The shortest path to containment is removing easy hop points
- Identity is the first choke point. Separate admin accounts, use MFA, and remove standing privilege wherever possible.
- Segmentation matters more than perimeter trust. If a stolen credential cannot reach the next system, the breach stalls.
- Host firewalls and allowlisting shrink the attack surface. Default-deny inbound traffic and stop unknown tools from running.
- Patch exposed and internal systems quickly. Attackers use old flaws to turn one foothold into many.
- Monitoring is only useful when it leads to fast containment. Alerts should tell you which host, account, and route an attacker is using.
What lateral movement looks like after the first foothold
After initial compromise, an attacker normally does not rush to the loudest target. I usually see them map the network, collect credentials or tokens, and look for a path with more privilege. That path is often a file share, a remote administration protocol, a service account, or a jump from a user workstation to a server that should never have been reachable in the first place.
- They probe for internal services such as RDP, SMB, WinRM, and management consoles.
- They reuse cached credentials, stolen hashes, or tokens if one machine still trusts another too much.
- They target domain controllers, backups, software deployment tools, and cloud admin portals because those create scale fast.
The important point is simple: lateral movement is not a separate malware family; it is a chain of trust decisions an attacker abuses. Once you see it that way, the rest of the defence becomes much clearer, because the goal shifts from chasing behaviour to removing the routes that make behaviour profitable.
The controls that work first in real environments
If I had to strip this down to the highest-value controls, I would start with identity, then remove unnecessary network paths, then make sure endpoints cannot silently execute whatever an attacker drops. The UK NCSC guidance aligns with that order: protect credentials, tighten authentication, lock down admin use, segment systems, and watch for suspicious activity early.
| Control | What it blocks | Where it helps most | Trade-off |
|---|---|---|---|
| Phishing-resistant MFA | Reused passwords and simple credential theft | Remote access, admin portals, high-risk accounts | Needs rollout planning and user change management |
| Least privilege and admin tiering | One compromised account reaching everything | Directory services, cloud admin, server fleets | Requires discipline and separate workflows |
| Host firewalls with default-deny inbound rules | Unwanted east-west connections | Endpoints, servers, and admin workstations | Breaks quietly if application dependencies are not mapped |
| Segmentation and microsegmentation | Breadth of spread after one host is lost | Crown jewels, backups, management planes | Needs an inventory of who talks to whom |
| Application allowlisting | Unknown binaries, scripts, and remote tools | High-value endpoints and servers | Can be noisy to implement without good testing |
| Fast patching | Known exploit paths on internal and exposed systems | Edge devices, management hosts, servers | Does not solve credential abuse by itself |
Microsoft's three-tier model is useful here because it keeps the most sensitive identities and systems, especially Tier 0, away from normal user work and away from casual paths upward. That is not a decorative framework; it is a way to stop one compromised workstation from becoming a bridge into the whole directory.
The reason this sequence works is that it removes the common shortcuts attackers rely on. A single control rarely stops everything, but a stack of boring controls can make the network much harder to traverse.

Why segmentation and Zero Trust reduce the blast radius
Segmentation is not about drawing prettier subnets. It is about making every hop an explicit decision. When I say Zero Trust, I mean a design that checks identity, device state, and policy before letting a session touch a resource, rather than assuming that anything already inside the network deserves broad access.
- Separate crown jewels such as domain controllers, backups, management planes, and finance systems into narrow trust zones.
- Control east-west traffic between workloads, not just north-south traffic at the internet edge.
- Use microsegmentation where workload-level policy is possible, and simpler zone-based segmentation where it is not.
- Assume legacy systems will be messy, then wrap them in the tightest gateway or firewall rules you can sustain.
The limitation is that segmentation only works if you know which services need to talk to each other. If application dependencies are undocumented, teams often leave wide exceptions in place, and the design quietly collapses back into a flat network. In other words, segmentation is a policy problem as much as it is a networking problem.
That is why segmentation has to be built alongside identity and endpoint controls, not after them.
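The trade-off in the host-firewall row of the table and the limitation above are the same problem: a default-deny east-west policy is only as good as the dependency inventory behind it, and a wide "temporary" exception silently reopens the flat network. The following is an added example, not code from the article: it turns a constructed dependency inventory into a default-deny check, classifies constructed flow records against it, and flags the kind of zone-wide exception that should be revisited. The zone names, CIDRs, ports, rules and flow lines are all assumptions made for illustration.

```python
"""Default-deny east-west policy check driven by a dependency inventory.

Added example (not from the article): zones, CIDRs, rules and flow records
are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed trust zones (assumed CIDRs).
ZONES = {
    "users":  ip_network("10.10.0.0/16"),
    "app":    ip_network("10.20.0.0/24"),
    "db":     ip_network("10.30.0.0/24"),
    "backup": ip_network("10.40.0.0/24"),
    "mgmt":   ip_network("10.50.0.0/24"),
    "dc":     ip_network("10.60.0.0/24"),
}

CROWN_JEWELS = {"dc", "backup", "mgmt"}
ADMIN_AND_FILE_PORTS = {445, 3389, 5985}   # SMB, RDP, WinRM

# Documented dependencies: (src_zone, dst_zone, dst_port). Anything absent is
# denied. "*" as the source is a zone-wide exception; the last rule is the
# undocumented-dependency shortcut the text warns about.
DEPENDENCIES = {
    ("users", "app",    443),
    ("app",   "db",     1433),
    ("mgmt",  "app",    5985),
    ("mgmt",  "db",     5985),
    ("mgmt",  "dc",     3389),
    ("*",     "dc",     88),    # Kerberos: every zone legitimately needs it
    ("*",     "dc",     389),   # LDAP
    ("*",     "backup", 445),   # "temporary" exception nobody mapped or removed
}


def zone_of(ip: str) -> str:
    """Map an address to its trust zone, or 'unknown' if it is in none."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def matching_rule(src_ip: str, dst_ip: str, port: int):
    """Return the dependency rule permitting this flow, or None (default deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in DEPENDENCIES:
        r_src, r_dst, r_port = rule
        if r_dst == dst and r_port == port and r_src in (src, "*"):
            return rule
    return None


def evaluate_flows(flow_lines):
    """Classify 'src dst port' records as allowed/denied, with the zone hop."""
    results = []
    for line in flow_lines:
        src_ip, dst_ip, port = line.split()
        port = int(port)
        rule = matching_rule(src_ip, dst_ip, port)
        results.append({
            "flow": line,
            "hop": f"{zone_of(src_ip)}->{zone_of(dst_ip)}:{port}",
            "allowed": rule is not None,
            "rule": rule,
        })
    return results


def wide_exceptions(dependencies=DEPENDENCIES):
    """Rules letting any zone reach a crown-jewel zone on an admin/file port."""
    return sorted(r for r in dependencies
                  if r[0] == "*" and r[1] in CROWN_JEWELS
                  and r[2] in ADMIN_AND_FILE_PORTS)


# Constructed east-west flow records.
SAMPLE_FLOWS = [
    "10.10.5.7 10.20.0.10 443",   # user -> app web: documented
    "10.10.5.7 10.30.0.5 445",    # user -> db share: denied
    "10.10.5.7 10.60.0.1 88",     # user -> dc Kerberos: documented wildcard
    "10.50.0.2 10.60.0.1 3389",   # mgmt -> dc RDP: documented
    "10.10.5.7 10.40.0.3 3389",   # user -> backup RDP: denied
    "10.10.5.7 10.40.0.3 445",    # user -> backup SMB: only the wide exception allows it
]

if __name__ == "__main__":
    for r in evaluate_flows(SAMPLE_FLOWS):
        print("ALLOW" if r["allowed"] else "DENY ", r["hop"],
              r["rule"] or "(no documented dependency)")
    print("wide exceptions to revisit:", wide_exceptions())
```

A denied flow is either a dependency that was never documented or a hop that should not exist; both are worth a ticket. The wide-exception report is the part that keeps the design from quietly collapsing: a workstation reaching the backup zone over SMB is allowed by the policy, but only because of a rule that names no source zone at all.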
Harden identity and endpoints so stolen credentials go nowhere
Most lateral movement still depends on valid credentials or a valid session. That is why I treat identity hygiene as a containment control, not just an access control. One compromised password should not unlock the rest of the environment.
Separate admin work from daily work
Use separate accounts for normal use and administration, and do not browse, read mail, or open attachments from privileged sessions. If an admin needs elevated access, give it just in time and just enough for the task. That makes credential theft less valuable because a stolen admin token does not automatically come with a long leash.
Make credential theft less useful
Use MFA for remote access and high-risk accounts, prefer phishing-resistant methods where you can, rotate local administrator passwords, and rely on hardware-backed storage on devices that support it. Cached secrets, shared admin passwords, and reusable tokens are exactly what attackers look for after the first hop.
I also prefer password managers and clear sign-in rules for staff because they reduce reuse and stop people from improvising with notes, spreadsheets, and shared inboxes.
Lock down the device itself
Application allowlisting, secure boot, and local firewalls matter because they reduce what can execute and where a compromised host can talk. I also like aggressive patching on edge devices and internal servers, because unpatched systems often become the quiet route an attacker uses after the first compromise.
If you still run obsolete systems, isolate them instead of pretending they belong in the same trust zone as modern endpoints.
Once credentials and endpoints are tightened, the attacker has fewer places to pivot, but you still need visibility when something slips through.
Detect pivots before they become an incident
Defence is not complete if you cannot see the next hop. The goal of monitoring is not to collect more logs for their own sake; it is to catch the sequence that says an attacker is moving from one machine to another.
- New remote admin sessions from unusual workstations.
- RDP, SMB, or WinRM connections that fan out to multiple hosts.
- Service accounts authenticating to systems they never normally touch.
- Security tooling being disabled or tampered with.
- Access to backups, deployment tools, or domain controllers outside normal maintenance windows.
When those signals appear together, I want a containment playbook that can isolate the host, revoke active sessions, reset the affected credentials, and cut off unnecessary inter-segment traffic. Detection without a containment step only tells you how the breach unfolded after the fact.
Good monitoring is not a passive dashboard. It is the trigger for an action that makes the attacker lose momentum.
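The signals listed above are individually weak and collectively strong, so the detection has to correlate them and hand the result to a containment step. This is an added example, not code from the article: it runs four of the listed checks over a handful of constructed authentication events and produces the playbook inputs (hosts to isolate, accounts to reset, targets to inspect). Event ID 4624 with logon types 3 (network) and 10 (remote interactive), and event ID 1102 (audit log cleared), are real Windows Security event semantics; the host names, accounts, baselines, thresholds and the simplified key=value line format are assumptions.

```python
"""Lateral-movement pivot detection over constructed authentication events.

Added example, not from the article. Event IDs 4624/1102 and logon types
3/10 are real Windows Security event semantics; everything else (hosts,
accounts, baselines, line format) is an assumption for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: where each service account normally authenticates,
# which workstations are sanctioned for admin sessions, and which hosts are Tier 0.
SERVICE_BASELINE = {"CORP\\svc-backup": {"BK01", "FS01"}}
ADMIN_WORKSTATIONS = {"PAW01", "PAW02"}
TIER0_HOSTS = {"DC01", "DC02"}
FAN_OUT_THRESHOLD = 3          # distinct targets from one (account, source) ...
WINDOW = timedelta(minutes=10)  # ... within this window

# Constructed event lines: timestamp followed by key=value fields.
EVENTS = [
    "2024-05-01T09:12:03 EventID=4624 LogonType=2 User=CORP\\ws-user Source=WS042 Target=WS042",
    "2024-05-01T09:15:40 EventID=4624 LogonType=3 User=CORP\\ws-user Source=WS042 Target=FS01",
    "2024-05-01T09:16:02 EventID=4624 LogonType=3 User=CORP\\ws-user Source=WS042 Target=FS02",
    "2024-05-01T09:16:30 EventID=4624 LogonType=3 User=CORP\\ws-user Source=WS042 Target=APP03",
    "2024-05-01T09:20:11 EventID=4624 LogonType=3 User=CORP\\svc-backup Source=WS042 Target=DC01",
    "2024-05-01T09:21:00 EventID=4624 LogonType=10 User=CORP\\adm-jane Source=WS042 Target=DC01",
    "2024-05-01T09:25:00 EventID=1102 User=CORP\\adm-jane Source=DC01 Target=DC01",
    "2024-05-01T10:30:00 EventID=4624 LogonType=10 User=CORP\\adm-jane Source=PAW01 Target=DC02",
]


def parse(line):
    """Turn one constructed event line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for token in fields:
        key, value = token.split("=", 1)
        rec[key] = value
    return rec


def detect(lines):
    """Return findings as (kind, account, source_host, [targets]) tuples."""
    events = [parse(l) for l in lines]
    remote = [e for e in events
              if e.get("EventID") == "4624" and e.get("LogonType") in ("3", "10")]
    findings = []

    # 1. One account from one source fanning out to many hosts in a short window.
    by_actor = defaultdict(list)
    for e in remote:
        by_actor[(e["User"], e["Source"])].append(e)
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            targets = {e["Target"] for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW}
            if len(targets) >= FAN_OUT_THRESHOLD:
                findings.append(("fan_out", user, src, sorted(targets)))
                break

    # 2. Service account authenticating somewhere outside its baseline.
    for e in remote:
        base = SERVICE_BASELINE.get(e["User"])
        if base is not None and e["Target"] not in base:
            findings.append(("service_account_off_baseline", e["User"], e["Source"], [e["Target"]]))

    # 3. Remote session into a Tier 0 host from a non-admin workstation.
    for e in remote:
        if e["Target"] in TIER0_HOSTS and e["Source"] not in ADMIN_WORKSTATIONS:
            findings.append(("tier0_from_unmanaged_source", e["User"], e["Source"], [e["Target"]]))

    # 4. Security tooling tampered with: audit log cleared.
    for e in events:
        if e.get("EventID") == "1102":
            findings.append(("audit_log_cleared", e["User"], e["Source"], [e["Target"]]))
    return findings


def containment_plan(findings):
    """Map findings onto the playbook: isolate source hosts, reset and revoke
    the accounts involved, inspect every host that was reached."""
    isolate, reset, inspect = set(), set(), set()
    for kind, user, source, targets in findings:
        reset.add(user)
        if kind in ("fan_out", "tier0_from_unmanaged_source", "service_account_off_baseline"):
            isolate.add(source)
        inspect.update(targets)
    return {"isolate_hosts": sorted(isolate),
            "reset_and_revoke": sorted(reset),
            "inspect_targets": sorted(inspect)}


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(*f)
    print(containment_plan(found))
```

The point of the last function is that the output names a host, an account and a route, which is what the containment playbook needs; a dashboard counting alerts does not. The 10:30 session from PAW01 to DC02 is deliberately left unflagged, because admin work from a sanctioned workstation is the behaviour the tiering model is supposed to produce.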
If I had one week to shrink the attacker’s options
If I only had a short window, I would not try to modernise everything at once. I would start with the paths that let one compromised account reach the most valuable systems, then close the obvious shortcuts.
- Map the crown jewels, the admin accounts that can reach them, and the paths between them.
- Remove standing privilege where possible and convert the most sensitive access to just-in-time approval.
- Block unnecessary east-west traffic, especially on admin protocols and file-sharing ports.
- Separate backup, management, and domain-privileged environments from ordinary user traffic.
- Test isolation and recovery so the first containment action does not make restoration impossible.
That sequence will not make the environment perfect, but it changes the economics of an intrusion. The attacker has to work harder, move slower, and make more noise, which is exactly what you want when the first compromise has already happened.
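The first two steps of that week (map crown jewels, the admin accounts that can reach them and the paths between them; then remove standing privilege) and the tiering model discussed earlier can be checked with a small graph rather than a spreadsheet. This is an added example, not code from the article: it models a constructed inventory of hosts, cached sessions and standing admin rights as a directed graph, finds the shortest hop chain from each user workstation to a crown jewel, lists accounts whose credentials sit on a lower-trust tier than the rights they hold, and reports which single standing privilege removal cuts the most paths. All hosts, accounts, tiers, sessions and rights are assumptions.

```python
"""Which admin accounts can reach the crown jewels, and which standing
privilege to remove first. Added example, not from the article; the hosts,
accounts, tiers, sessions and admin rights are constructed.
"""
from collections import deque

# Tier numbers follow the three-tier idea: 0 = identity/directory, 1 = servers,
# 2 = user workstations. All values below are constructed.
HOST_TIER = {"WS042": 2, "WS077": 2, "FS01": 1, "APP03": 1, "PAW01": 0, "DC01": 0}
CROWN_JEWELS = {"DC01"}

# account -> hosts where the account holds standing admin rights
ADMIN_RIGHTS = {
    "helpdesk-ops": {"WS042", "WS077", "FS01"},
    "svc-deploy":   {"FS01", "APP03", "DC01"},
    "adm-jane":     {"DC01", "PAW01"},
    "ws-user":      set(),
}
# host -> accounts with a live session or cached credential on that host
SESSIONS = {
    "WS042": {"ws-user", "helpdesk-ops"},
    "WS077": {"ws-user"},
    "FS01":  {"svc-deploy"},
    "APP03": {"svc-deploy"},
    "PAW01": {"adm-jane"},
    "DC01":  {"adm-jane"},
}


def build_graph(admin_rights, sessions):
    """Directed graph over accounts and hosts: host->account means the credential
    is present on the host, account->host means the account is admin there.
    A path host A -> ... -> host B is therefore a chain of trust decisions."""
    graph = {}
    for acct, hosts in admin_rights.items():
        graph.setdefault(f"acct:{acct}", set()).update(f"host:{h}" for h in hosts)
    for host, accts in sessions.items():
        graph.setdefault(f"host:{host}", set()).update(f"acct:{a}" for a in accts)
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the node list from start to goal, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def paths_to_crown_jewels(admin_rights=ADMIN_RIGHTS, sessions=SESSIONS):
    """Shortest hop chain from every Tier 2 workstation to every crown jewel."""
    graph = build_graph(admin_rights, sessions)
    found = {}
    for host, tier in HOST_TIER.items():
        if tier != 2:
            continue
        for jewel in CROWN_JEWELS:
            path = shortest_path(graph, f"host:{host}", f"host:{jewel}")
            if path:
                found[(host, jewel)] = path
    return found


def tier_violations(admin_rights=ADMIN_RIGHTS, sessions=SESSIONS):
    """Accounts whose credentials sit on a host of lower trust (higher tier
    number) than the most sensitive tier where they hold admin rights."""
    violations = []
    for host, accts in sessions.items():
        for acct in accts:
            best = min((HOST_TIER[h] for h in admin_rights.get(acct, set())), default=None)
            if best is not None and HOST_TIER[host] > best:
                violations.append((acct, host, best, HOST_TIER[host]))
    return sorted(violations)


def best_single_removal(admin_rights=ADMIN_RIGHTS, sessions=SESSIONS):
    """Try removing each standing admin right in turn; report the baseline path
    count and the (account, host, remaining_paths) removal that helps most."""
    baseline = len(paths_to_crown_jewels(admin_rights, sessions))
    best = None
    for acct, hosts in admin_rights.items():
        for host in sorted(hosts):
            trimmed = {a: set(hs) for a, hs in admin_rights.items()}
            trimmed[acct].discard(host)
            remaining = len(paths_to_crown_jewels(trimmed, sessions))
            if best is None or remaining < best[2]:
                best = (acct, host, remaining)
    return baseline, best


if __name__ == "__main__":
    for (src, jewel), path in paths_to_crown_jewels().items():
        print(f"{src} -> {jewel}: " + " -> ".join(path))
    print("tier violations:", tier_violations())
    print("baseline paths, best removal:", best_single_removal())
```

In the constructed inventory the only route from a workstation to the domain controller runs through a helpdesk account that is admin on a file server where a deployment account has left a credential. Removing either of those two standing rights breaks the chain, which is the kind of cheap, specific change the one-week plan is looking for, and the tier report shows why: both accounts hold rights above the tier on which their credentials are exposed.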