Measuring Ransomware Lateral Movement Susceptibility via Privilege-Weighted Adjacency Matrix Exponentiation

Satyam Tyagi, Ganesh Murugesan

TL;DR

This work develops a probabilistic, privilege-aware graph framework for measuring ransomware lateral movement susceptibility and blast radius. By lifting the state to represent landing services and using a probabilistic path operator $\otimes$ together with a probabilistic union $\oplus$, it computes a monotone fixed-point $K$-hop compromise probability matrix $P_K$ and derives two deployable metrics: LMS$_K$ and BRE$_K$. The model remains CVE-agnostic, emphasizes high-pivot edges (interactive remote services) and policy-driven reductions, and aligns with Zero Trust guidance while supporting microsegmentation decisions. Empirical examples show that pruning high-pivot edges yields substantial reductions in LMS$_K$ and BRE$_K$, which gives practitioners a concrete way to prioritize the controls that shrink the attack surface.

Abstract

Ransomware impact hinges on how easily an intruder can move laterally and spread to the maximum number of assets. We present a graph-theoretic formulation that casts lateral movement as a path-closure problem over a probability semiring to measure lateral-movement susceptibility and estimate blast radius. We build a directed multigraph where vertices represent assets and edges represent reachable services (e.g., RDP/SSH) between them. We model lateral movement as a probabilistic process using a pivot potential factor $\pi(s)$ for each service, with step successes composed via a probabilistic path operator $\otimes$ and alternative paths aggregated via a probabilistic union $\oplus$ (noisy-OR). This yields a monotone fixed-point (iterative) computation of a $K$-hop compromise probability matrix that captures how compromise propagates through the network. Metrics derived from this model include: (1) Lateral-Movement Susceptibility (LMS$_K$): the average probability of a successful lateral movement between any two assets (0-1 scale); and (2) Blast-Radius Estimate (BRE$_K$): the expected percentage of assets compromised in an average attack scenario. Interactive services (SSH 22, RDP 3389) receive higher $\pi(s)$ than app-only ports (MySQL 3306, MSSQL 1433), which seldom enable pivoting without an RCE. Across anonymized enterprise snapshots, pruning high-$\pi(s)$ edges yields the largest LMS$_K$/BRE$_K$ drop, aligning with CISA guidance, MITRE ATT&CK (TA0008: Lateral Movement), and NIST SP 800-207. The framework evaluates (micro)segmentation and helps prioritize controls that reduce lateral-movement susceptibility and shrink blast radius.
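The following is an added worked example, not code from the paper, of the computation the abstract sketches: a per-edge pivot matrix $W$ built by noisy-OR over the services exposed on each edge (Figure 4), the $K$-hop compromise matrix obtained by iterating $P_{k+1} = I \oplus (W \otimes P_k)$ with $P_0 = I$ (one concrete realization of the monotone fixed point; the paper's own recurrence may differ in detail), and LMS$_K$ / BRE$_K$ read off from it. The $\pi(s)$ values, the four-asset snapshot, and the exact averaging used for the two metrics (mean over ordered pairs $u \neq v$ for LMS$_K$; mean over start assets of the expected fraction of compromised assets, foothold included, for BRE$_K$) are assumptions of this example. The `rank_prunes` helper then scores every $(u,v)$ edge set by the LMS$_K$ drop from cutting it, which is how the "prune high-$\pi(s)$ edges first" guidance shows up numerically.

```python
"""Added worked example (not the paper's code): K-hop compromise probability
matrix over the (product, noisy-OR) path semiring, plus LMS_K and BRE_K.

Assumptions, not taken from the paper: the per-service pivot potentials PI,
the four-asset toy graph, the recurrence P_{k+1} = I (+) (W (x) P_k), and the
exact averaging behind LMS_K and BRE_K.
"""
from typing import Dict, Iterable, List, Tuple

Matrix = List[List[float]]
Edge = Tuple[int, int, str]

# Assumed pivot potentials pi(s): interactive remote services pivot easily,
# an app-only port rarely does without an RCE.  Illustrative values only.
PI: Dict[str, float] = {"ssh": 0.8, "rdp": 0.7, "mysql": 0.1}


def noisy_or(ps: Iterable[float]) -> float:
    """Probabilistic union (+): P(at least one alternative succeeds)."""
    q = 1.0
    for p in ps:
        q *= 1.0 - p
    return 1.0 - q


def identity(n: int) -> Matrix:
    return [[1.0 if u == v else 0.0 for v in range(n)] for u in range(n)]


def pivot_matrix(n: int, edges: Iterable[Edge]) -> Matrix:
    """W[u][v] = noisy-OR of pi(s) over every service s reachable u -> v
    (one multigraph edge per exposed service, as in Figure 4)."""
    per_pair: Dict[Tuple[int, int], List[float]] = {}
    for u, v, s in edges:
        per_pair.setdefault((u, v), []).append(PI[s])
    W = [[0.0] * n for _ in range(n)]
    for (u, v), ps in per_pair.items():
        W[u][v] = noisy_or(ps)
    return W


def extend(W: Matrix, P: Matrix) -> Matrix:
    """(W (x) P)[u][v] = (+)_w W[u][w] * P[w][v]: one hop u -> w, then any
    already-counted route w -> v; the alternatives over w are noisy-OR'd."""
    n = len(W)
    return [[noisy_or(W[u][w] * P[w][v] for w in range(n)) for v in range(n)]
            for u in range(n)]


def k_hop_matrix(W: Matrix, K: int) -> Matrix:
    """P_0 = I,  P_{k+1} = I (+) (W (x) P_k).  Entries never decrease in k
    (monotone) and stop changing once k exceeds the longest useful path.
    Like any power-series closure this counts walks, so hosts may be revisited;
    the result is therefore an upper bound on simple-path compromise."""
    n = len(W)
    P = identity(n)
    for _ in range(K):
        step = extend(W, P)
        P = [[noisy_or((1.0 if u == v else 0.0, step[u][v])) for v in range(n)]
             for u in range(n)]
    return P


def lms(P: Matrix) -> float:
    """LMS_K: mean compromise probability over ordered pairs u != v."""
    n = len(P)
    return sum(P[u][v] for u in range(n) for v in range(n) if u != v) / (n * (n - 1))


def bre(P: Matrix) -> float:
    """BRE_K: expected fraction of assets compromised from a uniformly chosen
    foothold u (the foothold itself counts, since P[u][u] = 1)."""
    n = len(P)
    return sum(P[u][v] for u in range(n) for v in range(n)) / (n * n)


def rank_prunes(n: int, edges: List[Edge], K: int) -> List[Tuple[float, Tuple[int, int]]]:
    """Score every (u, v) pair by the LMS_K drop from cutting all of its
    services; the segmentation rule with the largest payoff comes first."""
    base = lms(k_hop_matrix(pivot_matrix(n, edges), K))
    pairs = sorted({(u, v) for u, v, _ in edges})
    scored = []
    for cut in pairs:
        kept = [e for e in edges if (e[0], e[1]) != cut]
        scored.append((base - lms(k_hop_matrix(pivot_matrix(n, kept), K)), cut))
    return sorted(scored, reverse=True)


# Constructed snapshot: 0 = workstation, 1 = jump host, 2 = app server, 3 = DB.
EDGES: List[Edge] = [(0, 1, "rdp"), (1, 2, "ssh"), (1, 2, "rdp"),
                     (0, 2, "mysql"), (2, 3, "mysql")]

if __name__ == "__main__":
    W = pivot_matrix(4, EDGES)
    P3 = k_hop_matrix(W, 3)
    print(f"LMS_3 = {lms(P3):.4f}  BRE_3 = {bre(P3):.4f}")
    for drop, (u, v) in rank_prunes(4, EDGES, 3):
        print(f"cut {u}->{v}: LMS_3 drops by {drop:.4f}")
```

On this snapshot the jump host's SSH+RDP multi-edge ($W_{12} = 1 - 0.2 \cdot 0.3 = 0.94$) dominates: cutting it lowers LMS$_3$ by about 0.141, versus about 0.004 for cutting the low-$\pi$ MySQL edge, which is the qualitative result the abstract reports for real snapshots. Because the recurrence is monotone in $K$, a higher $K$ can only raise the metrics, so compare snapshots or candidate prunes at the same $K$.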

Paper Structure

This paper contains 42 sections, 35 equations, 11 figures.

Figures (11)

  • Figure 1: Directed graph and its adjacency matrix $A$.
  • Figure 2: Length-2 paths. Boolean square $A^{[2]}$ (entry $(u,v)=1$ iff some $w$ gives $u\!\to\!w\!\to\!v$ under Boolean product).
  • Figure 3: Boolean-OR reachability up to length 2. Combines self-reachability, 1-step, and 2-step paths.
  • Figure 4: Pivot potential matrix $W$ via noisy-OR aggregation over services on each edge.
  • Figure 8: Directed graph and its adjacency matrix $A$.
  • ...and 6 more figures