What changed this month
- Identity paths were the #1 intrusion entry point: phishing-resistant access and device posture checks are the fastest risk reducers.
- Lateral movement accelerated after initial access due to flat network segments, shared admin tooling, and over-permissioned service accounts.
- OT impact increased where vendor remote access and IT-to-OT bridges lacked step-up verification and time-bounded controls.
Top observed techniques
Identity abuse
Credential replay, MFA fatigue, token theft, and session hijacking, especially against high-privilege accounts.
Privilege escalation
Misconfigured admin roles, stale local admin passwords, and weak workstation hardening.
Segment traversal
Unrestricted east-west traffic, shared jump boxes, and unmanaged vendor access paths into sensitive zones.
Priority actions (next 30 days)
- Deploy passwordless + step-up verification for privileged actions (admin, OT operator, vendor sessions).
- Roll out segmentation in stages (Observe → Warn → Enforce), starting with IT-to-OT and admin tool paths.
- Harden remote access with just-in-time policies, allow-listed destinations, and session evidence trails.
- Instrument Zero Trust events so every allow/deny is searchable for investigations and compliance.
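As an added illustration of the staged segmentation, step-up verification and searchable decision events called for above (example code, not part of the brief; the zones, ports and allow-list are constructed placeholders), a minimal policy evaluator whose Observe and Warn stages record what Enforce would do without blocking anything:

```python
import json
from dataclasses import dataclass, asdict

# Constructed allow-list of IT-to-OT paths (hypothetical zones and ports).
ALLOWED_PATHS = {
    ("it-eng-ws", "ot-hmi", 3389),    # engineering workstations may RDP to the HMI
    ("it-jump", "ot-plc-mgmt", 502),  # jump host to PLC management over Modbus/TCP
}
PRIVILEGED_PORTS = {22, 502, 3389}    # actions that require step-up verification

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    user: str
    step_up_verified: bool

@dataclass
class Decision:
    action: str    # what was actually done: "allow" or "deny"
    verdict: str   # what the Enforce stage would do
    reason: str
    mode: str
    alert: bool    # the Warn stage raises an alert instead of blocking
    flow: dict

def evaluate(flow: Flow, mode: str) -> Decision:
    """Evaluate one flow; only the Enforce stage changes the real action."""
    if mode not in ("observe", "warn", "enforce"):
        raise ValueError(f"unknown mode {mode!r}")
    path = (flow.src_zone, flow.dst_zone, flow.dst_port)
    if path not in ALLOWED_PATHS:
        verdict, reason = "deny", "path not on allow-list"
    elif flow.dst_port in PRIVILEGED_PORTS and not flow.step_up_verified:
        verdict, reason = "deny", "privileged action without step-up verification"
    else:
        verdict, reason = "allow", "allow-listed path, verification satisfied"
    action = verdict if mode == "enforce" else "allow"
    alert = mode == "warn" and verdict == "deny"
    return Decision(action, verdict, reason, mode, alert, asdict(flow))

def decision_event(d: Decision) -> str:
    """Serialize a decision as one JSON line so every allow/deny is searchable."""
    return json.dumps(asdict(d), sort_keys=True)

def would_break(flows: list[Flow]) -> list[Decision]:
    """Observe-stage dry run: the flows that Enforce would deny."""
    return [d for d in (evaluate(f, "observe") for f in flows) if d.verdict == "deny"]
```

Running the same flows through Observe first gives the list of paths that Enforce would cut, which is the evidence needed before moving a segment to the next stage.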
Next: Download the full PDF-style brief and share with operations leadership.