TL;DR: Attackers are reaching lateral movement in 29 minutes on average, with 82% of detections now malware-free and 90% of ransomware breaches involving RDP abuse, according to CrowdStrike, CrowdStrike, and Sophos. The real control problem is not detection alone but restricting east-west paths so a foothold cannot become enterprise-wide compromise.
NHIMG editorial — based on content published by Elisity: 9 lateral movement techniques attackers use and how to stop them
By the numbers:
- 29 minutes : Average eCrime breakout time from initial access to lateral movement, 65% faster than the prior year (CrowdStrike 2026 Global Threat Report)
- 82% : Percentage of detections that are malware-free, with attackers using valid credentials and trusted tools (CrowdStrike 2026 Global Threat Report)
- 90% : Percentage of ransomware breaches involving RDP abuse (Sophos 2024 Active Adversary Report)
Questions worth separating out
Q: What breaks when lateral movement paths are not tightly controlled?
A: When east-west access is too broad, one compromised credential can reach many systems without needing new exploits.
Q: Why do attackers prefer lateral movement over noisy exploit chains?
A: Lateral movement often uses legitimate credentials and trusted tools, which makes it blend into normal administration.
Q: How do security teams know whether segmentation is actually reducing risk?
A: They should measure whether compromised identities can still reach sensitive tiers, admin ports, and third-party entry points.
Practitioner guidance
- Map east-west admin paths by identity Inventory which devices, service accounts, and admin workstations can initiate SMB, RDP, SSH, WMI, and PowerShell remoting today.
- Constrain remote administration to dedicated management endpoints Require remote tools such as PsExec, RDP, and PowerShell remoting to originate only from approved management systems.
- Scope vendor connectivity as a temporary identity boundary Bind third-party access to specific systems, specific time windows, and specific protocols.
What's in the full article
Elisity's full blog covers the operational detail this post intentionally leaves for the source:
- The article walks through all nine lateral movement techniques with ATT&CK mappings and network-level defence examples.
- It gives protocol-specific containment guidance for SMB, RDP, SSH, WMI, and PowerShell remoting.
- It explains how to design segmentation policies around device identity, not just network location.
- It includes practical examples of what to block, what to allow, and where common enterprise assumptions fail.
👉 Read Elisity's analysis of nine lateral movement techniques and containment paths →
Lateral movement techniques: are your controls keeping up?
Explore further
Lateral movement is an identity failure before it is a network failure. The article is right to focus on east-west reach, but the deeper issue is that too many internal architectures still assume any authenticated internal session is trustworthy enough to move. That assumption fails once a single credential, admin path, or vendor connection is compromised. The practical conclusion is that internal trust must be treated as conditional, not implied.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Who is accountable when compromised vendor access becomes internal movement?
A: The accountable teams are the ones that own third-party access governance, internal segmentation policy, and privileged path approval. Vendor access should not be treated as a one-time onboarding task. If the path remains open after the business need ends, the accountability gap is internal, not external.
👉 Read our full editorial: Lateral movement is the breach multiplier IAM teams still miss