TL;DR: Breaches in healthcare, telecom, SaaS, and OT show the same pattern, according to ColorTokens: attackers gain entry, move laterally, and then turn access into larger operational and data impact. Containing internal movement, not just blocking initial compromise, is the decisive control in modern breach response.
NHIMG editorial — based on content published by ColorTokens: From Google to Healthcare Giants, how breaches spiral out of control
By the numbers:
- The Change Healthcare ransomware attack hit 192.7 million people, according to the U.S. Department of Health and Human Services.
Questions worth separating out
Q: What fails when lateral movement controls are not in place after a breach starts?
A: When lateral movement controls are weak, one compromised account or workload can reach many others before detection.
Q: Why do service accounts and API keys make breach containment harder?
A: Service accounts and API keys often lack the human controls that limit abuse, such as MFA prompts, clear ownership and natural offboarding events.
Q: How do security teams know if lateral movement defences are actually working?
A: Teams should test whether one compromised identity can reach adjacent systems, SaaS apps, or production zones that it should not access.
Practitioner guidance
- Map internal traversal paths Build an inventory of the routes an attacker could use after first access, including service accounts, delegated SaaS apps, admin remoting paths, and trusted east-west flows.
- Review NHI and privileged identity scope Identify service accounts, API tokens, OAuth grants, and shared admin identities with standing access across multiple zones.
- Validate segmentation against live traffic Test microsegmentation and zone boundaries using real application and administrative traffic patterns, not only documented architecture.
What's in the full article
ColorTokens' full threat advisory covers the operational detail this post intentionally leaves for the source:
- Attack flow diagrams showing how the breaches moved from entry to lateral spread and impact.
- IOC and patch detail for the FortiWeb bypass and the Microsoft GDI+ vulnerabilities referenced in the advisory.
- Environment-specific containment guidance for healthcare, telecom, SaaS, and OT teams that need to operationalise segmentation.
- The advisory’s specific microsegmentation framing for reducing attacker roam paths across mixed estates.
👉 Read ColorTokens' threat advisory on how breaches spiral through lateral movement →
Lateral movement across sectors: what IAM and security teams need to know?
Explore further
Lateral movement is the real breach multiplier, not the initial compromise. Once an attacker can traverse internal trust paths, the cost curve changes from incident response to enterprise-wide containment. That is why healthcare, telecom, SaaS, and OT examples look different on the surface but converge on the same failure mode: unrestricted internal movement. Practitioners should treat east-west containment as a governance control, not a network tuning exercise.
A question worth separating out:
Q: Who is accountable when internal movement turns a small intrusion into a large breach?
A: Accountability is shared across IAM, network security, cloud operations, and incident response because each team controls a different part of the movement path. Frameworks such as NIST CSF and NIST SP 800-53 expect organisations to manage access, monitor anomalies, and respond to compromise as part of one control system.
👉 Read our full editorial: Lateral movement is the multiplier in breaches across sectors