Lateral movement risk rises as enterprises emphasize convenience over containment

Tags:

Poorly segmented networks and weak security controls continue to undercut security organizations’ ability to identify and contain attacks, giving attackers free rein after initial compromise, according to a recent study based on real-world enterprise security telemetry.

Zero Networks’ 2026 Lateral Movement Exposure Report — based on analysis of 54 trillion activities across 312 live enterprise environments — found that more than 80% of enterprise servers are reachable from anywhere inside the network.

The study found that 87% of enterprise servers accept inbound Remote Desktop Protocol (RDP) or SSH (Secure Shell) connections from broad internal sources, giving attackers wide access pathways once inside the network.

Furthermore, 78% of enterprise servers are reachable via SMB (Server Message Block) or WinRM (Windows Remote Management) — networking protocols attackers commonly exploit to achieve lateral movement as part of ransomware or other attacks.

In addition, 43% of internal authentication traffic still relies on NTLM (New Technology Lan Manager), a legacy protocol frequently abused for credential relay and privilege escalation attacks. And 12% of organizations maintain direct user-to-server administrative pathways, meaning a single compromised employee device can provide immediate access to high-value systems.

“These findings perfectly align with the reality our threat hunters at Huntress see on the front lines every day,” Dray Agha, senior manager of security operations at managed detection and response firm Huntress, tells CSO. “Most network perimeters are hard on the outside but lose that hostility and become flat on the inside network.”

The accessibility of most enterprise servers from inside compromised network means attackers have little need for sophisticated zero-day exploits once they breach the perimeter.

“They [attackers] are simply ‘living off the land’ using the exact same administrative tools and open pathways (like RDP and SMB) that IT teams use,” Agha adds.

Robby Winchester, chief global professional services officer at cybersecurity firm SpecterOps, also says Zero Networks’ findings are “right on point with what we typically observe.”

“On nearly every red team and penetration test we’ve conducted, our testers have achieved lateral movement,” Winchester explains. “Using tools like BloodHound show us that attack paths are pervasive and hard to eliminate without visibility, underscoring how hard it is to prevent lateral movement.”

Interconnected by design

At issue is the fact that security teams have spent years strengthening the perimeter while accepting a significant degree of implicit trust within the network.

But moving away from this approach is far from trivial, says David Sancho, senior threat researcher at Trend Micro.

“The uncomfortable reality is that many enterprise environments remain highly interconnected by design,” Sancho says. “RDP, SMB, SSH, and WinRM exist because administrators need to get work done.”

Legacy protocols such as NTLM persist because replacing them can be operationally challenging but replacing these aging technologies is nonetheless advisable because their presence makes it easier for attackers to dive deeper into compromised networks.

Still, Sancho notes that broad exposure does not automatically equate to widespread exploitation in all circumstances.

“Reachability indicates potential blast radius, not a certainty of compromise,” he explains. “At the same time, the findings highlight an ongoing operational challenge: balancing security with usability.”

Moreover, Sancho adds, “restricting administrative pathways, retiring legacy protocols, and implementing stronger segmentation are all sensible measures, but they are often difficult to execute in complex environments built over decades.”

Dhruv Datta, founder and co-CTO at GolfWiz AI, also sees reachable servers as only one aspect of the wider problem of enterprise security resilience.

“A reachable server may still be protected by identity controls, endpoint monitoring, access policies, or other safeguards,” Datta tells CSO. “The practical risk also depends on the privileges an attacker has gained, the controls around each protocol, and how quickly suspicious activity is detected.”

Still, defenders must do more to limit where an attacker can move to stand any chance of protecting sensitive systems, argues Joe Brinkley, director of offensive security research at penetration testing as a services firm Cobalt. This requirement is becoming even more pressing with the rising use of automated and AI-driven lateral movement.

“Organizations must pivot away from a strategy of pure detection and prioritize deterministic containment through micro-segmentation and strict, identity-driven least privilege,” Brinkley advises.

Countermeasures

Internal reachability of sensitive systems creates major ransomware and privilege escalation risks. Simply focusing on improving perimeter defences is wholly inadequate.

Mitigating the path to attack and making life harder for attackers involves a combination of improved network segmentation, identity controls, red-team testing, and tighter separation of privileged access.

Categories

No Responses

Leave a Reply

Your email address will not be published. Required fields are marked *