Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Ransomware spread across flat networks: what security teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Recent incidents across healthcare, SaaS, and OT show attackers moving laterally after initial access, with examples including Harvard, SimonMed, F5, and Allianz Life according to ColorTokens. The practical lesson is that patching and perimeter controls do not stop breach spread when internal segmentation and access boundaries are weak.

NHIMG editorial — based on content published by ColorTokens: Ransomware Protection: Source Code Stolen, Patients Exposed, and Utilities Breached

By the numbers:

Questions worth separating out

Q: What fails when ransomware teams only defend the perimeter?

A: Perimeter-only defence fails when attackers gain a foothold and then move laterally through internal systems that still trust each other.

Q: Why do third-party systems increase breach spread?

A: Third-party systems increase breach spread because organisations often trust the business relationship more than the control environment behind it.

Q: What do security teams get wrong about outsourcing and access control?

A: They often treat third-party access as a one-time approval instead of a lifecycle that includes expiry, review, and offboarding.

Practitioner guidance

  • Contain east-west movement around crown-jewel systems Map the internal paths that let one compromised workload reach patient records, engineering consoles, or identity stores, then isolate those paths with microsegmentation and explicit allow lists.
  • Remove standing trust from third-party SaaS access Review CRM, support, and partner platforms for broad delegation, over-shared roles, and stale vendor access.
  • Eliminate default and shared OT credentials Inventory HMI, ICS, and utility interfaces for default or shared credentials, then replace them with unique administrative accounts and restricted management paths.

What's in the full article

ColorTokens' full blog covers the operational detail this post intentionally leaves for the source:

  • Case-by-case incident notes on the Harvard, SimonMed, F5, Allianz Life, New York smishing, and OT examples.
  • The specific containment recommendations ColorTokens pairs with microsegmentation for healthcare, SaaS, and utility environments.
  • The article's response checklist for patching, exposure reduction, and deception technology in OT networks.
  • The vendor's view on how to prioritise breach-readiness work across mixed IT and industrial estates.

👉 Read ColorTokens' analysis of ransomware spread across healthcare, SaaS, and OT systems →

Ransomware spread across flat networks: what security teams need to fix?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Ransomware containment has become an identity problem as much as a network problem. The article’s examples show that the breach boundary is now defined by who or what can move after initial access, not by the perimeter alone. If privileged paths, vendor trust, and unmanaged administrative interfaces stay broad, segmentation failures become identity failures. Practitioners should treat internal reachability as a governance issue, not only a topology issue.

A few things that frame the scale:

  • Internal repositories are 6x more likely to contain secrets than public ones (32.2% vs 5.6%), according to Guide to the Secret Sprawl Challenge.
  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.

A question worth separating out:

Q: Who is accountable when internal trust enables a breach to spread?

A: Accountability is shared across network security, IAM, and platform owners because internal trust is created by multiple control decisions. Frameworks such as NIST CSF and NIST SP 800-53 expect access and monitoring controls to work together, while Zero Trust principles assume continuous verification. If no team owns east-west exposure, the containment model will drift.

👉 Read our full editorial: Ransomware containment gaps are exposing healthcare and OT systems



   
ReplyQuote
Share: