{"id":8692,"date":"2026-07-09T07:00:00","date_gmt":"2026-07-09T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8692"},"modified":"2026-07-09T07:00:00","modified_gmt":"2026-07-09T07:00:00","slug":"lateral-movement-risk-rises-as-enterprises-emphasize-convenience-over-containment","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8692","title":{"rendered":"Lateral movement risk rises as enterprises emphasize convenience over containment"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Poorly <a href=\"https:\/\/www.csoonline.com\/article\/658539\/organizations-turn-to-zero-trust-network-segmentation-as-ransomware-attacks-double.html\">segmented networks<\/a> and weak security controls continue to undercut security organizations\u2019 ability to identify and contain attacks, giving attackers free rein after initial compromise, according to a recent study based on real-world enterprise security telemetry.<\/p>\n<p><a href=\"https:\/\/zeronetworks.com\/resource-center\/reports\/2026-lateral-movement-exposure-report\">Zero Networks\u2019 2026 Lateral Movement Exposure Report<\/a> \u2014 based on analysis of 54 trillion activities across 312 live enterprise environments \u2014 found that more than 80% of enterprise servers are reachable from anywhere inside the network.<\/p>\n<p>The study found that 87% of enterprise servers accept inbound Remote Desktop Protocol (RDP) or SSH (Secure Shell) connections from broad internal sources, giving attackers wide access pathways once inside the network.<\/p>\n<p>Furthermore, 78% of enterprise servers are reachable via SMB (Server Message Block) or WinRM (Windows Remote Management) \u2014 networking protocols attackers <a href=\"https:\/\/www.csoonline.com\/article\/3806856\/spam-and-vishing-attacks-trick-employees-into-handing-over-microsoft-teams-access.html\">commonly exploit to achieve lateral movement<\/a> as part of ransomware or other attacks.<\/p>\n<p>In addition, 43% of internal authentication traffic still relies on NTLM (New Technology Lan Manager), a <a href=\"https:\/\/www.csoonline.com\/article\/4125947\/microsoft-disables-ntlm-in-windows.html\">legacy protocol<\/a> frequently abused for <a href=\"https:\/\/www.csoonline.com\/article\/571263\/ntlm-relay-attacks-explained-and-why-petitpotam-is-the-most-dangerous.html\">credential relay and privilege escalation attacks<\/a>. And 12% of organizations maintain direct user-to-server administrative pathways, meaning a single compromised employee device can provide immediate access to high-value systems.<\/p>\n<p>\u201cThese findings perfectly align with the reality our threat hunters at Huntress see on the front lines every day,\u201d Dray Agha, senior manager of security operations at managed detection and response firm Huntress, tells CSO. \u201cMost network perimeters are hard on the outside but lose that hostility and become flat on the inside network.\u201d<\/p>\n<p>The accessibility of most enterprise servers from inside compromised network means attackers have little need for sophisticated zero-day exploits once they breach the perimeter.<\/p>\n<p>\u201cThey [attackers] are simply \u2018<a href=\"https:\/\/www.csoonline.com\/article\/643617\/living-off-the-land-attacks-are-hard-but-not-impossible-to-protect-against.html\">living off the land<\/a>\u2019 using the exact same administrative tools and open pathways (like RDP and SMB) that IT teams use,\u201d Agha adds.<\/p>\n<p>Robby Winchester, chief global professional services officer at cybersecurity firm SpecterOps, also says Zero Networks\u2019 findings are \u201cright on point with what we typically observe.\u201d<\/p>\n<p>\u201cOn nearly every red team and penetration test we\u2019ve conducted, our testers have achieved lateral movement,\u201d Winchester explains. \u201cUsing tools like BloodHound show us that attack paths are pervasive and hard to eliminate without visibility, underscoring how hard it is to prevent lateral movement.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Interconnected by design<\/h2>\n<p>At issue is the fact that security teams have spent years strengthening the perimeter while accepting a significant degree of implicit trust within the network.<\/p>\n<p>But moving away from this approach is far from trivial, says David Sancho, senior threat researcher at Trend Micro.<\/p>\n<p>\u201cThe uncomfortable reality is that many enterprise environments remain highly interconnected by design,\u201d Sancho says. \u201cRDP, SMB, SSH, and WinRM exist because administrators need to get work done.\u201d<\/p>\n<p>Legacy protocols such as NTLM persist because replacing them can be operationally challenging but <a href=\"https:\/\/www.csoonline.com\/article\/2097636\/ridding-your-network-of-ntlm.html\">replacing these aging technologies<\/a> is nonetheless advisable because their presence makes it easier for attackers to dive deeper into compromised networks.<\/p>\n<p>Still, Sancho notes that broad exposure does not automatically equate to widespread exploitation in all circumstances.<\/p>\n<p>\u201cReachability indicates potential blast radius, not a certainty of compromise,\u201d he explains. \u201cAt the same time, the findings highlight an ongoing operational challenge: balancing security with usability.\u201d<\/p>\n<p>Moreover, Sancho adds, \u201crestricting administrative pathways, retiring legacy protocols, and implementing stronger segmentation are all sensible measures, but they are often difficult to execute in complex environments built over decades.\u201d<\/p>\n<p>Dhruv Datta, founder and co-CTO at GolfWiz AI, also sees reachable servers as only one aspect of the wider problem of enterprise security resilience.<\/p>\n<p>\u201cA reachable server may still be protected by identity controls, endpoint monitoring, access policies, or other safeguards,\u201d Datta tells CSO. \u201cThe practical risk also depends on the privileges an attacker has gained, the controls around each protocol, and how quickly suspicious activity is detected.\u201d<\/p>\n<p>Still, defenders must do more to limit where an attacker can move to stand any chance of protecting sensitive systems, argues Joe Brinkley, director of offensive security research at penetration testing as a services firm Cobalt. This requirement is becoming even more pressing with the rising use of <a href=\"https:\/\/www.csoonline.com\/article\/3819176\/top-5-ways-attackers-use-generative-ai-to-exploit-your-systems.html\">automated and AI-driven<\/a> lateral movement.<\/p>\n<p>\u201cOrganizations must pivot away from a strategy of pure detection and prioritize deterministic containment through micro-segmentation and strict, identity-driven least privilege,\u201d Brinkley advises.<\/p>\n<h2 class=\"wp-block-heading\">Countermeasures<\/h2>\n<p>Internal reachability of sensitive systems creates major ransomware and privilege escalation risks. Simply focusing on improving perimeter defences is wholly inadequate.<\/p>\n<p>Mitigating the path to attack and making life harder for attackers involves a combination of improved network segmentation, identity controls, red-team testing, and tighter separation of privileged access.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Poorly segmented networks and weak security controls continue to undercut security organizations\u2019 ability to identify and contain attacks, giving attackers free rein after initial compromise, according to a recent study based on real-world enterprise security telemetry. Zero Networks\u2019 2026 Lateral Movement Exposure Report \u2014 based on analysis of 54 trillion activities across 312 live enterprise [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8693,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8692","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8692"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8692"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8692\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8693"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8692"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8692"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8692"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}