
Figure 1: LATERAL = 1ATE241 license plate
Driving my daughter to school, we were discussing a classic probability question: “What are the odds a 4‑digit license plate has at least one repeated digit?” Listing cases gets messy fast (first two same, last two same, all three the same…). Instead, we used the complement rule: compute the chance that no digits repeat and subtract from 1.
No‑repeat probability = 10/10 × 9/10 × 8/10 × 7/10.
Therefore, P(at least one repeat) = 1 − (9×8×7) / 10³ = 0.496 — almost 50%.
That simple trick — count the clean case, subtract the rest — is the mental bridge to our lateral movement model.

Figure 2: Deterministic reachability slide that precedes the probabilistic model
We represent the environment as a directed graph: nodes are assets (workloads, servers, databases); edges mean an attacker can plausibly pivot (RDP/SSH/WinRM/SMB, identity flow, service account).
Read details in our original lateral‑movement + microsegmentation graph theory post.

Figure 3: Presenting “Lateral Movement — Probabilistic Extension” at ICRAGT
Probabilistic Extension: Modeling Lateral Movement
In the probabilistic model, each edge carries a pivot potential (probability between 0 and 1) that reflects how you landed (service) and what privilege you hold, as privilege determines if you can pivot further.
When attackers chain steps, sequential hops compose; when they have multiple alternatives, those alternatives union. The core operators we use mirror the complement trick from the car ride.
Our Operators: The Complement Rule in Disguise
That license-plate trick—compute the clean case and subtract from 1—is exactly the DNA of our operators. To model lateral movement, we need two simple moves:
1) Alternatives (⊕) = combine alternate paths
If you have several independent ways to reach a target, only one needs to succeed for the overall attack to be successful; the attack fails only if all of them fail.
Plain English: if you have several independent shots on goal, the overall chance goes up.
Math: a ⊕ b = 1 − (1 − a) × (1 − b)
Tiny example: two alternate paths with 0.3 and 0.4 chance → 1 − ( 0.7 × 0.6 ) = 0.58.
2) Sequence (⊗) = compose hops
If an attack requires multiple sequential hops, every single step must succeed for the overall path to be successful.
Plain English: the path succeeds only if every step succeeds.
Math: a ⊗ b = a × b
Tiny example: 0.7 for the first hop and 0.6 for the second → 0.7 × 0.6 = 0.42.
Put simply: ⊕ handles “many ways in,” ⊗ handles “step-by-step.”
Both are just tidy applications of the complement rule from that car-ride puzzle.
Consider four nodes: i, j, k, ℓ. There are two ways to go from i to ℓ.

Figure 4: Two paths with two hops example
Path A (via j, using RDP):
Path B (via k, using HTTP):
Combine the two paths (complement rule):
“Reach ℓ by A or B” = 1 − (A fails and B fails)
= 1 − ((1 − 0.64) × (1 − 0.09))
= 1 − (0.36 × 0.91)
= 1 − 0.3276 = 0.6724
Result: Starting at i, the chance to reach ℓ through these two routes is 0.6724 (≈ 67%).
If you restrict RDP so each RDP hop drops to 0.4, then Path A = 0.4 × 0.4 = 0.16.
Combined: 1 − (1 − 0.16) × (1 − 0.09) = 1 − (0.84 × 0.91) = 0.2356 (big drop).
If you restrict HTTP so each HTTP hop drops to 0.1, then Path B = 0.1 × 0.1 = 0.01.
Combined: 1 − (1 − 0.64) × (1 − 0.01) = 1 − (0.36 × 0.99) = 0.6436 (smaller drop).
Takeaway: Restricting the high-probability pivot (RDP here) shrinks reachability far more than restricting a low-probability path (HTTP here) — exactly the kind of prioritization this model is meant to surface.
In the real world, there will be many paths and many nodes, and there we leverage the complete probabilistic matrix union and composition, but the core idea remains the same.
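The four-node example generalized to any small directed graph, as an added sketch that is not ColorTokens' code: it enumerates loop-free paths, applies ⊗ along each and ⊕ across them, then ranks which protocol restriction shrinks reachability most. The per-hop values 0.8 (RDP) and 0.3 (HTTP) are assumptions chosen to match the path totals 0.64 and 0.09 above; all function names are hypothetical, and `l` stands for ℓ.

```python
from math import prod

# Constructed sample graph: (src, dst) -> (protocol, pivot potential).
# Assumed per-hop values: 0.8 * 0.8 = 0.64 (Path A), 0.3 * 0.3 = 0.09 (Path B).
EDGES = {
    ("i", "j"): ("RDP", 0.8), ("j", "l"): ("RDP", 0.8),
    ("i", "k"): ("HTTP", 0.3), ("k", "l"): ("HTTP", 0.3),
}

def seq(*ps):
    """Sequence operator: every hop must succeed."""
    return prod(ps)

def alt(*ps):
    """Alternatives operator: 1 - P(every alternative fails).
    Assumes the alternatives are independent, as the text does; paths that
    share an edge are not, so treat the result as an estimate there."""
    return 1 - prod(1 - p for p in ps)

def simple_paths(edges, src, dst, seen=()):
    """Yield each loop-free path from src to dst as a list of edge keys."""
    if src == dst:
        yield []
        return
    visited = seen + (src,)
    for (u, v) in edges:
        if u == src and v not in visited:
            for rest in simple_paths(edges, v, dst, visited):
                yield [(u, v)] + rest

def reach(edges, src, dst):
    """Probability of reaching dst from src: seq along paths, alt across them."""
    return alt(*(seq(*(edges[e][1] for e in path))
                 for path in simple_paths(edges, src, dst)))

def restrict(edges, protocol, cap):
    """Copy of the graph with every edge of one protocol capped at `cap`."""
    return {e: (proto, min(p, cap) if proto == protocol else p)
            for e, (proto, p) in edges.items()}

def rank_restrictions(edges, src, dst, caps):
    """Sort candidate restrictions by how much reachability they remove."""
    base = reach(edges, src, dst)
    drops = {proto: base - reach(restrict(edges, proto, cap), src, dst)
             for proto, cap in caps.items()}
    return sorted(drops.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print(round(reach(EDGES, "i", "l"), 4))
    print(rank_restrictions(EDGES, "i", "l", {"RDP": 0.4, "HTTP": 0.1}))
```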
I’ve presented at security conferences like RSA and Black Hat, but addressing an audience of mathematicians and post-grad students was a uniquely humbling experience. It felt like we were following in the tradition of math: taking its powerful theories and extending them to solve our lateral movement puzzle. The most rewarding moment came when a faculty member validated the work as a practical application of graph theory to cybersecurity, adding the astute observation that for a mathematician, our specialized ‘lateral path’ is simply a ‘path’. That connection, the acknowledgment, and the joy of connecting the two worlds of cybersecurity and math, is what made the experience so special.
The post License Plates to Lateral Movement: How a School Probability Trick Helps Model It appeared first on ColorTokens.
*** This is a Security Bloggers Network syndicated blog from ColorTokens authored by Satyam Tyagi. Read the original post at: https://colortokens.com/blogs/lateral-movement-probability-microsegmentation/