Ransomware impact hinges on how easily an intruder can move laterally and spread to the maximum number of assets. We present a graph-theoretic formulation that casts lateral movement as a path-closure problem over a probability semiring to measure lateral-movement susceptibility and estimate blast radius. We build a directed multigraph where vertices represent assets and edges represent reachable services (e.g., RDP/SSH) between them. We model lateral movement as a probabilistic process using a pivot potential factor $π(s)$ for each service, with step successes composed via a probabilistic path operator \( \otimes \) and alternative paths aggregated via a probabilistic union \( \oplus \) (noisy-OR). This yields a monotone fixed-point (iterative) computation of a $K$-hop compromise probability matrix that captures how compromise propagates through the network. Metrics derived from this model include: (1) Lateral-Movement Susceptibility (LMS$_K$): the average probability of a successful lateral movement between any two assets (0-1 scale); and (2) Blast-Radius Estimate (BRE$_K$): the expected percentage of assets compromised in an average attack scenario. Interactive services (SSH 22, RDP 3389) receive higher $π(s)$ than app-only ports (MySQL 3306, MSSQL 1433), which seldom enable pivoting without an RCE. Across anonymized enterprise snapshots, pruning high-$π(s)$ edges yields the largest LMS$_K$/BRE$_K$ drop, aligning with CISA guidance, MITRE ATT\&CK (TA0008: Lateral Movement), and NIST SP~800-207. The framework evaluates (micro)segmentation and helps prioritize controls that reduce lateral-movement susceptibility and shrink blast radius.

翻译：勒索软件的影响取决于入侵者横向移动并扩散至最大数量资产的难易程度。本文提出一种图论建模方法，将横向移动视为概率半环上的路径闭合问题，以度量横向移动易感性并估计爆炸半径。我们构建一个有向多重图，其中顶点代表资产，边代表资产间可达的服务（如RDP/SSH）。通过为每个服务设置枢轴潜力因子$π(s)$，将横向移动建模为概率过程：步骤成功概率通过概率路径算子\( \otimes \)组合，替代路径通过概率并集\( \oplus \)（噪声OR）聚合。由此产生$K$跳入侵概率矩阵的单调不动点（迭代）计算，刻画入侵在网络中的传播机制。基于该模型的度量指标包括：（1）横向移动易感性（LMS$_K$）：任意两个资产间成功横向移动的平均概率（0-1标度）；（2）爆炸半径估计（BRE$_K$）：平均攻击场景下预期受入侵资产的百分比。交互式服务（SSH 22、RDP 3389）被赋予高于纯应用端口（MySQL 3306、MSSQL 1433）的$π(s)$值，后者在无远程代码执行漏洞时难以实现枢轴攻击。在匿名化企业网络快照中，剪除高$π(s)$边可使LMS$_K$/BRE$_K$值最大幅度下降，这与CISA指南、MITRE ATT&CK框架（TA0008：横向移动）及NIST SP~800-207标准相符。该框架可用于评估（微）分段策略，并辅助确定优先控制措施以降低横向移动易感性、缩小爆炸半径。