Risk R-005 - Lateral movement across internal infrastructure

| Field | Value |
|---|---|
| Risk ID | R-005 |
| Asset | Internal Network (Platform – Owner: Sec) |
| Scenario | S-004 - Lateral movement from compromised host |
| Likelihood | 🟧 Possible - once a host is compromised, lateral movement is feasible, especially where segmentation is weak |
| Impact | 🟥 High - multiple internal systems may be compromised, increasing the attack surface and the potential for data exfiltration |
| Risk Level | 🟥 High |
| Owner | Sec |
| Last Review | 2026-03-08 |
| Next Review | 2026-09-08 |

Associated Controls:
- Enforce network segmentation (VLANs, micro-segmentation, DMZ separation).
- Restrict lateral-movement protocols (disable SMBv1, enforce LDAP signing, limit RDP/SSH to jump-boxes).
- Implement endpoint detection and response (EDR) on all internal hosts.
- Monitor authentication logs for unusual patterns and multiple access attempts.
- Enforce credential hygiene: MFA, short-lived tokens, and regular rotation.
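As an added illustration of the authentication-log monitoring control above (example code written for this entry, not part of the register or of any referenced standard), a small detector run over a constructed log: it flags one account successfully reaching several distinct internal hosts within a short window, and repeated failed attempts against a single host that end in a success. The log format, thresholds, host and account names are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample log (not from a real system): "<ISO ts> <account> <target_host> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2026-03-08T10:00:01 svc-backup fs-01 SUCCESS
2026-03-08T10:00:05 svc-backup fs-02 SUCCESS
2026-03-08T10:00:09 svc-backup db-03 SUCCESS
2026-03-08T10:01:00 alice mail-01 SUCCESS
2026-03-08T10:02:00 bob db-03 FAILURE
2026-03-08T10:02:03 bob db-03 FAILURE
2026-03-08T10:02:06 bob db-03 FAILURE
2026-03-08T10:02:10 bob db-03 SUCCESS
"""
Event = namedtuple("Event", "ts account dst ok")

def parse_log(text):
    """One Event per well-formed line, sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, account, dst, result = parts
            events.append(Event(datetime.fromisoformat(ts), account, dst, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)

def detect_fan_out(events, window=timedelta(minutes=5), min_hosts=3):
    """Accounts that authenticate successfully to >= min_hosts distinct targets within a sliding window."""
    alerts = {}
    for account in {e.account for e in events if e.ok}:
        evs = [e for e in events if e.ok and e.account == account]  # already time-ordered
        for i, first in enumerate(evs):
            targets = {e.dst for e in evs[i:] if e.ts - first.ts <= window}
            if len(targets) >= min_hosts:
                alerts[account] = sorted(targets)
                break
    return alerts

def detect_failure_burst(events, window=timedelta(minutes=2), min_failures=3):
    """(account, target) pairs with >= min_failures failures followed by a success inside the window."""
    alerts = []
    for pair in {(e.account, e.dst) for e in events}:
        evs = [e for e in events if (e.account, e.dst) == pair]
        for e in evs:
            fails = [f for f in evs if not f.ok and timedelta(0) <= e.ts - f.ts <= window]
            if e.ok and len(fails) >= min_failures:
                alerts.append(pair)
                break
    return alerts
```

On the sample log the fan-out rule fires for svc-backup (three hosts in under ten seconds) and the failure-burst rule for bob against db-03; tune the windows and thresholds to the environment's baseline before using either as an alert.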

References:
- ISO 27001 - Control 5.1 Policies for information security.
- ISO 27001 - Control 8.2 Privileged access rights.
- ISO 27001 - Control 8.16 Monitoring activities.
- NIST CSF - ID.AM Asset Management.
- NIST CSF - PR.AC Identity Management, Authentication and Access Control.
- NIST CSF - DE.CM Detection Processes.
- EBIOS RM - Analysis of risks related to lateral movement and internal propagation.

Response Actions:
- Containment - Isolate compromised host(s) and restrict lateral traffic.
- Eradication - Remove malicious binaries, reset compromised credentials, patch exploited vulnerabilities.
- Recovery - Restore affected systems from verified backups and validate integrity.
- Post-incident - Conduct root cause analysis, update network segmentation diagrams, and refine lateral-movement detection rules.