Given Ascension’s decision not to discuss the attack, there aren’t enough details to offer a full post-mortem of Ascension’s missteps and the measures the company could have taken to prevent the network breach. Generally, though, the one-two pivot indicates a failure to follow various well-established security approaches. One of them is known as defense in depth. The security principle is similar to the reason submarines have layered measures to protect against hull breaches and fight onboard fires: in the event one fails, another will still contain the hazard.
The other neglected approach, known as zero trust, is, as WIRED explains, a “holistic approach to minimizing damage” even when hack attempts do succeed. Zero-trust designs are the direct inverse of the traditional, perimeter-enforced, hard-on-the-outside-soft-on-the-inside approach to network security. Zero trust assumes the network will be breached and builds in the resiliency for it to withstand or contain the compromise anyway.
The ability of a single compromised Ascension-connected computer to bring down the health giant’s entire network in such a devastating way is the strongest indication yet that the company failed its patients spectacularly. Ultimately, the network architects are responsible, but as Wyden has argued, Microsoft deserves blame, too, for failing to make the risks of Kerberoasting and the precautionary measures against it more explicit.
As security expert HD Moore observed in an interview, if the Kerberoasting attack wasn’t available to the ransomware hackers, “it seems likely that there were dozens of other options for an attacker (standard bloodhound-style lateral movement, digging through logon scripts and network shares, etc.).” The point being: Just because a target shuts down one viable attack path is no guarantee that others remain.
All of that is clear. It’s also undeniable that in 2025, there’s no excuse for a company as large and sensitive as Ascension suffering a Kerberoasting attack, and that both Ascension and Microsoft share blame for the breach.
“When I came up with Kerberoasting in 2014, I never thought it would live for more than a year or two,” Medin wrote in a post published the same day as the Wyden letter. “I (erroneously) thought that people would clean up the poor, dated credentials and move to more secure encryption. Here we are 11 years later, and sadly it still works more often than it should.”
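Medin’s point, that Kerberoasting keeps working because service accounts still carry weak, dated credentials and legacy encryption, also says what a defender should be watching for on the domain controllers. The script below is an added example, not code from the article, from Wyden’s letter or from Medin’s post. It runs two detections over constructed sample records modelled on Windows Security event 4769 (“A Kerberos service ticket was requested”): service tickets issued with the legacy RC4-HMAC cipher (TicketEncryptionType 0x17) for user-style service accounts, and one requester pulling tickets for many distinct services within a short window, which looks like SPN enumeration rather than normal use. The simplified record fields, the sample accounts and the window and threshold values are all assumptions to tune per environment.

```python
"""Flag Kerberoasting indicators in constructed Windows Security 4769 records.

Assumed record layout (a flattening of the real event's TargetUserName,
ServiceName and TicketEncryptionType fields):
  time         ISO-8601 timestamp of the request
  requester    account that asked for the service ticket
  service      SPN the ticket was issued for
  svc_account  account that owns the SPN (machine accounts end in '$')
  etype        Kerberos encryption type of the issued ticket
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # legacy cipher: ticket is cheap to crack offline
AES_TYPES = {0x11, 0x12}  # AES128 / AES256 (what Medin hoped people would move to)


def _ev(time, requester, service, svc_account, etype):
    return {"time": time, "requester": requester, "service": service,
            "svc_account": svc_account, "etype": etype}


# Constructed sample events; not real telemetry from any organisation.
SAMPLE_EVENTS = [
    _ev("2025-01-10T09:00:01", "alice", "MSSQLSvc/db01.corp.example:1433", "svc_sql", 0x12),
    _ev("2025-01-10T09:00:30", "alice", "HTTP/intranet.corp.example", "svc_web", 0x12),
    _ev("2025-01-10T09:05:00", "bob", "HTTP/backup01.corp.example", "svc_backup", 0x17),
    _ev("2025-01-10T09:10:00", "WS07$", "HOST/ws07.corp.example", "WS07$", 0x17),
    _ev("2025-01-10T09:12:00", "contractor7", "MSSQLSvc/db01.corp.example:1433", "svc_sql", 0x17),
    _ev("2025-01-10T09:12:10", "contractor7", "HTTP/intranet.corp.example", "svc_web", 0x17),
    _ev("2025-01-10T09:12:20", "contractor7", "HTTP/backup01.corp.example", "svc_backup", 0x17),
    _ev("2025-01-10T09:12:30", "contractor7", "CIFS/files01.corp.example", "svc_files", 0x17),
    _ev("2025-01-10T09:12:40", "contractor7", "exchangeMDB/mail01.corp.example", "svc_mail", 0x17),
    _ev("2025-01-10T09:12:50", "contractor7", "ldap/adfs01.corp.example", "svc_adfs", 0x17),
]


def is_rc4_service_ticket(ev):
    """True for an RC4 ticket against a user-style service account.

    Machine accounts ($) and krbtgt are skipped: their keys are long and
    random, so an RC4 ticket for them is not a practical cracking target.
    """
    acct = ev["svc_account"]
    if acct.endswith("$") or acct.lower() == "krbtgt":
        return False
    return ev["etype"] == RC4_HMAC


def rc4_service_tickets(events):
    return [ev for ev in events if is_rc4_service_ticket(ev)]


def spn_enumeration(events, window_minutes=5, threshold=5):
    """Map requester -> distinct services when one requester asks for
    `threshold` or more different services inside any `window_minutes` span."""
    by_requester = defaultdict(list)
    for ev in events:
        by_requester[ev["requester"]].append(ev)

    hits = {}
    window = timedelta(minutes=window_minutes)
    for requester, evs in by_requester.items():
        evs = sorted(evs, key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within window_minutes
            while times[end] - times[start] > window:
                start += 1
            distinct = {e["service"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                hits[requester] = hits.get(requester, set()) | distinct
    return hits


def triage(events):
    """Summary a SOC analyst could act on: who to look at and which
    service accounts still hand out RC4 tickets and need AES + a long password."""
    rc4 = rc4_service_tickets(events)
    return {
        "rc4_ticket_count": len(rc4),
        "rc4_service_accounts": sorted({ev["svc_account"] for ev in rc4}),
        "enumerating_requesters": sorted(spn_enumeration(events)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The two signals are deliberately separate: the RC4 list is the remediation queue (move those service accounts to AES and rotate their passwords), while the enumeration hit is the incident lead, since a single account fanning out across the SPN catalogue is the visible side of an offline attack that otherwise leaves no further trace.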