Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Lateral movement techniques: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: Attackers are reaching lateral movement in 29 minutes on average, with 82% of detections now malware-free and 90% of ransomware breaches involving RDP abuse, according to CrowdStrike, CrowdStrike, and Sophos. The real control problem is not detection alone but restricting east-west paths so a foothold cannot become enterprise-wide compromise.

NHIMG editorial — based on content published by Elisity: 9 lateral movement techniques attackers use and how to stop them

By the numbers:

Questions worth separating out

Q: What breaks when lateral movement paths are not tightly controlled?

A: When east-west access is too broad, one compromised credential can reach many systems without needing new exploits.

Q: Why do attackers prefer lateral movement over noisy exploit chains?

A: Lateral movement often uses legitimate credentials and trusted tools, which makes it blend into normal administration.

Q: How do security teams know whether segmentation is actually reducing risk?

A: They should measure whether compromised identities can still reach sensitive tiers, admin ports, and third-party entry points.

Practitioner guidance

What's in the full article

Elisity's full blog covers the operational detail this post intentionally leaves for the source:

  • The article walks through all nine lateral movement techniques with ATT&CK mappings and network-level defence examples.
  • It gives protocol-specific containment guidance for SMB, RDP, SSH, WMI, and PowerShell remoting.
  • It explains how to design segmentation policies around device identity, not just network location.
  • It includes practical examples of what to block, what to allow, and where common enterprise assumptions fail.

👉 Read Elisity's analysis of nine lateral movement techniques and containment paths →

Lateral movement techniques: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Lateral movement is an identity failure before it is a network failure. The article is right to focus on east-west reach, but the deeper issue is that too many internal architectures still assume any authenticated internal session is trustworthy enough to move. That assumption fails once a single credential, admin path, or vendor connection is compromised. The practical conclusion is that internal trust must be treated as conditional, not implied.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.

A question worth separating out:

Q: Who is accountable when compromised vendor access becomes internal movement?

A: The accountable teams are the ones that own third-party access governance, internal segmentation policy, and privileged path approval. Vendor access should not be treated as a one-time onboarding task. If the path remains open after the business need ends, the accountability gap is internal, not external.

👉 Read our full editorial: Lateral movement is the breach multiplier IAM teams still miss



   
ReplyQuote
Share: