Edge-device blind spots

- A security vendor warned that attackers are exploiting overlooked edge devices to move inside corporate networks.
- Those intruders leave traces in east-west traffic that Network Detection and Response (NDR) tools can observe.
- The vendor urged teams to add internal monitoring and segmentation to catch lateral movement (x.com).

Attackers are increasingly breaking into routers, firewalls, and virtual private network (VPN) gateways, then moving across internal networks where many companies have less visibility. (cloud.google.com) Those internet-facing systems sit at the network edge, and the Cybersecurity and Infrastructure Security Agency (CISA) says they are prime targets because they are exposed to the public internet and often suffer from weak settings, misconfigurations, or end-of-support software. CISA says intruders use those footholds to gain initial access, move laterally, and stay hidden for long periods. (cisa.gov)

Google Cloud's Mandiant unit said on April 23, 2025 that exploits were the most common initial infection vector in its 2024 investigations, accounting for 33% of cases, while stolen credentials rose to 16%. The report drew special attention to edge devices and other platforms that often cannot run endpoint detection and response (EDR) tools. (cloud.google.com) In plain terms, endpoint tools watch laptops and servers for suspicious behavior, but many edge appliances cannot host that software. That leaves defenders relying on logs and network traffic to spot what an attacker does after the first break-in. (cisa.gov)

That is where east-west traffic comes in: the data moving between internal systems after an intruder is already inside. CISA and other defenders have repeatedly told organizations to establish a baseline of normal network activity and tune network and host tools to detect deviations from it, because lateral movement often happens inside trusted zones that perimeter tools never see. (cisa.gov)

The pattern has shown up in real incidents. In a red-team assessment CISA disclosed on February 28, 2023, testers gained persistent access, moved laterally across multiple sites, and reached systems adjacent to sensitive business systems without the organization detecting the activity during the assessment. (cisa.gov)

Government guidance has shifted toward harder internal boundaries as a result. CISA's February 4, 2025 edge-device guidance highlighted default logging, remote log collection, and operational practices for monitoring these appliances, while later ransomware guidance told organizations to segment networks to restrict lateral movement. (cisa.gov, cisa.gov)

Mandiant's 2025 report also underscored how fast the problem moves. It said more than a dozen threat groups exploited one zero-day within two weeks of disclosure, a pace that leaves little time to patch an exposed edge device before an attacker starts probing the inside of the network. (securityboulevard.com)

The practical takeaway is not to stop watching the perimeter, but to stop treating the inside of the network as safe by default. Once an edge device is compromised, the clearest signs may be the sideways traffic it generates next. (cisa.gov, cisa.gov)
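What that "sideways traffic" looks like in practice, and how the baseline-then-flag approach CISA recommends can be applied to it, is easier to see with a concrete detector. The following is an added example written for this page, not code from CISA, Mandiant or any NDR vendor. It assumes a simplified flow-log format (timestamp, source, destination, destination port), an assumed internal address range of 10.0.0.0/8, and assumed inside-facing addresses for a firewall and a VPN gateway; the log lines are constructed for illustration. The idea generalizes beyond the text: the baseline is built from all east-west flows, and an edge device is flagged when it opens admin-port connections (SSH, SMB, RDP, WinRM) to internal hosts it never talked to during the baseline, with a second, louder alert when it fans out to several such hosts in a short window.

```python
"""Baseline-and-deviate detection for east-west traffic from edge devices.

Added example for this page; not vendor or agency code. Flow records are
constructed, in a NetFlow-like shape: ts,src,dst,dport. The address
ranges, device names, ports and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space and the inside-facing addresses of the
# edge appliances whose east-west behaviour we want to watch.
INTERNAL = ip_network("10.0.0.0/8")
EDGE_DEVICES = {"10.0.0.1": "fw-edge-01", "10.0.0.2": "vpn-gw-01"}

# Ports an intruder typically reaches for once inside (assumed list).
ADMIN_PORTS = {22: "ssh", 135: "rpc", 445: "smb", 3389: "rdp",
               5985: "winrm", 5986: "winrm-tls"}

# Constructed baseline: a month of "normal" traffic. Note the VPN gateway
# only talks to LDAP/RADIUS, and the jump host SSHes *into* the gateway.
BASELINE_LOG = [
    "2025-03-01T09:00:00,10.0.0.2,10.0.5.10,389",   # vpn gw -> ldap
    "2025-03-01T09:00:05,10.0.0.2,10.0.5.11,1812",  # vpn gw -> radius
    "2025-03-01T09:01:00,10.0.0.1,10.0.5.20,514",   # firewall -> syslog
    "2025-03-01T09:02:00,10.0.20.5,10.0.5.30,445",  # workstation -> file server
    "2025-03-01T09:03:00,10.0.9.7,10.0.0.2,22",     # jump host -> vpn gw (ssh)
]

# Constructed observation window after a hypothetical gateway compromise.
OBSERVED_LOG = [
    "2025-04-10T02:10:00,10.0.0.2,10.0.5.10,389",     # baselined, ignored
    "2025-04-10T02:11:00,10.0.0.2,10.0.5.30,445",     # gw -> file server SMB (new)
    "2025-04-10T02:12:30,10.0.0.2,10.0.5.31,445",     # gw -> second server SMB (new)
    "2025-04-10T02:14:00,10.0.0.2,10.0.9.7,22",       # gw -> jump host SSH (direction reversed)
    "2025-04-10T02:16:00,10.0.0.2,10.0.5.40,3389",    # gw -> RDP (new)
    "2025-04-10T02:30:00,10.0.20.5,10.0.5.30,445",    # ordinary workstation, not an edge src
    "2025-04-10T03:00:00,10.0.0.2,198.51.100.9,443",  # north-south, out of scope here
]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts,src,dst,dport' line of the constructed log format."""
    ts, src, dst, dport = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))


def build_baseline(flows):
    """Set of (src, dst, dport) triples seen between two internal hosts.

    Direction is part of the key: a jump host SSHing into the gateway is
    normal, the gateway SSHing into the jump host is not.
    """
    return {(f.src, f.dst, f.dport) for f in flows
            if ip_address(f.src) in INTERNAL and ip_address(f.dst) in INTERNAL}


def detect_edge_lateral_movement(flows, baseline,
                                 window=timedelta(minutes=10), fanout=3):
    """Flag edge devices that open new admin-port connections internally.

    Returns a list of findings:
      ("new_admin_peer", device, dst, service)  per never-seen triple
      ("admin_fanout", device, n_hosts, ts)     once per device when it
                                                reaches `fanout` distinct
                                                new hosts inside `window`
    """
    findings, new_by_src, fired = [], defaultdict(list), set()
    for f in sorted(flows, key=lambda x: x.ts):
        if f.src not in EDGE_DEVICES or f.dport not in ADMIN_PORTS:
            continue
        if ip_address(f.dst) not in INTERNAL:        # north-south: not our signal
            continue
        if (f.src, f.dst, f.dport) in baseline:      # already normal
            continue
        name = EDGE_DEVICES[f.src]
        findings.append(("new_admin_peer", name, f.dst, ADMIN_PORTS[f.dport]))
        new_by_src[f.src].append(f)
        recent = {x.dst for x in new_by_src[f.src] if f.ts - x.ts <= window}
        if len(recent) >= fanout and f.src not in fired:
            fired.add(f.src)
            findings.append(("admin_fanout", name, len(recent), f.ts.isoformat()))
    return findings


def run_example():
    baseline = build_baseline(parse_flow(l) for l in BASELINE_LOG)
    return detect_edge_lateral_movement([parse_flow(l) for l in OBSERVED_LOG], baseline)


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

On the constructed input the detector reports four `new_admin_peer` findings for vpn-gw-01 (two SMB servers, the jump host over SSH, and an RDP host) and one `admin_fanout` at 02:14, when the third distinct new host falls inside the ten-minute window. The workstation's SMB flow and the gateway's outbound HTTPS are ignored, which is the point: the signal is not "traffic through the edge device" but "the edge device itself acting like a client on ports it never used before." A real deployment would build the baseline from weeks of flow data per device rather than a handful of lines, and would treat the reversed SSH direction as its own high-severity case.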

Shared from Scout - Be the smartest in the room.