Amid Ascension’s decision not to discuss the attack, there aren’t enough details to provide a complete post-mortem of Ascension’s missteps and the measures the company could have taken to prevent the network breach. In general, though, the one-two pivot indicates a failure to follow several well-established security approaches. One of them is known as defense in depth. The security principle is similar to the reason submarines have layered measures to protect against hull breaches and fight onboard fires. In the event one fails, another one will still contain the hazard.
The other neglected approach, known as zero trust, is, as WIRED explains, a “holistic approach to minimizing damage” even when hack attempts do succeed. Zero-trust designs are the direct inverse of the traditional, perimeter-enforced “hard on the outside, soft on the inside” approach to network security. Zero trust assumes the network will be breached and builds in the resiliency for it to withstand or contain the compromise anyway.
The ability of a single compromised Ascension-connected laptop to bring down the health giant’s entire network in such a devastating way is the strongest indication yet that the company failed its patients spectacularly. Ultimately, the network architects are responsible, but as Wyden has argued, Microsoft deserves blame, too, for failing to make the risks of Kerberoasting and the precautionary measures against it more explicit.
As security expert HD Moore observed in an interview, if the Kerberoasting attack hadn’t been available to the ransomware hackers, “it seems likely that there were dozens of other options for an attacker (standard BloodHound-style lateral movement, digging through logon scripts and network shares, etc).” The point being: Just because a target shuts down one viable attack path is no guarantee that others don’t remain.
All of that is true. It’s also undeniable that in 2025, there’s no excuse for an organization as large and sensitive as Ascension suffering a Kerberoasting attack, and that both Ascension and Microsoft share blame for the breach.
“When I came up with Kerberoasting in 2014, I never thought it would live for more than a year or two,” Medin wrote in a post published the same day as the Wyden letter. “I (erroneously) thought that people would clean up the poor, dated credentials and move to safer encryption. Here we are 11 years later, and sadly it still works more often than it should.”
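The cleanup Medin describes comes down to two checks on every account that carries a service principal name: is its password old, and does it still accept RC4 tickets? The following PowerShell audit is an added example, not code from the article or from any party it names; the one-year password-age threshold and the exclusion of the `krbtgt` account are assumptions.

```powershell
# Added example: audit SPN-bearing AD user accounts (the accounts Kerberoasting
# targets) for stale passwords and RC4-permitted Kerberos encryption.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365       # assumption: service passwords rotate yearly
$Rc4 = 0x4                      # msDS-SupportedEncryptionTypes bit: RC4-HMAC
$Aes = 0x8 -bor 0x10            # AES128-CTS | AES256-CTS bits

$props = 'ServicePrincipalName', 'PasswordLastSet',
         'msDS-SupportedEncryptionTypes', 'Enabled'
$accounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }   # assumption: handled separately

$findings = foreach ($a in $accounts) {
    $enc = $a.'msDS-SupportedEncryptionTypes'
    # Null or zero means the account inherits the domain default, which on
    # many domains still includes RC4, so treat it as RC4-permitted.
    $rc4Allowed = (-not $enc) -or (($enc -band $Rc4) -ne 0)
    $aesAllowed = [bool]$enc -and (($enc -band $Aes) -ne 0)
    $ageDays = if ($a.PasswordLastSet) {
        (New-TimeSpan -Start $a.PasswordLastSet -End (Get-Date)).Days
    } else { $null }

    [pscustomobject]@{
        Account       = $a.SamAccountName
        Enabled       = $a.Enabled
        SPNs          = ($a.ServicePrincipalName -join ';')
        PasswordAge   = $ageDays
        StalePassword = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
        RC4Allowed    = $rc4Allowed
        AESOnly       = $aesAllowed -and (-not $rc4Allowed)
    }
}

# Highest-risk rows first: enabled accounts that still accept RC4 and have
# a stale password are the ones an offline ticket-cracking attempt favours.
$findings |
    Sort-Object -Property @{Expression = 'Enabled';       Descending = $true },
                          @{Expression = 'RC4Allowed';    Descending = $true },
                          @{Expression = 'StalePassword'; Descending = $true },
                          @{Expression = 'PasswordAge';   Descending = $true } |
    Format-Table -AutoSize
```

Accounts that show up with `RC4Allowed` true or a stale password are candidates for a long random password (or migration to a group managed service account) and for setting AES-only encryption types.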