
909 Blog, by Den Jones

Eliminating Lateral Movement: Turn Your Office Network Into a Guest Network

Neo: Looks like we hooked a bunch of PharmaCORP users on our phishing trip.
Trinity: I’m in! On the user’s laptop now.
Neo: What do you see?
Trinity: Scanning… there’s thousands of devices.
Neo: Pull memory—any DAs in there?
Trinity: Yep, running an AD lookup. Pulling group details now.
Neo: Sweet. Find another device, open it up for me.
Trinity: Found an unpatched Linux host. Connected to our C&C.
Neo: Thanks. I’m in. Time to get to work.
Trinity: Scripts are running. Scanning the network… connected to Windows devices now. Outdated AV, unpatched OS…
Neo: Found an engineering lab. These hosts are logged into their SCM platform. Jackpot.
Trinity: Connected to a filer—tons of HR and Finance data. Dumping it now.
Neo: Sweet. I’m dumping source code.
Trinity: Found old vendor accounts. Reset passwords. We’ve got persistence for return trips.
Neo: We’ve got access to 4,000 devices. Time to run the ransomware script.
Trinity: Executing now.
Neo: We’ve got the data. Encrypt and bail. Time to send the demands.
Trinity: On it.

Sounds like a scene from The Matrix, right? I wish it were fiction. In reality, these kinds of attacks are disturbingly common. The difference is, real-world hackers operate more like your corporate Slack workspace—multiple threads, teams, and projects running simultaneously.

But here’s the key: These attacks almost always start with one compromised device. A single user clicks a link, a device gets popped, and suddenly it’s open season on your internal network.

The Real Problem: Lateral Movement

Once a bad actor gains a foothold on your network, they move laterally. Scanning, pivoting, escalating privileges. From there, they’re exfiltrating data, deploying ransomware, and creating backdoors for future visits.

Our job as security leaders is to stop them before they get to that phase. But let’s be honest—depending on phishing awareness training and hoping no one clicks a malicious link is a losing strategy. I don’t care how many hours of training your team has completed. We’re human. We click links.

Every day, you’re rolling the dice. Hoping that today isn’t the day someone clicks something they shouldn’t. And when they do? You better have a plan in place that doesn’t rely on hope.

Taking a Lesson from Biology

Think about your body’s immune system. Cuts and scrapes happen. But we don’t die from every cut because our bodies contain infections before they spread. We need our networks to work the same way.

No one’s saying you can stop every phishing attack or keep every device clean. But you can make sure an attacker can’t move laterally once they get in.

The Simple Solution: Turn Your Office Network Into a Guest Network

You probably already have a guest Wi-Fi network for visitors. If not, think of Starbucks Wi-Fi. You connect, but you can’t see or talk to any other devices on that network; the access point enforces client isolation, so the only thing a device can reach is the gateway and, through it, the internet. No lateral movement. No visibility into internal systems. You’re isolated.

Now imagine applying that same principle to your entire corporate office network. Treat every user device as if it’s untrusted. Block device-to-device (east-west) traffic inside the user VLANs. No more flat networks with thousands of devices ripe for exploitation.

Den, We’ve Heard This Before

Yeah, I get it. Network segmentation isn’t new. We’ve been slicing and dicing networks for years. But most segmentation strategies are overly complex, fragile, and a nightmare to maintain. Complexity doesn’t equal better security. In fact, it usually means the opposite.

In my experience rolling out Zero Trust programs for large enterprises, I’ve learned that simple works. We don’t need more IP-based ACLs or convoluted firewall rules. What we need is a smarter, identity-based approach.

Here’s how I think about it:

  • Regular users don’t need direct access to the data center. Publish apps to them via a Zero Trust platform—just like you do with SaaS.
  • Admins and engineers should access sensitive systems through identity-based, just-in-time service tunnels—not flat network paths.
  • Guest network rules should apply across your entire office network. No lateral access. No shared network segments. Simple.

How to Get Started

You don’t need to rip and replace everything overnight. Start small. Pick a pilot group, a couple of subnets, and apply strict network access controls. Here’s a high-level approach:

1. Deploy Your Zero Trust Platform

Pick a platform that:

  • Integrates with your Identity Provider (I still like Okta, but you do you).
  • Works with your endpoint detection and response (EDR/XDR) vendor—CrowdStrike is solid, but again, your call.
  • Supports a variety of protocols—not just web apps, but also RDP, SSH, and others.
  • Can replace or augment your VPN with something modern, giving you visibility into app access and user behavior.

2. Publish Apps and Services Securely

Apps that used to live behind VPNs or on flat networks? Publish them securely over the internet with identity-based access controls. Users reach the app only through the Zero Trust broker after authenticating; the app’s origin is never directly reachable from a user device, so there is no network path for a compromised laptop to scan or pivot through.

3. Reroute DNS and Block Peer Traffic

Point user devices at a resolver you control, and drop the local discovery protocols (mDNS, LLMNR, NetBIOS name service) that let a compromised host enumerate its neighbours without ever touching DNS. Block device-to-device traffic in the user VLANs, using client isolation or private VLANs, with exceptions only for the gateway, the resolver, and the Zero Trust broker. Segment IoT, printers, and video conferencing onto separate VLANs or network segments; users print through a published print service, not by talking to the printer directly.

4. Pilot, Learn, Expand

Start with a small group. Work out the kinks. Then move to additional subnets and locations. It doesn’t have to be perfect or finished in one sprint. Every subnet you convert to guest-mode reduces risk.

5. M&A Tip

Mergers and acquisitions? Don’t connect their networks to yours. Period. Require all new users to access your corporate apps through your Zero Trust platform from day one.
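Before expanding a pilot, it helps to audit what the converted subnets actually do. The script below is an added example, not code from the original post or from any Zero Trust product: it takes flow records (constructed sample data, one flow per line) and checks them against the three rules above, namely that a user device may reach the gateway, the DNS resolver, the Zero Trust broker and the internet, and nothing else. Peer traffic inside the user VLAN, direct data-centre access that bypasses the broker, local discovery protocols, and traffic to any other internal range (an acquired company’s network, say) are all flagged. All subnets, addresses and port lists are assumptions for the example.

```python
"""Audit office-network flows against a "guest-mode" policy.

Added example for the post above; everything here (subnets, broker address,
flow records) is constructed sample data, not real traffic or real policy.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Policy (assumed ranges for the example; substitute your own).
USER_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]   # office user VLANs
DC_SUBNETS = [ipaddress.ip_network("10.200.0.0/16")]    # data centre
ALLOWED_INTERNAL = {                                    # only internal endpoints a user device may reach
    ipaddress.ip_address("10.10.0.1"): "gateway",
    ipaddress.ip_address("10.10.0.53"): "dns-resolver",
    ipaddress.ip_address("10.200.1.10"): "zt-broker",   # assumed address of the Zero Trust connector
}
# Local name-resolution/discovery protocols a foothold uses to enumerate neighbours.
DISCOVERY_PORTS = {5353: "mDNS", 5355: "LLMNR", 137: "NetBIOS-NS", 138: "NetBIOS-DGM", 1900: "SSDP"}


@dataclass
class Finding:
    src: str
    dst: str
    proto: str
    dport: int
    verdict: str   # "ok" or a violation class
    detail: str


def _in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in n for n in nets)


def classify(line: str) -> Optional[Finding]:
    """Classify one flow record 'src dst proto dport'.

    Returns None for sources outside the user VLANs: only user devices are
    held to guest-network rules in this audit.
    """
    src_s, dst_s, proto, dport_s = line.split()
    src, dst, dport = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s), int(dport_s)
    if not _in_any(src, USER_SUBNETS):
        return None
    if proto == "udp" and dport in DISCOVERY_PORTS:
        # Checked before the allow-list: discovery to the gateway is still discovery.
        return Finding(src_s, dst_s, proto, dport, "discovery", DISCOVERY_PORTS[dport])
    if dst in ALLOWED_INTERNAL:
        return Finding(src_s, dst_s, proto, dport, "ok", ALLOWED_INTERNAL[dst])
    if _in_any(dst, USER_SUBNETS):
        return Finding(src_s, dst_s, proto, dport, "peer", "east-west traffic inside user VLAN")
    if _in_any(dst, DC_SUBNETS):
        return Finding(src_s, dst_s, proto, dport, "direct-dc", "bypasses the Zero Trust broker")
    if dst.is_private:
        return Finding(src_s, dst_s, proto, dport, "other-internal", "unexpected internal range")
    return Finding(src_s, dst_s, proto, dport, "ok", "internet egress")


def audit(lines: Iterable[str]) -> Dict[str, List[Finding]]:
    """Group findings by verdict; every key other than 'ok' is a policy violation."""
    out: Dict[str, List[Finding]] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        finding = classify(line)
        if finding is not None:
            out.setdefault(finding.verdict, []).append(finding)
    return out


def violations(lines: Iterable[str]) -> Dict[str, List[Finding]]:
    return {k: v for k, v in audit(lines).items() if k != "ok"}


# Constructed sample flows: src dst proto dport
SAMPLE_FLOWS = """\
10.10.4.21 10.10.0.53 udp 53
10.10.4.21 93.184.216.34 tcp 443
10.10.4.21 10.200.1.10 tcp 443
10.10.4.21 10.10.7.88 tcp 445
10.10.4.21 10.10.7.88 tcp 3389
10.10.4.21 10.10.255.255 udp 137
10.10.4.21 224.0.0.251 udp 5353
10.10.4.21 10.200.5.40 tcp 22
10.10.4.21 172.16.9.5 tcp 443
10.200.5.40 10.200.5.41 tcp 5432
""".splitlines()


if __name__ == "__main__":
    for verdict, items in audit(SAMPLE_FLOWS).items():
        for f in items:
            print(f"{verdict:14} {f.src} -> {f.dst}:{f.dport}/{f.proto}  ({f.detail})")
```

Run it against a day of flow exports from the pilot subnets: every `peer`, `direct-dc` and `discovery` line is either an ACL that has not been applied yet or a dependency you need to publish through the broker before the subnet can go to guest mode. The allow-list is deliberately tiny; if a new entry seems necessary, ask whether the service should be a published app instead.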

Progress Over Perfection

Security isn’t about hitting perfection—it’s about reducing risk wherever and whenever you can. Treat your office networks like guest networks, and you’ll limit an attacker’s ability to move laterally. That’s a huge win.

Compromises will happen. But when they do, the damage can be contained.

About the author

Den Jones is a Zero Trust security pioneer with over 35 years of experience in IT and security. Formerly Chief Security Officer at SonicWall, he has protected over 150,000 employees globally. An influential figure in cybersecurity, he also produces music and enjoys various outdoor activities. Connect with Den Jones on LinkedIn.
