TL;DR: Law firms are pairing microsegmentation, identity segmentation, and RPC firewalling to contain ransomware and lateral movement as detection-heavy models fail, according to Zero Networks and session speakers. The governance lesson is clear: if one compromised system can reach most of the environment, privilege boundaries are too open to defend.
At a glance
What this is: This is a practitioner discussion of how law firms are using microsegmentation, identity segmentation, and automated containment to reduce lateral movement and ransomware blast radius.
Why it matters: It matters because IAM, PAM, and NHI teams all influence where identities can operate, and identity boundaries now shape whether an intrusion becomes a full-scale breach.
By the numbers:
- Only 30% of alerts generated translate to real risk reduction, while a single compromised system typically gives attackers access to 85% of the environment in one hop.
- Ransomware is up about 100% since 2024, and breaches reported globally have climbed 660% since 2021.
👉 Read Zero Networks' analysis of law firm network security, microsegmentation, and automation
Context
Law firm security teams are dealing with a problem that traditional detection-first models do not solve well: once an attacker is inside, broad trust and open east-west paths let compromise spread quickly. In this setting, microsegmentation is not just a network control, but an identity governance issue because users, service accounts, and privileged access all determine where movement is possible.
The article frames a familiar legal-sector pressure point. Firms are spending more on technology while also facing ransomware, regulatory scrutiny, and tight staffing, which makes manual containment difficult to sustain. That combination pushes identity-driven containment and automated enforcement to the centre of the discussion.
The key issue is not whether alerts exist. It is whether the environment still allows an identity or workload to pivot into the rest of the estate after the first compromise. For law firms, that makes identity segmentation, PAM enforcement, and protocol-level restriction part of the same control problem.
Key questions
Q: How should security teams reduce lateral movement after an initial compromise in a flat network?
A: Security teams should reduce reachable paths first, then tune detection around the smaller attack surface. Microsegmentation, identity segmentation, and protocol filtering limit where an attacker can move after the first foothold. If the environment still allows broad east-west access, EDR and SIEM can confirm compromise but cannot prevent the next hop.
Q: Why do service accounts increase breach blast radius when they are not tightly scoped?
A: Service accounts increase blast radius because they often have persistent access across multiple systems and are exempt from the normal human login patterns that teams monitor most closely. When those identities are reused widely, an attacker who captures one credential can move laterally without needing fresh access at each step.
Q: What breaks when identity segmentation is not enforced for privileged users?
A: What breaks is the assumption that privileged identities are constrained by role or workstation. Without identity segmentation, a privileged account can often authenticate across far more hosts than intended, which turns one compromise into a broad administrative problem. That is especially dangerous where domain controllers or management servers remain reachable.
Q: Who is accountable when a checked-out privileged credential is used outside its intended scope?
A: Accountability sits with the identity governance process, not just the individual user. If a credential checked out from PAM can still be used broadly on the network, the control boundary is incomplete. Security, IAM, and infrastructure teams must share responsibility for enforcing where that credential can operate.
Technical breakdown
Why detection-first security fails against lateral movement
Detection tools such as EDR, XDR, and SIEM can identify suspicious activity, but they do not automatically stop an intruder from moving laterally. Once an attacker has initial foothold, the practical advantage shifts to the side that controls reachable paths, permitted protocols, and identity scope. In open enterprise networks, that means one compromised endpoint or credential can become a bridge to many others before an alert is ever acted on. Microsegmentation changes the problem by constraining those paths rather than relying on alert speed.
Practical implication: containment has to be enforced at the network and identity layers before attackers can pivot.
Identity segmentation limits where accounts can log in
Identity segmentation narrows the systems and services an account can reach, which is especially relevant for service accounts and privileged users. In many environments, a service account is created for one workload but remains technically valid across far more systems than it should touch. That is not a password issue alone, but an access-scope issue. When login reach is not constrained, the attacker does not need to steal a new identity after every hop because the original account already crosses too many trust boundaries.
Practical implication: map service-account login rights to actual workload use and remove cross-environment reach.
RPC firewalling closes a high-risk admin protocol path
Remote Procedure Call, or RPC, remains broadly open in many networks because it supports essential services such as Group Policy, DFS, and domain authentication. That openness creates an opportunity for abuse, especially where attackers seek domain controller access and directory replication operations. Protocol-layer enforcement lets teams keep RPC available while filtering the functions that enable high-impact abuse, such as DC sync activity. This is a narrower and more durable control than trying to detect every malicious use after the fact.
Practical implication: control high-risk RPC functions explicitly, rather than leaving the protocol broadly open.
Threat narrative
Attacker objective: The attacker wants to turn one compromised system or account into broad domain access, then extract data, deploy ransomware, or take control of directory services.
- Entry begins when an attacker gets a foothold on a reachable endpoint or account in an open enterprise network.
- Escalation occurs when the attacker uses overly broad identity reach or unsegmented east-west paths to pivot into higher-value systems.
- Impact follows when the attacker reaches domain controllers or adjacent systems and can copy credentials, move laterally, or execute ransomware at scale.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity segmentation is now a governance control, not a network add-on. When accounts can log in almost everywhere, the real failure is not the firewall policy but the identity model that permits that reach. Law firms cannot treat service accounts and privileged users as isolated technical exceptions because their movement rights define breach blast radius. The practical conclusion is that identity scope has become part of containment architecture.
Detection-heavy models assume defenders can react faster than attackers can move. That assumption is too optimistic in environments where compromise spreads in seconds or minutes across open internal paths. The article reinforces a broader pattern we see across high-value sectors: alerting without enforced containment leaves the attacker in control of the next hop. Practitioners should treat lateral movement resistance as a primary design goal.
RPC is a classic example of hidden governance debt in enterprise estates. It remains necessary for legitimate operations, which is exactly why it becomes an attacker shortcut when left broadly open. The control problem is not protocol elimination but precise restriction of dangerous functions such as DC sync. Teams should view protocol-layer enforcement as a way to preserve business operations while removing high-impact abuse paths.
Automation changes the economics of segmentation more than the security theory. Manual policy creation has historically kept many organisations from enforcing the controls they already understood in principle. The significance here is that automated policy learning makes it possible to scale containment across workstations, servers, and service accounts without requiring a large operations team. The practitioner takeaway is that controls once considered too hard to maintain are becoming operationally feasible.
Law firms expose a broader NHI problem that many IAM teams underestimate. Service accounts checked out from PAM, then used on endpoints or reused outside their intended scope, create a quiet privilege expansion path. That is an NHI governance issue as much as a network issue because the account, its scope, and its runtime use are tightly coupled. The field should stop treating machine and service identities as separate from segmentation strategy.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting only partial visibility.
- For a deeper lifecycle angle, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs, which connects provisioning, rotation, and offboarding to runtime containment.
What this signals
Identity-driven containment is becoming the practical test for whether zero-trust ideas have reached the real network. The immediate signal for practitioners is that segmented reach matters more than broader detection coverage when a compromise occurs. Teams that still rely on visibility alone should expect their blast radius to stay too large to manage.
Law firms should expect their identity and network roadmaps to converge. Service-account governance, privileged access, and host segmentation are no longer separate projects when lateral movement is the threat model. The faster route is to define which identities may operate on which systems, then enforce that boundary with automation and policy learning.
With 85% of organisations lacking full visibility into OAuth-connected vendors according to The State of Non-Human Identity Security, the wider identity lesson is clear: hidden trust relationships are usually the first place containment fails.
For practitioners
- Map identity reach before you segment networks Inventory where human users, service accounts, and privileged accounts can log in today, then identify systems that should never accept those identities. Use the map to drive containment boundaries instead of retrofitting them after deployment.
- Constrain service-account login scope to workload reality Review every service account for cross-host and cross-segment reach, then remove login rights that are not required for the specific workload. Service accounts should not be usable as general-purpose administrative identities.
- Block dangerous RPC functions while preserving necessary traffic Leave RPC available only where required, but filter the specific operations that enable directory replication and domain controller abuse. This reduces breakage while removing a high-value attacker path.
- Automate containment policy learning for low-criticality assets first Use automation to learn safe traffic patterns on workstations and non-critical servers before extending tighter blocking rules. That reduces manual policy burden and creates a faster path to broad blast-radius reduction.
- Align PAM checkout with endpoint enforcement If a privileged credential is checked out from PAM, enforce where that credential can be used on the network and on which hosts it can authenticate. A checked-out credential should not automatically become a roaming administrative identity.
Key takeaways
- Detection can confirm compromise, but it does not prevent lateral movement when internal access paths remain wide open.
- Identity scope now determines containment quality, especially for service accounts, privileged users, and checked-out credentials.
- Automation makes microsegmentation and protocol filtering operationally viable for lean teams, which changes what security baselines are realistic.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0006 , Credential Access; TA0040 , Impact | The article centres on attacker pivoting, credential abuse, and ransomware impact. |
| NIST CSF 2.0 | PR.AC-4 | Identity and least-privilege enforcement are central to segmentation and login scope. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege directly supports the article's account containment model. |
| NIST Zero Trust (SP 800-207) | Zero Trust principles align with segmented access and continuous enforcement. | |
| CIS Controls v8 | CIS-6 , Access Control Management | The article's focus on account scope and lateral movement aligns with access control management. |
Map exposed identity paths to ATT&CK tactics and reduce the reachable set before the attacker can pivot.
Key terms
- Microsegmentation: Microsegmentation is the practice of dividing internal networks into tightly controlled zones so workloads, users, and services can only communicate where explicitly allowed. In practice, it reduces lateral movement by shrinking the paths an attacker can use after initial compromise.
- Identity Segmentation: Identity segmentation restricts where an identity can authenticate and what systems it can reach. For non-human and privileged identities, it is a governance control as much as a technical one, because the login scope of the account defines how far compromise can spread.
- RPC Firewall: An RPC firewall filters specific Remote Procedure Call functions rather than simply leaving the protocol open or closed. That matters because many enterprise services depend on RPC, but attackers can abuse a small subset of functions to escalate access or replicate directory data.
- Identity Blast Radius: Identity blast radius is the amount of infrastructure that becomes reachable when one identity, credential, or host is compromised. It is a practical measure of containment quality, showing whether access design limits an incident to a small boundary or lets it spread widely.
What's in the full article
Zero Networks' full article covers the operational detail this post intentionally leaves for the source:
- How Cravath approached host-based firewall modernisation across workstations and non-critical servers.
- The practical role of automated policy learning in reducing manual rule creation and tuning.
- Why service-account segmentation and RPC firewall functions expanded the project beyond standard network segmentation.
- The specific implementation considerations behind identity-driven microsegmentation in a legal-sector environment.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org