Lateral Movement Risk Rises in Enterprise Networks

Telemetry shows widespread internal exposure enabling lateral movement

Lateral movement risk rises as enterprises increasingly prioritise operational convenience over robust containment strategies. This trend is exposing the majority of enterprise servers to internal threats and expanding the pathways available to attackers following an initial compromise.

Lateral Movement Exposure: Key Findings from the Zero Networks Report

The recent 2026 Lateral Movement Exposure Report by Zero Networks presents a detailed analysis of internal attack risks based on real-world data. Drawing from 54 trillion activities across 312 live enterprise environments, the report highlights a concerning lack of internal segmentation and widespread reliance on legacy protocols.

Key findings from the report include:

  • Over 80% of enterprise servers are reachable from anywhere inside the network, meaning once attackers breach the perimeter, critical assets are broadly accessible.
  • 87% of servers accept inbound connections over Remote Desktop Protocol (RDP) or Secure Shell (SSH) from wide internal sources, significantly increasing the potential for lateral movement between systems.
  • 78% of servers are accessible via Server Message Block (SMB) or Windows Remote Management (WinRM), both of which are commonly exploited for spreading ransomware or escalating attacks internally.
  • 43% of internal authentication traffic still relies on New Technology Lan Manager (NTLM), a legacy protocol vulnerable to credential relay and privilege escalation attacks.
  • 12% of organisations maintain direct user-to-server administrative pathways, allowing a single compromised endpoint to potentially access high-value servers immediately.

These findings collectively demonstrate that internal enterprise networks remain ‘flat’ and highly interconnected, with critical security gaps that can be exploited by even moderately skilled attackers.

How Lateral Movement Attacks Exploit Internal Weaknesses

The accessibility of enterprise servers from within the network provides attackers with a crucial advantage post-breach. Once inside, adversaries do not require sophisticated zero-day exploits. Instead, they can use existing administrative tools and legitimate credentials to move laterally and escalate privileges.

Dray Agha, senior manager of security operations at Huntress, notes that “most network perimeters are hard on the outside but lose that hostility and become flat on the inside network.” This flatness means attackers can leverage internal protocols such as RDP, SMB, SSH, and WinRM, often referred to as “living off the land” tactics, to blend in with regular IT operations and avoid detection.

Red team assessments and penetration tests consistently confirm these risks. Robby Winchester, chief global professional services officer at SpecterOps, reports that lateral movement is achieved in nearly every test, with attack paths remaining persistent and difficult to eliminate without improved visibility and segmentation. Tools like BloodHound are commonly used to map these attack paths, revealing just how pervasive and entrenched lateral movement opportunities are within most organisations.

Legacy Protocols and Implicit Trust Fueling Exposure

Another critical finding from the Zero Networks report is the continued use of legacy protocols such as NTLM. With 43% of internal authentication traffic relying on NTLM, organisations are exposing themselves to attacks like credential relays and privilege escalation, which have been well-documented by security researchers.

Additionally, 12% of organisations still allow direct user-to-server administrative access. This means that if any endpoint is compromised—such as through phishing or malware—the attacker can immediately target high-value systems, potentially resulting in rapid data theft or ransomware deployment.

David Sancho, senior threat researcher at Trend Micro, contextualises this challenge: “The uncomfortable reality is that many enterprise environments remain highly interconnected by design. RDP, SMB, SSH, and WinRM exist because administrators need to get work done.” Security teams have traditionally focused on strengthening the perimeter, often at the expense of internal segmentation and protocol hardening. This implicit trust model, however, is no longer tenable given the sophistication and persistence of modern attackers.

Timeline and Current Exploitation Status

The findings in the Zero Networks 2026 report are based on telemetry from live enterprise environments, reflecting the current state of internal enterprise security as of mid-2024. While no specific new exploit campaign is highlighted, the report underscores that these weaknesses are routinely exploited in the wild, particularly by ransomware groups and advanced persistent threats (APTs).

Security vendors and managed detection and response teams continue to observe attackers using legitimate administrative tools and weak internal protocols to move laterally across networks. The persistence of these issues indicates that many organisations have yet to prioritise or implement comprehensive internal segmentation or to phase out legacy protocols like NTLM.

Why This Matters Now

The increased lateral movement risk within enterprise networks means that a single point of compromise can rapidly escalate into a full-scale breach, impacting sensitive data, business continuity and regulatory compliance. The broad internal access to RDP, SMB, and other protocols makes containment and response significantly more difficult once an attacker is inside the network.

Recommended Actions for Organisations

  • Audit internal network segmentation to reduce broad server exposure.
  • Restrict and monitor internal RDP, SSH, SMB, and WinRM access based on necessity.
  • Accelerate the deprecation of NTLM and transition to more secure authentication protocols.
  • Limit direct user-to-server administrative pathways and enforce strong credential management.
  • Increase visibility over internal network activity to quickly detect lateral movement attempts.

By addressing these specific weaknesses, organisations can materially reduce the risk of lateral movement and limit the potential impact of a perimeter breach.

Originally reported by www.csoonline.com.

Share this bulletin

About the Author

Rob McBride Headshot - CyPro Partner and leading cyber security expert

Rob McBride

Partner

  • CISSP
  • ACA Chartered Accountant
  • MPhil
  • BSc
  • SOC 2
  • ISO 27001

Rob McBride

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

View Profile
Back to Bulletins
Category
Industry Guidance
Published
Jul 9 - 2026
Post Tags
Cypro firewall showing robust network security
Secure your business.
Elevate your security, accelerate your growth. We take care of cyber security for high-growth companies, at every stage of their journey.
Get in touch
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call