By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ColorTokensPublished August 19, 2025

TL;DR: Breaches in healthcare, telecom, SaaS, and OT show the same pattern, according to ColorTokens: attackers gain entry, move laterally, and then turn access into larger operational and data impact. Containing internal movement, not just blocking initial compromise, is the decisive control in modern breach response.


At a glance

What this is: This is a cross-sector analysis of how breaches escalate through lateral movement, with examples spanning healthcare, telecom, SaaS, and OT.

Why it matters: It matters because identity, access, and segmentation teams need to control post-entry movement, not only initial authentication, across human, NHI, and workload pathways.

By the numbers:

  • The Change Healthcare ransomware attack hit 192.7 million people, according to the U.S. Department of Health and Human Services.

👉 Read ColorTokens' threat advisory on how breaches spiral through lateral movement


Context

Lateral movement is the phase of an intrusion where an attacker uses one compromised foothold to reach other systems, accounts, or data stores. In practice, it often matters more than the initial break-in because it determines whether a contained incident becomes a broad breach across identity, SaaS, cloud, or operational environments.

This article uses recent examples to show that breach severity is often controlled by internal access structure rather than by the original exploit alone. For identity teams, that means account boundaries, delegated access, and workload permissions are part of the containment problem, not just the authentication problem.


Key questions

Q: What fails when lateral movement controls are not in place after a breach starts?

A: When lateral movement controls are weak, one compromised account or workload can reach many others before detection. The result is not just more data exposure, but faster privilege accumulation, ransomware spread, and broader operational disruption. Containment depends on limiting trust paths between systems, identities, and environments after the first foothold appears.

Q: Why do service accounts and API keys make breach containment harder?

A: Service accounts and API keys often lack the human controls that limit abuse, such as MFA prompts, clear ownership and natural offboarding events. If they are overprivileged or poorly tracked, a single leak can create long-lived access across multiple systems. That makes revocation speed, inventory accuracy and least privilege the decisive containment variables.

Q: How do security teams know if lateral movement defences are actually working?

A: Teams should test whether one compromised identity can reach adjacent systems, SaaS apps, or production zones that it should not access. If the answer is yes, segmentation or identity policy is too permissive. Effective controls show up as blocked traversal attempts, rapid isolation, and limited blast radius during simulations.

Q: Who is accountable when internal movement turns a small intrusion into a large breach?

A: Accountability is shared across IAM, network security, cloud operations, and incident response because each team controls a different part of the movement path. Frameworks such as NIST CSF and NIST SP 800-53 expect organisations to manage access, monitor anomalies, and respond to compromise as part of one control system.


Technical breakdown

Why lateral movement turns a small foothold into a major breach

Lateral movement occurs when attackers use valid access, stolen credentials, or trusted application paths to pivot after entry. Once they are inside, they do not need to keep breaking in. They enumerate reachable systems, look for reused trust, and exploit overly broad permissions to expand their reach. In SaaS, that can mean API or app delegation. In enterprise networks, it can mean remote admin paths or shared service accounts. In OT, it can mean trust between zones that was never meant for adversarial use.

Practical implication: limit reachable paths between accounts, systems, and environments so one compromise cannot become a roaming event.

How identity and NHI governance affect post-entry spread

Identity controls shape whether an intruder can move from one system to another without resistance. If human accounts, service accounts, tokens, or OAuth grants have standing privilege, the attacker inherits that trust. NHI is especially important here because machine access is often broader and less reviewed than human access, yet it can open the same downstream systems. When credentials are long-lived, shared, or weakly scoped, segmentation alone may not be enough because the identity layer itself is already overextended.

Practical implication: inventory service accounts, tokens, and delegated app access as part of lateral-movement containment, not as a separate IAM exercise.

Microsegmentation as a control against attacker traversal

Microsegmentation breaks flat trust into smaller zones with explicit policy between them. That does not stop initial compromise, but it can stop an attacker from converting one breached system into many. The control works best when it is paired with identity-aware policy, accurate asset classification, and continuous monitoring of east-west traffic. Without those inputs, segmentation becomes a design diagram rather than an operational barrier. The article’s examples show that once internal movement is easy, breach scale grows quickly across cloud, SaaS, and production environments.

Practical implication: validate east-west restrictions against real attacker paths, not only against architecture diagrams.


Threat narrative

Attacker objective: The attacker’s objective is to turn one initial compromise into broader access, higher-value data theft, service disruption, or ransom leverage.

  1. Entry begins with a foothold such as phishing, a zero-day, social engineering, or another trust failure that gives the attacker valid internal access.
  2. Credential access or trust reuse follows, allowing the attacker to move with stolen tokens, admin rights, delegated app permissions, or weak internal boundaries.
  3. Impact occurs when that movement reaches sensitive data, operational systems, or ransomware leverage points that expand the breach beyond the first compromise.

NHI Mgmt Group analysis

Lateral movement is the real breach multiplier, not the initial compromise. Once an attacker can traverse internal trust paths, the cost curve changes from incident response to enterprise-wide containment. That is why healthcare, telecom, SaaS, and OT examples look different on the surface but converge on the same failure mode: unrestricted internal movement. Practitioners should treat east-west containment as a governance control, not a network tuning exercise.

Identity sprawl and NHI sprawl create hidden movement channels. Service accounts, OAuth grants, API tokens, and shared admin identities often sit outside the review cadence used for human users. That leaves a gap between who authenticated and what can be reached next. For identity programmes, the lesson is to govern machine and delegated access with the same containment logic applied to privileged human access.

Microsegmentation only works when policy follows reality. Static designs rarely match the actual paths attackers take across cloud, SaaS, and hybrid estates. If segmentation rules are built around ownership charts rather than live dependencies, they do not stop traversal when it matters. The practitioner takeaway is to anchor segmentation in observable traffic, not in assumed application boundaries.

Detection-response latency: the time between first anomalous access and meaningful containment is now one of the most important risk variables in breach severity. The shorter that gap, the less likely a single foothold becomes a cross-domain incident. Teams should measure whether identity, SOC, and network controls can interrupt movement before privilege accumulates.

Board reporting should shift from breach counts to containment quality. A programme that records many blocked logins but cannot stop lateral movement is still exposed to large-scale impact. The operational question is not whether intrusion occurs. It is how quickly the enterprise can isolate the path before data, OT, or SaaS trust is abused. Practitioners should report on containment depth, not just perimeter events.

What this signals

Identity programmes need a containment lens, not just an access-review cadence. The breach pattern in this article shows that review workflows are too slow if identities can pivot immediately after compromise. NHI and privileged access teams should measure how quickly a compromise can be isolated, not just how often access is certified.

Secret persistence is the hidden enabler of movement across hybrid estates. If valid credentials remain usable after exposure, adversaries can keep traversing systems long after the original incident was noticed. That is why revocation automation and service account lifecycle controls are now part of breach containment, not only credential management.

Containment quality will increasingly influence risk reporting. Boards and security leaders need evidence that segmentation, revocation, and alerting shorten the path from intrusion to isolation. The practical question is whether a compromised identity can still move laterally after the first control fires.


For practitioners

  • Map internal traversal paths Build an inventory of the routes an attacker could use after first access, including service accounts, delegated SaaS apps, admin remoting paths, and trusted east-west flows. Prioritise the paths that connect identity systems to crown-jewel data and production workloads.
  • Review NHI and privileged identity scope Identify service accounts, API tokens, OAuth grants, and shared admin identities with standing access across multiple zones. Reduce privilege scope and remove unnecessary reach between environments before an attacker can reuse that trust.
  • Validate segmentation against live traffic Test microsegmentation and zone boundaries using real application and administrative traffic patterns, not only documented architecture. Confirm that east-west rules block movement from a compromised user or workload into adjacent systems.
  • Shorten containment decision loops Predefine who can isolate accounts, revoke delegated access, and cut network paths when suspicious movement appears. Align SOC, IAM, and network teams so containment happens before the attacker reaches more privileged systems.
  • Instrument privileged activity for movement signals Monitor for unusual token use, unexpected account hopping, new lateral sessions, and abnormal access to adjacent systems. Use those signals to trigger containment playbooks tied to the systems most likely to amplify impact.

Key takeaways

  • This article shows that breaches become large when attackers can move laterally after entry, not simply because they broke in.
  • The impact evidence is severe, ranging from 192.7 million affected people in healthcare to 6.4 million customers in telecom and millions of SaaS records.
  • Security teams should treat internal movement control, NHI scope, and segmentation quality as primary containment controls.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , ImpactThe article centres on attacker movement after initial access and the resulting impact.
NIST CSF 2.0PR.AC-4Access control and segmentation are central to containing post-entry movement.
NIST SP 800-53 Rev 5AC-6Least privilege is directly implicated when attackers exploit overly broad internal access.
CIS Controls v8CIS-5 , Account ManagementAccount and identity governance is essential where stolen or over-scoped access enables spread.
NIST Zero Trust (SP 800-207)Zero Trust is relevant because it removes implicit trust between internal network zones.

Map internal traversal paths to credential access, lateral movement, and impact techniques, then block them.


Key terms

  • Lateral Movement: Lateral movement is the stage of an attack where an intruder shifts from the first compromised point to other internal systems, identities, or data stores. It usually depends on trust already present in the environment, such as reused credentials, overly broad permissions, or weak segmentation.
  • Microsegmentation: Microsegmentation divides an environment into smaller security zones with explicit rules governing communication between them. It reduces the ability of an attacker to traverse laterally because one compromised host, account, or workload cannot automatically reach everything else.
  • Standing Privilege: Standing privilege is access that remains continuously available rather than being granted only when needed. In breach scenarios, it gives attackers a ready-made path to expand access if they compromise the associated identity, token, or service account.
  • NHI Sprawl: The uncontrolled growth of non-human identities such as service accounts, API keys, OAuth clients, and machine roles. It becomes a governance problem when ownership, purpose, rotation, and decommissioning are unclear, leaving dormant credentials active long after their original use case ends.

What's in the full article

ColorTokens' full threat advisory covers the operational detail this post intentionally leaves for the source:

  • Attack flow diagrams showing how the breaches moved from entry to lateral spread and impact.
  • IOC and patch detail for the FortiWeb bypass and the Microsoft GDI+ vulnerabilities referenced in the advisory.
  • Environment-specific containment guidance for healthcare, telecom, SaaS, and OT teams that need to operationalise segmentation.
  • The advisory’s specific microsegmentation framing for reducing attacker roam paths across mixed estates.

👉 ColorTokens' full article covers the breach examples, containment framing, and remediation detail behind the advisory.

Deepen your knowledge

NHI Mgmt Group’s NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need to connect identity control to broader security containment and lifecycle management.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org