Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

F5 breach analysis: what it means for containment and lateral movement


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: The F5 breach, attributed to UNC5221, showed that attackers can enter product-development environments, steal source code and vulnerability details, and still leave defenders with only partial visibility into internal movement, according to Illumio. The case underlines that containment, segmentation, and east-west traffic visibility now matter as much as edge defence.

NHIMG editorial — based on content published by Illumio: Cyber Resilience Inside the F5 Breach: What It Teaches Us About State-Sponsored Cyberattacks

Questions worth separating out

Q: What breaks when attackers get one internal foothold in a segmented environment?

A: Segmentation fails when internal relationships are not continuously enforced or monitored.

Q: Why do state-sponsored attackers create such a difficult containment problem?

A: They are often patient, stealthy, and well-resourced, so they can blend in with legitimate internal activity and wait for defenders to misread the signals.

Q: How can security teams know whether east-west visibility is good enough?

A: A useful test is whether the team can explain unexpected workload relationships, not just list alerts.

Practitioner guidance

  • Tighten east-west visibility Instrument internal workload-to-workload traffic across subnets, VPCs, and VNets so abnormal remote-access or transfer patterns are visible before they become an incident.
  • Pre-authorise workload quarantine Set up one-step isolation for high-risk workloads so responders can cut off suspicious systems without waiting for manual firewall or orchestration changes.
  • Review remote-access tool usage Audit SSH, RDP, Rustdesk, and similar tools for baseline drift, unexpected destinations, and access paths that bridge sensitive environments.

What's in the full article

Illumio's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step use of the Insights hub to review malicious IP connectivity and suspicious external destinations.
  • Examples of how the resource graph is used to trace east-west traffic across workloads, VPCs, and VNets.
  • A containment workflow built around the Quarantine button for isolating a compromised workload.
  • How the Insights Agent generates investigation reports mapped to MITRE ATT&CK.

👉 Read Illumio's analysis of the F5 breach and containment lessons →

F5 breach analysis: what it means for containment and lateral movement?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Perimeter defence is now a partial control, not a containment strategy. The F5 breach reinforces a pattern NHIMG has seen repeatedly: once an attacker is inside a trusted environment, edge controls stop being the decisive boundary. The real control question becomes whether teams can see internal movement, identify risky service relationships, and cut off spread before secondary assets are touched. Practitioners should treat east-west visibility as a core operating requirement, not an enhancement.

A question worth separating out:

Q: Who is accountable when lateral movement leads to a breach?

A: Accountability sits with the teams that own internal access, privileged identity governance, and containment controls, not only with detection operations. If service accounts, admin pathways, or workload identities can move freely across the environment, the governance failure is structural. A breach caused by lateral movement usually reflects shared ownership gaps across IAM, PAM, and network security.

👉 Read our full editorial: F5 breach analysis exposes the limits of perimeter defense



   
ReplyQuote
Share: