical implication: limit RDP to specific admin workstations and approved targets, and block all other east-west RDP paths.
PsExec, PowerShell, and living-off-the-land movement
PsExec and PowerShell remoting are common because they use legitimate administration channels rather than malware-heavy delivery. PsExec pushes a service binary over SMB and executes it remotely, while PowerShell remoting can run commands across hosts that already trust the initiating system. Attackers prefer these methods because they blend into normal admin traffic. The architectural weakness is not the tool itself but the absence of policy on which systems may use it, to which destinations, and over which paths.
Practical implication: allow remote administration only from designated management systems and deny workstation-to-workstation execution paths by policy.
Threat narrative
Attacker objective: The objective is to expand a single foothold into broad internal control so the attacker can deploy ransomware, steal data, or persist across multiple systems.
- Entry occurs through a phished credential, exposed remote access port, or compromised vendor connection that gives the attacker a valid internal foothold.
- Escalation begins when the attacker reuses trusted credentials or administration protocols such as SMB, RDP, PsExec, SSH, WMI, or PowerShell remoting to reach adjacent systems.
- Impact follows when the attacker chains those movements into broad internal compromise, ransomware deployment, or domain-wide access to sensitive systems and data.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- TruffleNet BEC Attack — Stolen AWS Credentials — TruffleNet BEC campaign compromises 800+ hosts using stolen AWS credentials for business email compromise.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Lateral movement is an identity failure before it is a network failure. The article is right to focus on east-west reach, but the deeper issue is that too many internal architectures still assume any authenticated internal session is trustworthy enough to move. That assumption fails once a single credential, admin path, or vendor connection is compromised. The practical conclusion is that internal trust must be treated as conditional, not implied.
Identity blast radius is the better control lens than perimeter defense. Lateral movement techniques all depend on what the compromised subject can still reach after initial access. If a workstation can touch servers, management ports, and admin shares broadly, the attack surface is already mapped for the adversary. Practitioners should think in terms of blast radius per identity, not just segmentation by subnet.
Standing administrative reach is what attackers monetise fastest. PsExec, RDP, WMI, and SSH all become breach accelerants when broad admin connectivity is available by default. The issue is not that these protocols are unsafe in isolation, but that they are often authorised too widely and too persistently. That creates a durable movement layer that attackers can exploit with valid credentials.
Third-party access becomes a lateral movement problem when vendor paths are not scoped tightly. The article notes compromised vendor connections as an initial foothold, which is exactly where NHI and access governance intersect with network containment. If third-party access is not time-bound, path-bound, and device-bound, it becomes a bridge into the internal estate. Security teams should treat vendor connectivity as an identity boundary, not a convenience feature.
Microsegmentation only works when it is aligned to real identity and protocol behaviour. Broad VLANs do not stop attacker movement because they mirror organisational convenience rather than attack paths. A meaningful policy model has to distinguish which identities may initiate SMB, RDP, SSH, or PowerShell remoting, and under what conditions. That is an identity governance decision expressed in network terms.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
- For a deeper breach lens, compare that pattern with The 52 NHI breaches Report, which maps real-world identity failures across service accounts, secrets, and access governance.
What this signals
Identity blast radius: lateral movement is best managed as a policy problem that follows identity, not just a detection problem that follows traffic. If internal admin paths remain broad, the attacker’s job is already half done before the SOC sees anything. The architectural priority is to remove unnecessary east-west privileges before an incident tests them.
The practical implication for IAM and PAM programmes is that privileged access cannot be judged only at the point of issuance. It also has to be judged by what the identity can still reach after compromise, especially across SMB, RDP, SSH, and vendor pathways. That shifts the programme from entitlement review to path review.
A useful benchmark from our research is that 72% of organisations have experienced or suspect a breach of non-human identities, which reinforces the scale of identity exposure across modern estates. The forward signal is clear: internal segmentation, credential governance, and lifecycle control now have to be designed together rather than handed off to separate teams.
For practitioners
- Map east-west admin paths by identity Inventory which devices, service accounts, and admin workstations can initiate SMB, RDP, SSH, WMI, and PowerShell remoting today. Treat any path that is not explicitly required as an attack path and remove it from policy.
- Constrain remote administration to dedicated management endpoints Require remote tools such as PsExec, RDP, and PowerShell remoting to originate only from approved management systems. Deny workstation-to-workstation administration paths unless there is a documented operational exception.
- Scope vendor connectivity as a temporary identity boundary Bind third-party access to specific systems, specific time windows, and specific protocols. Offboard vendor paths as aggressively as you would credentials, because compromised vendor access is a direct lateral movement entry point.
- Use identity-aware segmentation to cap blast radius Segment by who or what is communicating, not just where traffic sits on the network. Build policies that block unauthorized SMB, RDP, and SSH flows even when credentials are valid.
Key takeaways
- Lateral movement is the phase that turns isolated compromise into enterprise-wide impact, so internal trust assumptions matter as much as perimeter controls.
- The article’s evidence shows attackers increasingly rely on valid credentials and trusted admin tools, which makes broad east-west access a structural weakness.
- The control that changes the outcome is identity-aware segmentation that limits which identities can reach which systems, over which protocols, and for how long.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | The article centers on credential reuse and lateral movement techniques. |
| NIST CSF 2.0 | PR.AC-4 | Identity-aware access control is the core defensive theme here. |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow enforcement directly matches microsegmentation controls. |
| NIST Zero Trust (SP 800-207) | The post aligns with continuous verification and no implicit internal trust. | |
| CIS Controls v8 | CIS-6 , Access Control Management | The article is fundamentally about controlling who can reach what internally. |
Map exposed internal paths to TA0006 and TA0008, then remove unnecessary routes between compromised and sensitive systems.
Key terms
- Lateral Movement: Lateral movement is the phase of an intrusion where an attacker shifts from the first compromised system to other systems inside the environment. It succeeds when internal trust, broad connectivity, or reused credentials let one foothold become many. The goal is usually access expansion, persistence, or staging for impact.
- Identity-aware Segmentation: Identity-aware segmentation is the practice of restricting internal traffic based on verified identity, role, or device posture rather than only on network location. It reduces attack paths by deciding which subjects may initiate specific protocols to specific destinations. For lateral movement, this is a containment control, not just a design preference.
- Living-off-the-land Technique: A living-off-the-land technique uses legitimate administration tools and built-in system functions to carry out attacker actions. Because these tools are normal parts of IT operations, the activity can blend into everyday traffic unless policy and telemetry distinguish approved use from abuse. In lateral movement, that makes trust boundaries critical.
- Blast Radius: Blast radius is the amount of damage a compromised identity, host, or control failure can spread across the environment. In practice it is defined by reachable systems, available protocols, and persistence of privilege. Lowering blast radius means reducing what an attacker can touch after the first compromise.
What's in the full article
Elisity's full blog covers the operational detail this post intentionally leaves for the source:
- The article walks through all nine lateral movement techniques with ATT&CK mappings and network-level defence examples.
- It gives protocol-specific containment guidance for SMB, RDP, SSH, WMI, and PowerShell remoting.
- It explains how to design segmentation policies around device identity, not just network location.
- It includes practical examples of what to block, what to allow, and where common enterprise assumptions fail.
👉 Elisity's full post maps the attack paths, protocol behaviour, and network controls in more detail.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org