WatchGuard Blog

85% of Attacks Leverage RDP for Lateral Movement

Discover why lateral movement is hard to detect and how to catch it before it’s too late.

Ransomware is pivoting toward faster, more targeted data-extortion models, where encryption is no longer the primary objective. According to WatchGuard’s 2026 cybersecurity predictions, crypto-ransomware will lose ground to models driven by data exfiltration and reputational leverage, lowering the technical bar for threat actors while increasing their attack velocity.

This shift has a direct consequence. The focus of the attack has moved from the initial breach to lateral movement within the network. In this landscape, internal trusted tools such as Remote Desktop Protocol (RDP) have become among the most effective tactics for lateral movement.

Data from Google Threat Intelligence (GTIG) shows that RDP is present in 85% of such attacks, highlighting a clear trend: attackers are ditching complex malware in favor of ‘living off the land’, using legitimate tools to stay invisible.

It’s no longer just about how attackers get in; it’s about what they do once inside.

RDP: The Stealthy Threat Vector

RDP is a reliable tool, widely used by administrators and MSPs for remote device management. This is why it has become a favorite attack vector: it allows attackers to blend in with business-as-usual traffic, often going unnoticed for prolonged periods, during which they can cause significant damage. Cybercriminals exploit RDP to:

  • Escalate privileges using compromised credentials.
  • Navigate between systems undetected.
  • Set the stage for data theft or launching attacks without triggering obvious alerts.

For MSPs, the challenge is even greater. They must learn to discern between legitimate sessions and malicious intent across a variety of environments, many of which include RDP as a constant in daily operations.

The Real Challenge: Spotting Danger in the Mundane

For MSPs who manage countless endpoints and clients, most daily actions appear routine: remote logins, data transfers, and configuration changes. It is precisely this ‘normalcy’ that cybercriminals seek – and which makes detection more difficult. If they can mask themselves within legitimate processes, they can move undetected through networks and cause significant damage.

This creates a new hurdle: separating legitimate sessions from unauthorized behavior in a landscape where both look virtually identical. This process can be daunting, especially for MSPs already buried in alerts, which limit their operational output and slow response times.

Solving this problem requires a more structured strategy centered on:

  • Around-the-clock endpoint monitoring, with behavioral threat detections and clear incident visibility.
  • Event correlation, which turns isolated data points into actionable alerts.
  • Incident prioritization based on real-world risk, so teams focus on what matters most.

By adopting this model, teams can spot anomalies hiding behind ‘normal’ activity, cutting through the noise and significantly improving response.

How to Detect and Stop Lateral Movement in Practice

AI-powered EDR solutions tackle this head-on by consolidating prevention, detection, and response into a single platform. However, the real game changer isn't just detecting threats; it’s the continuous visibility and behavioral context they provide MSPs, enabling them to better protect their clients and scale their business. In practice, this means:

  • Full-spectrum endpoint visibility, unifying telemetry across processes, connections, and users, and root cause analysis so teams understand the scope and origin of threats.
  • Lateral movement detection, identifying unusual RDP logins, credential manipulation, and suspicious connection patterns, mapping alerts to the MITRE ATT&CK framework.
  • Automated incident correlation, connecting and correlating multiple events to trace an attack’s full storyline, helping teams focus their efforts and reducing alert fatigue.
  • Endpoint isolation and response, quarantining devices and terminating suspicious processes, with analysis and direct mitigation performed via remote access or remote shell tools.
  • Multi-tenant consoles for higher operational efficiency, empowering MSPs to manage more clients without increasing overhead or complexity.
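To make the “unusual RDP logins” and “incident correlation” points above concrete, here is a small added detection example (not WatchGuard code, and not part of the original post). It assumes Windows Security event 4624 logons have already been collected, uses LogonType 10 (RemoteInteractive) as the RDP marker, correlates them per user and source address, and raises one alert when the same actor reaches several distinct hosts inside a short window, tagging it with the MITRE ATT&CK technique for RDP lateral movement. The event records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): Windows Security 4624 logons.
# LogonType 10 = RemoteInteractive, i.e. an RDP session; type 3 is a network logon.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "host": "FS01",  "user": "j.doe", "src": "10.0.5.23", "logon_type": 10},
    {"time": "2024-05-01T09:04:00", "host": "DB01",  "user": "j.doe", "src": "10.0.5.23", "logon_type": 10},
    {"time": "2024-05-01T09:07:00", "host": "APP02", "user": "j.doe", "src": "10.0.5.23", "logon_type": 10},
    {"time": "2024-05-01T09:09:00", "host": "DC01",  "user": "j.doe", "src": "10.0.5.23", "logon_type": 10},
    {"time": "2024-05-01T10:30:00", "host": "WS17",  "user": "admin", "src": "10.0.9.4",  "logon_type": 10},
    {"time": "2024-05-01T14:10:00", "host": "FS01",  "user": "admin", "src": "10.0.9.4",  "logon_type": 10},
    {"time": "2024-05-01T09:05:00", "host": "FS01",  "user": "svc",   "src": "10.0.5.23", "logon_type": 3},
]

ATTACK_TECHNIQUE = "T1021.001"  # MITRE ATT&CK: Remote Services: Remote Desktop Protocol


def detect_rdp_fan_out(events, min_hosts=3, window=timedelta(minutes=15)):
    """Correlate RDP (LogonType 10) logons per (user, source IP) and return one
    alert per actor that reaches min_hosts distinct destinations within window."""
    rdp = sorted((e for e in events if e["logon_type"] == 10), key=lambda e: e["time"])
    by_actor = defaultdict(list)
    for e in rdp:
        by_actor[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), seq in by_actor.items():
        # Sliding window: from each logon, collect distinct hosts reached before
        # the window closes; the first window that hits the threshold alerts.
        for i, start in enumerate(seq):
            t0 = datetime.fromisoformat(start["time"])
            hosts = []
            for e in seq[i:]:
                if datetime.fromisoformat(e["time"]) - t0 > window:
                    break
                if e["host"] not in hosts:
                    hosts.append(e["host"])
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "src": src, "hosts": hosts,
                               "first_seen": start["time"], "technique": ATTACK_TECHNIQUE})
                break  # one correlated alert per actor keeps alert volume down
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_fan_out(SAMPLE_EVENTS):
        print(alert)
```

Tune `min_hosts` and `window` per tenant: a jump host used by many admins needs a higher threshold than a workstation that should rarely originate RDP sessions at all.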

Visibility and Context: The New Front Line of Defense

It’s no coincidence that 85% of cyber-attacks leverage RDP. It is a good reminder of how cybercriminals today operate: ‘living off the land’, using trusted tools to stay invisible. The more an attack looks like business-as-usual, the harder it is for an organization to spot – and the more likely it is to succeed. That’s where the real challenge lies for MSPs. Endpoint security is no longer just about prevention; it’s about clear visibility and behavioral context for quicker, more accurate detections, paired with rapid response. Transitioning to this model doesn’t just neutralize lateral movement; it builds security ops that are more efficient, scalable, and resilient against today’s evolving threats.
