By NHI Mgmt Group Editorial TeamPublished 2026-05-14Domain: Breaches & IncidentsSource: ColorTokens

TL;DR: Recent healthcare, finance, and OT incidents are tied to the same failure pattern: weak segmentation, overbroad vendor access, and long detection gaps that let attackers move further and stay hidden longer, according to ColorTokens. The lesson is that containment now matters as much as prevention, because dwell time and lateral reach define the blast radius.


At a glance

What this is: ColorTokens’ advisory argues that recent ransomware and breach activity keeps exploiting the same mix of flat networks, broad third-party access, and slow confirmation of compromise.

Why it matters: That matters to IAM practitioners because vendor access, privilege scope, and segmentation now shape whether an intrusion becomes a contained event or a broad identity and data exposure.

By the numbers:

👉 Read ColorTokens' advisory on ransomware, critical vulnerabilities, and the security gap


Context

Ransomware response often fails because organisations focus on stopping initial access while ignoring how quickly attackers can move once inside. The article argues that flat healthcare networks, broad vendor access, and long gaps between suspicious activity and confirmed compromise continue to create the conditions for large-scale impact.

For identity and access teams, the core issue is not only malware but who can reach what, through which vendor paths, and with how much standing privilege. That makes segmentation, third-party access governance, and faster compromise confirmation part of the same control problem rather than separate functions.


Key questions

Q: What breaks when vendor access is broader than the job requires?

A: Broad vendor access turns a third party into a direct path to sensitive data and systems. If that access is not tightly scoped, a compromise outside the enterprise can still create enterprise-level impact. Teams should review every vendor entitlement, remove standing access where possible, and tie each connection to a business owner and a documented purpose.

Q: Why do flat networks make ransomware incidents so much worse?

A: Flat networks let attackers move from one compromised host to many internal targets without meeting strong trust boundaries. That increases the chance of data theft, service disruption, and backup compromise. Segmentation, explicit policy enforcement, and restricted east-west traffic reduce the value of the first foothold and limit blast radius.

Q: How do security teams know if breach detection is actually working?

A: They measure how quickly an alert becomes a confirmed compromise assessment, how often the answer is defensible, and whether logs support that conclusion. If teams cannot determine what was accessed within a short operational window, detection may exist, but response readiness is weak. The key signal is investigation speed, not alert volume.

Q: Who is accountable when a vendor-linked breach exposes regulated data?

A: Accountability usually spans the enterprise that holds the data, the business owner of the vendor relationship, and the security team that approved access. Regulatory expectations do not disappear because a contractor was involved. Organisations should define ownership for vendor onboarding, access review, monitoring, and offboarding before an incident occurs.


Technical breakdown

Why flat networks turn ransomware into enterprise-wide impact

Flat internal networks give attackers room to pivot after the first foothold. Once one host is compromised, weak segmentation lets malware reach file shares, backups, email systems, clinical systems, or control infrastructure without having to cross meaningful policy boundaries. In practice, the difference between an intrusion and a major breach is often whether east-west traffic is constrained by workload-level policy, service identity, and explicit trust boundaries. The article’s healthcare examples show that when segmentation is thin, dwell time translates directly into data exposure and operational disruption.

Practical implication: map internal trust zones and apply workload-level microsegmentation before attackers use one compromised system to reach many.

How third-party vendor access expands the attack surface

Vendor access becomes dangerous when it is broader than the job requires or poorly monitored after onboarding. Third parties often connect through remote support paths, shared platforms, or hosted data stores that sit outside the primary security team’s day-to-day visibility. That creates an identity governance problem as much as a network problem, because a vendor account with standing access can become the shortest path to sensitive data even when the internal perimeter holds. The Nissan and bank incidents in the article illustrate that exposure can begin outside the core enterprise while still producing direct business harm.

Practical implication: inventory every third-party access path, then narrow entitlements, session scope, and data reach to the minimum needed for each vendor.

Why the gap between detection and confirmation is so costly

Detection is not the same as breach confirmation. Organisations often see suspicious activity but cannot quickly prove whether data was accessed, moved, or exfiltrated, and that delay stretches response, notification, and regulatory decisions. The longer that uncertainty lasts, the harder it becomes to contain the attacker, preserve evidence, and make defensible statements to regulators and affected parties. In the article, the five-month confirmation delay at Murray County Medical Center shows how operational ambiguity becomes a governance liability.

Practical implication: retain incident response, log preservation, and forensic workflows long enough to close the confirmation gap quickly.


Threat narrative

Attacker objective: The objective is to maximise business leverage by stealing data, disrupting operations, and forcing the organisation into a costly response and disclosure cycle.

  1. Entry begins when an attacker or ransomware group gains a foothold through exposed systems, vendor access, or another weakly controlled entry point.
  2. Escalation follows when flat internal segmentation and broad access paths let the attacker move laterally, reach sensitive systems, and expand the compromise.
  3. Impact occurs when data is exfiltrated, operations are disrupted, or leak-site publication increases legal, financial, and reputational damage.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Flat-network resilience has become a false comfort in ransomware defence. The article shows that once an attacker is inside, segmentation quality determines whether the event stays local or becomes enterprise-wide. That shifts the governance question from perimeter prevention to internal containment. Practitioners should treat lateral movement as a design failure, not an incident surprise.

Third-party access is now an identity governance problem, not just a vendor risk issue. The Nissan and bank examples show that an external partner can hold the path to sensitive records even when the core enterprise is not directly compromised. That means access reviews, entitlement scoping, and offboarding controls must extend to vendors with the same discipline as internal privileged users. Practitioners should assume vendor paths are production access paths.

Detection latency is a control gap, not an unavoidable delay. A five-month gap between suspicious activity and confirmed breach is evidence that many organisations still cannot answer a basic question fast enough: what was accessed, when, and by whom. That is a governance failure because notification, containment, and legal response all depend on it. Practitioners should build for provable compromise, not just alert generation.

Detection-response latency: the time between initial suspicious activity and confirmed breach creates the window in which attackers maximise damage. In sectors with sensitive data and regulated disclosure duties, that window becomes a strategic risk factor. Practitioners should measure how quickly they can convert an alert into a defensible breach determination.

OT and healthcare both show that containment is now a resilience control. The same pattern appears across clinical environments and industrial systems: once internal trust is too broad, attackers can turn one compromise into many business consequences. That means resilience planning must include access boundaries, not only backups and recovery runbooks. Practitioners should align recovery planning with segmentation and vendor access boundaries.

From our research:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, according to The State of Secrets Sprawl 2026.
  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
  • Guide to the Secret Sprawl Challenge is the next step if you need remediation patterns for exposed credentials and CI/CD leaks.

What this signals

Detection latency has become a governance metric, not just an operations issue. In environments where vendors, email platforms, and shared infrastructure hold regulated data, the time needed to confirm compromise now shapes legal exposure and business continuity as much as the attack itself. Teams should track confirmation time alongside mean time to detect, because the two numbers are not the same.

Microsegmentation and vendor access control are converging into one control plane. Once attackers can pivot from a single compromised path into large internal datasets, identity teams and infrastructure teams are protecting the same business boundary. That means access reviews, network segmentation, and third-party governance need shared ownership and shared reporting.

64% of valid secrets leaked in 2022 are still valid and exploitable today, according to The State of Secrets Sprawl 2026. That is a reminder that exposure is only the first problem, because unrevoked credentials keep the blast radius open long after detection.


For practitioners

  • Inventory vendor access paths end to end Document every third-party remote path, hosted platform, and shared data store that can reach sensitive systems, then assign an owner for each one. Include dormant connections and emergency support routes so no vendor path remains outside review.
  • Segment clinical and business networks by trust zone Separate user, server, backup, email, and regulated-data segments so that one foothold cannot freely reach the rest of the environment. Use workload-level policy where possible so east-west movement is explicitly constrained.
  • Shorten breach confirmation workflows Pre-stage forensic tooling, log retention, and incident-response retainers so suspicious activity can be confirmed or ruled out quickly. The goal is to reduce the time between first alert and a defensible breach determination.
  • Limit sensitive data in shared platforms Remove regulated records from email, file shares, and contractor-managed stores unless there is a documented business need. Where sharing is unavoidable, apply access controls, monitoring, and retention rules that match the sensitivity of the data.
  • Monitor leak sites as part of incident handling Track ransomware leak sites for your organisation, vendors, and critical partners so public exposure is detected before notification timelines or media reporting force the issue. Pair that monitoring with clear escalation ownership.

Key takeaways

  • The article’s central warning is that ransomware keeps succeeding where segmentation, vendor governance, and confirmation speed are weak.
  • The evidence spans healthcare, finance, and OT, showing that broad data exposure often follows broad internal trust rather than novel attacker technique.
  • Organisations that cannot contain lateral movement or confirm compromise quickly will keep turning manageable incidents into regulated breaches.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Broad access control and segmentation failures drive the article’s attack patterns.
NIST SP 800-53 Rev 5AC-4Boundary protection is central where attackers pivot through flat networks and third parties.
CIS Controls v8CIS-12 , Network Infrastructure ManagementThe article’s core theme is network containment and segmentation.

Use PR.AC-4 to tighten access boundaries and reduce lateral movement from vendor or user footholds.


Key terms

  • Microsegmentation: Microsegmentation divides networks into tightly controlled policy zones so one compromised system cannot freely reach others. In practice, it limits east-west movement by enforcing workload-level rules around who can talk to what, under which conditions, and for how long.
  • Detection-response latency: Detection-response latency is the time between a security signal and a confirmed, actionable understanding of what happened. Short latency matters because legal response, containment, and evidence preservation all depend on moving quickly from suspicion to certainty.
  • Third-party access governance: Third-party access governance is the set of controls used to approve, scope, monitor, and remove vendor or contractor access to systems and data. It is not just procurement oversight, because poorly controlled vendor access can become a direct path to regulated information and operational disruption.

What's in the full article

ColorTokens' full post covers the operational detail this post intentionally leaves for the source:

  • Version-specific remediation notes for the four critical CVEs mentioned in the advisory
  • Per-incident breakdowns of healthcare and finance breach timelines, including dwell time and disclosure lag
  • Vendor-linked exposure examples that show how third-party data handling turns into breach scope
  • OT-specific attack details on ZionSiphon, including protocol behaviour and containment implications

👉 The full ColorTokens post covers the incident examples, vulnerability details, and mitigation priorities in one place.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity controls to the broader access and containment decisions that shape breach impact.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org