Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Blast radius and lateral movement: what IAM teams should change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: SMB, RDP, WinRM, and RPC accounted for 71% of detected threat activity, according to Zero Networks, which analyzed about 3.4 trillion activities across 400 enterprise environments and found that a single compromised host could reach a median 85% of internal systems in one hop. The real control problem is not detection volume, but limiting reachable access paths before attackers move.

NHIMG editorial — based on content published by Zero Networks: One Compromised System and BOOM, Meet Your Blast Radius

By the numbers:

Questions worth separating out

Q: What breaks when a single compromised host can move through trusted internal protocols?

A: Blast radius becomes the failure mode.

Q: Why do trusted management protocols increase lateral movement risk in enterprise networks?

A: They are built for routine administration, so they are usually reachable, trusted, and always available.

Q: How do security teams know whether blast radius control is actually working?

A: Look at reachable systems from a single compromised host, not just at alert counts.

Practitioner guidance

  • Map privileged reachability by protocol Inventory where SMB, RDP, WinRM, and RPC are reachable by default, then remove unnecessary exposure between user, server, and admin zones.
  • Replace always-on admin paths with task-scoped access Require just-in-time access for administrative workflows so that privileged channels exist only when a specific task needs them, then revoke them immediately after use.
  • Measure containment by reachable systems Track how many systems a single compromised host can touch before containment, and use that number as a board-level resilience metric alongside detection time.

What's in the full article

Zero Networks' full analysis covers the operational detail this post intentionally leaves for the source:

  • Protocol-by-protocol findings on how SMB, RDP, WinRM, and RPC contributed to internal spread.
  • Environment-level breakdowns that show how much of the estate remained reachable after first compromise.
  • Mitigation guidance on closed-by-default access, identity-based controls, and automatic revocation.
  • The underlying measurement approach behind the 3.4 trillion activity analysis.

👉 Read Zero Networks' analysis of blast radius and lateral movement after compromise →

Blast radius and lateral movement: what IAM teams should change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Blast radius is the real identity security metric: This article shows that breach impact is determined by how much an attacker can reach after entry, not by how loudly an intrusion is detected. That shifts the governance question from incident response speed to reachable-access design. For IAM, PAM, and NHI programmes, the practitioner conclusion is simple: if a compromised identity can traverse most of the environment, the control model has already failed.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, leaving a large share of external identity reach partially or completely unmanaged.

A question worth separating out:

Q: What should organisations do first when internal reachability is too broad?

A: Start by removing always-on access paths and separating administrative channels from general user connectivity. Then apply task-scoped access, segment high-value systems, and verify that compromised identities cannot traverse the environment freely. Containment has to be designed into the access model before detection can help.

👉 Read our full editorial: Blast radius, not entry, now defines enterprise breach impact



   
ReplyQuote
Share: