Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Lateral movement techniques: what IAM and security teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: 80% of enterprise servers are reachable from anywhere inside the network, while attackers can begin moving laterally in as little as 27 seconds, according to Zero Networks’ analysis of 54 trillion activities across 300+ enterprise environments. Detection alone cannot keep pace with machine-speed breakout, so containment must shift to identity and network enforcement.

NHIMG editorial — based on content published by Zero Networks: 10 Common Lateral Movement Techniques and How to Stop Them

By the numbers:

Questions worth separating out

Q: How should security teams stop lateral movement after an initial foothold?

A: Security teams should reduce the number of internal paths a compromised identity can use, not just watch for suspicious traffic.

Q: Why do valid credentials create such high lateral movement risk?

A: Valid credentials are dangerous because they let attackers look like normal users or administrators while moving through the environment.

Q: What do security teams get wrong about detecting lateral movement?

A: Teams often assume faster detection is enough, but lateral movement can begin in seconds and outpace investigation.

Practitioner guidance

  • Map internal reachability by identity type Identify which service accounts, privileged users, and machine identities can reach sensitive systems from broad network zones, then reduce those paths to explicit business need.
  • Restrict remote administration protocols to explicit allowlists Limit SMB, WinRM, RDP, SSH, and RPC to the smallest possible set of sources, destinations, and purposes.
  • Apply identity-based microsegmentation to non-human access paths Tie internal policy to verified identity and purpose instead of IP ranges alone, especially for service accounts and automation workloads.

What's in the full article

Zero Networks’ full article covers the operational detail this post intentionally leaves for the source:

  • Technique-by-technique examples for session hijacking, pass-the-hash, pass-the-ticket, and Kerberoasting.
  • Specific control patterns for microsegmentation, identity-based access, and just-in-time MFA at the network layer.
  • Exposure figures for RDP, SMB, WinRM, and RPC across enterprise environments.
  • Practical guidance on turning lateral movement pathways into dead ends with automated policy enforcement.

👉 Read Zero Networks’ analysis of common lateral movement techniques and containment →

Lateral movement techniques: what IAM and security teams miss?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Lateral movement is an identity governance failure before it is a detection problem. Once attackers can reuse valid credentials, tickets, or sessions inside the environment, the real issue is that internal pathways were already too permissive. The article’s data on broad server reachability points to a structural trust problem, not an alerting problem. Practitioners should read this as a challenge to internal access design, not just SOC tuning.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Who is accountable when lateral movement reaches sensitive systems?

A: Accountability sits across identity governance, network architecture, and security operations. IAM and PAM teams own the privileges and session controls, network teams own reachable pathways, and SOC teams own detection and response. If one layer is permissive, the others inherit the failure.

👉 Read our full editorial: Lateral movement techniques expose the limits of detection-only defense



   
ReplyQuote
Share: