TL;DR: Attackers often turn a single stolen password, token, or overprivileged service account into widespread disruption by pivoting across flat networks before defenders detect them, according to ColorTokens. The real control problem is blast-radius reduction, because once identity trust is abused, recovery speed matters less than stopping east-west spread.
NHIMG editorial — based on content published by ColorTokens: How Attackers Move Laterally, and How to Stop Them
By the numbers:
- Internal repositories are 6x more likely to contain secrets than public ones (32.2% vs 5.6%), contradicting the assumption that private repos are safe.
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
Questions worth separating out
A: They should focus on internal reach, not just authentication.
Q: Why do service accounts and tokens make lateral movement harder to contain?
A: They often carry broad trust, longer lifetimes, and access that is reused across systems.
Q: What breaks when internal trust is too broad in enterprise networks?
A: When internal trust is too broad, a single compromise can become a lateral movement platform.
Practitioner guidance
- Segment crown-jewel systems first Place Active Directory, backups, hypervisors, finance platforms, and EDR management behind dedicated east-west policies so one compromised host cannot freely reach recovery or control planes.
- Constrain non-human identities to task-scoped reach Review service accounts, tokens, and automation credentials for broad internal reach, then remove permissions that let them touch unrelated systems or administrative tools.
- Block default admin tool paths between general workloads Deny direct SMB, RDP, WMI, PsExec, and PowerShell remoting from ordinary zones into sensitive systems unless an approved jump path is in place.
What's in the full article
ColorTokens' full article covers the operational detail this post intentionally leaves for the source:
- Specific examples of lateral movement tooling such as SMB, WMI, PsExec, and Group Policy abuse.
- Practical containment steps for isolating patient zero while preserving business operations.
- Operational guidance for locking down backups, directory services, and EDR management paths.
- The article's own microsegmentation framing and deployment examples for internal traffic control.
👉 Read ColorTokens' article on how attackers move laterally through internal networks →
Lateral movement and blast radius: what IAM teams are missing?
Explore further
Blast-radius control is the real identity security problem. The article is right to focus on what happens after first access, because most serious incidents are decided inside the network, not at the perimeter. Lateral movement exposes how much implicit trust still exists between identities, systems, and administrative pathways. Practitioners should treat internal reach as a first-class governance problem, not a network afterthought.
A few things that frame the scale:
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to The State of Secrets Sprawl 2026.
- 8 of the top 10 fastest-growing types of leaked secrets year-over-year are tied directly to AI services.
A question worth separating out:
Q: Who is accountable when lateral movement reaches backups or identity systems?
A: Accountability sits across IAM, PAM, NHI governance, infrastructure, and incident response. If privileged paths were left open, or if service accounts were not scoped and reviewed, those are governance failures as much as technical failures. Frameworks such as NIST-CSF and ZT-NIST-207 help assign ownership for containment and trust reduction.
👉 Read our full editorial: Lateral movement turns one stolen identity into a full outage