Lateral movement risk rises as enterprises emphasize convenience over containment
Enterprise networks are too reliant on legacy protocols and trusted administrative paths, leaving internal servers easily reachable once attackers breach the network, telemetry shows.
Poorly segmented networks and weak security controls continue to undercut security organizationsâ ability to identify and contain attacks, giving attackers free rein after initial compromise, according to a recent study based on real-world enterprise security telemetry.
Zero Networksâ 2026 Lateral Movement Exposure Report â based on analysis of 54 trillion activities across 312 live enterprise environments â found that more than 80% of enterprise servers are reachable from anywhere inside the network.
The study found that 87% of enterprise servers accept inbound Remote Desktop Protocol (RDP) or SSH (Secure Shell) connections from broad internal sources, giving attackers wide access pathways once inside the network.
Furthermore, 78% of enterprise servers are reachable via SMB (Server Message Block) or WinRM (Windows Remote Management) â networking protocols attackers commonly exploit to achieve lateral movement as part of ransomware or other attacks.
In addition, 43% of internal authentication traffic still relies on NTLM (New Technology Lan Manager), a legacy protocol frequently abused for credential relay and privilege escalation attacks. And 12% of organizations maintain direct user-to-server administrative pathways, meaning a single compromised employee device can provide immediate access to high-value systems.
âThese findings perfectly align with the reality our threat hunters at Huntress see on the front lines every day,â Dray Agha, senior manager of security operations at managed detection and response firm Huntress, tells CSO. âMost network perimeters are hard on the outside but lose that hostility and become flat on the inside network.â
The accessibility of most enterprise servers from inside compromised network means attackers have little need for sophisticated zero-day exploits once they breach the perimeter.
âThey [attackers] are simply âliving off the landâ using the exact same administrative tools and open pathways (like RDP and SMB) that IT teams use,â Agha adds.
Robby Winchester, chief global professional services officer at cybersecurity firm SpecterOps, also says Zero Networksâ findings are âright on point with what we typically observe.â
âOn nearly every red team and penetration test weâve conducted, our testers have achieved lateral movement,â Winchester explains. âUsing tools like BloodHound show us that attack paths are pervasive and hard to eliminate without visibility, underscoring how hard it is to prevent lateral movement.â
Interconnected by design
At issue is the fact that security teams have spent years strengthening the perimeter while accepting a significant degree of implicit trust within the network.
But moving away from this approach is far from trivial, says David Sancho, senior threat researcher at Trend Micro.
âThe uncomfortable reality is that many enterprise environments remain highly interconnected by design,â Sancho says. âRDP, SMB, SSH, and WinRM exist because administrators need to get work done.â
Legacy protocols such as NTLM persist because replacing them can be operationally challenging but replacing these aging technologies is nonetheless advisable because their presence makes it easier for attackers to dive deeper into compromised networks.
Still, Sancho notes that broad exposure does not automatically equate to widespread exploitation in all circumstances.
âReachability indicates potential blast radius, not a certainty of compromise,â he explains. âAt the same time, the findings highlight an ongoing operational challenge: balancing security with usability.â
Moreover, Sancho adds, ârestricting administrative pathways, retiring legacy protocols, and implementing stronger segmentation are all sensible measures, but they are often difficult to execute in complex environments built over decades.â
Dhruv Datta, founder and co-CTO at GolfWiz AI, also sees reachable servers as only one aspect of the wider problem of enterprise security resilience.
âA reachable server may still be protected by identity controls, endpoint monitoring, access policies, or other safeguards,â Datta tells CSO. âThe practical risk also depends on the privileges an attacker has gained, the controls around each protocol, and how quickly suspicious activity is detected.â
Still, defenders must do more to limit where an attacker can move to stand any chance of protecting sensitive systems, argues Joe Brinkley, director of offensive security research at penetration testing as a services firm Cobalt. This requirement is becoming even more pressing with the rising use of automated and AI-driven lateral movement.
âOrganizations must pivot away from a strategy of pure detection and prioritize deterministic containment through micro-segmentation and strict, identity-driven least privilege,â Brinkley advises.
Countermeasures
Internal reachability of sensitive systems creates major ransomware and privilege escalation risks. Simply focusing on improving perimeter defences is wholly inadequate.
Mitigating the path to attack and making life harder for attackers involves a combination of improved network segmentation, identity controls, red-team testing, and tighter separation of privileged access.
How it works
Once you click Generate, Ollama reads this article and crafts 5 comprehension questions. Your answers are graded against the article content â general knowledge won't be enough. Score 70+ to count toward your certificate.
Questions are cached â you'll always get the same 5 for this article.