Offensive Security’s PWK Course Review and OSCP Exam

I’ve had a number of people ask me on Twitter to do a review on the Offensive Security Penetration Testing with Kali Linux course, and the accompanying OSCP exam. I’ve put this off for a while, because there are a ton of great resources out there already. However, because it keeps coming up, I’ll throw my two cents in.

Overview:

I assume if you’re looking at this review, you know what both PWK and OSCP are. But for completeness’ sake, the PWK Course (Penetration Testing with Kali Linux) is a self-study video, pdf, and live-fire lab course that teaches the basics of penetration testing using tools many hackers and security professionals use. Kali Linux is a Debian-based distribution (put out by Offensive Security) that contains a great number of hacking and testing tools wrapped into an easy to use package. The OSCP Exam, or Offensive Security Certified Professional, is a 24-hour hands-on exam in which the exam taker must complete a black-box style penetration test of a number of hosts, then spend the following 24 hours writing a thorough pentest report. The exam taker is able to use any and all tools on Kali Linux, any exploits or code found on their own, custom scripts, and any amount of Googling they’d like.

Let's start with the basics. The course itself has no prerequisites – anyone can sign up and take it. Through my time in the course, I met people from all levels of skill – I know a person who was an A+ Certified Bench Tech before taking the course, and didn't know anything about pentesting or security. I met people who work as government contractors who pentest for a living. There were lots of systems admins, security analysts, and people with self-proclaimed unsavory histories they were eager to share in DM. My point here is, if you're willing to give it a shot (and willing to pay for lab time), don't get too hung up on how much experience you have. Will basic bash, PowerShell, and Python help you in the course? Absolutely. Will a background in systems administration help? Sure! Have you done web development? Great! These will all help contribute to your success, but nothing is strictly required. The course provides a solid foundation, and if you're willing to "try harder" and dig through Google and other resources, you'll learn more than you could've imagined.

So, logistics. At a minimum, you’ll need the following:

  • Between $800 and $1,150 USD. Lab time is sold in increments of 30 days.
  • A stable internet connection. You'll be connecting to the lab environment through a VPN connection, so unstable or shaky internet is going to make life difficult.
  • Virtualization software. I used the free VirtualBox package during my course and exam with no issue.
  • A computer (duh.) – The VM I ran for both course and exam was a single core, 2 GB RAM, and 25 GB HDD allocated from a 2012 MacBook Pro. It ran fine.
  • A tremendous amount of free time, or flexible working situation.
  • Somewhere to take notes, and somewhere to save them. My solution was a KeepNote file I kept in sync with Dropbox. Backing up to Dropbox saved me more than once.

My Experience:

I made a critical error in signing up for the course: I didn’t realize that there was a month-delay in between payment and start date. I had a perfect 60 day window to fit everything into, between work and personal commitments. When I actually started the course, I was down to 30 productive days and then work and personal travel, and moving house. Lesson learned.

I received my PDF, ISO link, and Videos exactly when I was told to expect them. I began going through the PDF, which is several hundred pages followed by exercises, and followed each chapter by watching the videos and then doing the exercises. I promised myself this was the route I would take for the entirety of the course. Of course, this fell apart when I first connected to the VPN to scan the network. Depending on your level of experience, you may or may not notice vulnerabilities early on. Noticing them is a double-edged sword: on the one hand, you’re recognizing obvious ‘low hanging fruit.’ On the other hand, this is going to be incredibly distracting as you try to go through the rest of the course materials. This did me in about halfway through the pdf — I decided I wanted to get some hands on time, and “just hack one box.” Well, 10 or so root shells later I realized I had completely neglected the rest of the materials. I made a half-hearted attempt to go back and read the PDF, but I was hooked on the labs (though of course I did eventually go through everything). A word of advice before I continue. Read ALL of the materials first. Watch ALL of the videos first. Do ALL of the exercises first. Then jump into labs. While some of the materials may be a review for you, or seem less exciting than raining shells upon your multi/handler, I can attest that you will gain something out of each and every section. Also keep in mind that a thorough report of exercises can earn you a few points on the exam, which can mean the difference between a pass and a fail. But I digress.

I made good progress throughout the course the first few weeks, and had a decent number of conquests to my name. I was spending about 5-8 hours a day on weekends, and 3-4 hours a night in labs. I was paying my own way through PWK, so I was doing the course around working hours – which meant lots of late nights in front of a computer, after 8 hour days in front of a computer. A piece of advice here: burnout is a real thing. Time management during this course is probably the biggest challenge you will face. Yes, hacking the planet is fun. Yes, stacking your proof.txt's is great bragging rights. But staring at a screen 16 hours a day and neglecting yourself and social interaction is a dangerous game. Twice during the course I burned out and took several days off. Each time I came back feeling smarter and more skilled – this was absolutely not true, I was just not mentally and physically exhausted. I can't count the number of times I'd spend 8 hours on a privilege escalation attempt, get a night's sleep, wake up, and root the box in 10 minutes. Get rest, stay hydrated, and remember it's a course, not a lifestyle change. Anyway, back to the experience.

About this time I left town for a few days to attend an out of state security conference (shoutout to CactusCon!) – actually getting my 20th root shell from the Starbucks just outside the conference center. I had told myself that at 20 I’d book my exam – and did so for a few months out, still hacking away. However, life got in the way – some major personal life things as well as some shakeups at work and a pre-planned vacation led to only an additional 7 boxes between that point and the exam. I was feeling confident but stressed on exam day.

I had prepared for the exam in a number of ways:

  • Writing out a schedule and setting alarms. I gave myself X number of minutes per box, rotated to the next, etc. I factored in meal breaks, nap breaks, sanity breaks, and the like.
  • I meal-prepped a few days before, so I wouldn’t have to think about anything on exam day.
  • I planned on a full night of sleep before the exam.

Sounds good right? Well, a few things I didn’t do very well:

  • I had scheduled the exam for 11am. I'm usually up around 7. This meant I had 4 hours of waiting, stressing out, and more importantly, being awake. I was already planning on a full 24 hours – now I was looking at 28.
  • My meal-prep included way, way too much coffee. I had bought canned espresso and made much too liberal use of it.
  • My schedule of work, while ambitious, wasn’t realistic.

For the first few hours, everything was going swimmingly. I rooted a few boxes within the first few hours. By hour 8, I had (by my estimate) about 60 points (of the 70 needed to pass).

These would be the last points I got on this attempt.

Over the next few hours, a minor panic began to set in. I was watching the clock — not focusing enough on my systems. I was drinking coffee like a machine, because I was sure I'd need to be up the entire night and next morning. I was not thinking methodically – at one point, I must have tried the same privilege escalation exploit 15 times in a row. I slept a total of 45 minutes during the entire 28-hour debacle. As the sun came up and my exam connection cut out, I was still typing in privilege escalation commands. Disheartened, I tried (and failed) to get some sleep. I knew I had failed, but I wrote up my Exam Report, submitted it along with my Lab Report, and went to bed with the worst migraine I've had to date.

Intermission

Two days after my attempt, as expected, I received the "We're sorry to inform you…" email from Offensive Security. I replied and asked for feedback – which they were happy to supply. Sidenote: Pass or fail, make sure you submit the report. OffSec will be happy to give you general feedback and tell you what needs work. What they told me was in line with where I believed I struggled most. After receiving this confirmation, I felt a surge of motivation and immediately bought another 30 days lab time. I began to work on my weak areas. I decided to go for quality and difficulty over quantity this time – in the end, the number of lab boxes you root matters to nobody but you – but rooting the hard ones? That made more sense to me. In the end I had 33 full root and 3 low privilege shells, but had knocked out all of the notoriously 'tough' boxes. I made some changes to my plan:

  • Better time management. Don’t look at the clock, focus on the exam.
  • Ditch the artificial stimulants (in my case, caffeine). Get some rest when focus starts to fail.
  • Keep hydrated. Take meal breaks away from the exam. Get some exercise (even just a short walk).
  • I decided to book my next exam for 8am. This would let me kick off my scripts, then go shower and have breakfast while they ran — no more wasting time waiting around.
  • I spoke with my buddy Tulpa who has a background in psychology. He turned me on to some natural supplements that really helped focus and concentration, and some focus and mind-clearing tactics he used with success. Hoping he does a blog post on it soon (Focus for Hackers, Tulpa? hint hint 🙂 )
  • I posted my failure on Twitter. To my great surprise, many people who I greatly respect DM’d me to tell me they’d failed once, twice, and in some cases, three times. Many offered tips, all offered support. That helped a lot with the imposter syndrome.

I re-booked the test right away. The summer months meant that lots of exam slots were full already, and the feeling of a hard deadline gave me the extra focus I needed. When my lab time died, I downloaded and completed a total of 9 VulnHub VMs. This not only kept my skillset sharp, but because CTF-style machines are so different, they made me think outside of my normal process. This helped a lot. I also went back through every video, exercise, and chapter in the guide, and redid them from the ground up. This led to more than one “Oh crap!” moment, where a previously difficult situation clicked into place (I’m being intentionally vague here so as to not violate any NDAs with OffSec). As I said before: go through the entire course before you start the labs!

Exam: Round 2

The second exam went much more smoothly. By the third hour, I had about 60 points. By the 8th hour, I had what I was sure was 75. However, this was a narrow pass – some bad formatting or grammar on the report, or one missing screenshot would've put me back in the fail range. I kept working at it until I had almost all boxes rooted, and command execution on the last. At this point, I knew I had passed. It was 11pm, and I was exhausted – so rather than continuing on with the 5th, I went to bed. I've never slept so well.

The waiting in between submitting your report and getting the email is insane. I’d compare it to Christmas Eve, but even that was never so tough – I must have refreshed my inbox 100 times over the next 36 hours. In the end, the email arrived: I had passed and was awarded the OSCP certification.

After receiving the email, the first reaction is obviously happiness – this had been a long time coming. This is followed almost immediately by a “What now?” feeling. Those hours every night, the effort, the merciless taunting by seemingly impossible servers were over. I think everyone goes through some form of withdrawal for a day or two. My recommendation here is to take some time for yourself. After the intensity of the course, you have probably neglected some other things in your life – stop hacking for a few days and get in touch with people, pick up old hobbies for a few days, whatever – just clear your mind a little. Worked for me, anyway.

Summary, or TL;DR:

  • Pace yourself, during the course and the exam. If you allow it to consume your life and free time, it will.
  • Fight the exam, not the clock.
  • Stay mentally focused. Sleep when your body tells you to, eat/drink when you need to. There is no runner up prize for “most exhausted hacker” at the end of the thing.
  • Find some people in the community you can vent and commiserate with. That may be the amazing infosec community on Twitter, the very active #offsec IRC channel on freenode, or people at work – but having people who know the struggle and will keep pushing you to do better (and celebrate your victories) helps a lot. At the beginning of the course, I met the aforementioned Tulpa and ozzie_offsec, and a lot of moral support formed between us organically, though we're all on opposite ends of the planet. Both stand-up guys.
  • There’s no shame in not rooting every host in the labs. I’ve seen people pass after rooting 10(!) and some fail after rooting all hosts in all subnets. You’re ready when you’re ready.
  • The course and labs come with access to admins, who will help you push yourself. They have both chat- and email-based support, in which most of the time they'll just ask you about the scenario. They will not spoon feed you answers. About half the time I used the support function, I figured out what I needed to do as I was typing the question.
  • Don’t kill yourself. “I’ve been hacking for 48 hours without sleep or food” doesn’t impress anyone, and clouds your abilities and judgement. Take care of yourself first.
  • When all else fails, think like a script kiddie. Remember you aren't dropping zero-days – if you're not having success with an attack, you're probably over-complicating things. Go back to your basics, enumerate again, and stop throwing things at the wall to see what sticks.
  • Metasploit exists. Professionals use it. Hackers use it. You can use it on the exam (with restrictions). So, use it during the labs. Get familiar with its interface, find out what it does well and what it doesn’t do well. Avoiding it completely will only hurt you.
  • JW has a great method I used more than once. When you become frustrated or stuck, start explaining the situation to yourself as if you’ve already rooted the box and are explaining how you did it to someone brand new to the industry. Breaking it down and simplifying things helps you identify gaps in your process, flaws or assumptions in your thinking, and find what you were missing.
  • Do not fear failure. Failure is an event, not a person. You’ll learn a lot from your failure, should it come to that – prepare for the worst, but aim for the pass.
  • Try Harder.

…but what about all the good things ransomware has done?


I'm going to take an unconventional approach to the typical ransomware talk today. I want to talk about how ransomware has been a good thing for our industry. I realize that by now you're probably calling me a charlatan, but just stick with me for a few minutes. Let's talk about the good things ransomware has done for Information Technology.

Ransomware has driven backup awareness in a big way.

Think back to a not-so-distant past, when backups were managed by tape and BackupExec. Remember skipping a few days, or seeing the jobs fail, and not feeling an immediate sense of dread? How long would that fly today? Ransomware has one 100% effective recovery and response mechanism: restoring from a known-good backup. Sure, you can pay the ransom, but as we’ve seen recently, even that does not guarantee a decryption key. So as a result, systems admins have become very good at backups — and going a step beyond that, so have users.

We have been preaching backups to end users for years. This was often either written off immediately, or taken seriously for a few weeks and then forgotten – with the USB hard disk stuffed in a drawer somewhere, less useful with each passing day. But today I see a change in attitude. People who have been hit and paid the ransom (or know of those who have) are very good about backing things up. The sting of $300+ in bitcoin is not one quickly forgotten – and it shows.

But let's move away from the user for a moment, and focus back on the sysadmins. I've seen a change away from traditional nightly/weekly/monthly backup schemes, and toward quick online backups with hourly snapshots, backing up offsite to a second location. The focus has been placed on fast, recent restores. This has always been best practice, but suddenly we have the funding and managerial support to put it in place. Even organizations that have not been directly affected are reaping the rewards.

Ransomware has forced organizations to test their backups.

A backup is not a backup unless it's been tested. This is a concept often preached, but rarely practiced – because it takes time that administrators do not have, to verify what they assume worked fine (hey, no errors in the log, it's fine). These assumptions have resulted in many heartaches and "résumé-generating events." Testing your backups takes time, and time is a commodity many do not have. But being able to prove to management that, in the event of a crisis, data can quickly be restored and production downtime will be minimized forces the process to be built into your standard practice.

Ransomware has driven sysadmin initiatives.

What would a discussion about globally removing local admin rights have looked like five years ago? Being a multi-time veteran of this conversation, I’ve always seen it go a few ways:

  • Management flat-out says no, because of a fear of lost productivity.
  • Management agrees, but excludes certain users due to the fear of key-personnel being unable to do their jobs. (And, at the risk of sounding cynical, these users are quite often the ones who are most susceptible to infection anyway.)
  • Management agrees, but due to the initial backlash from users, quickly backpedals and gives local admin rights back.

In the past, systems administrators wanted to get rid of administrative rights for two main reasons: end-users were installing unapproved software, or were becoming infected with malware. Removing admin rights solves both issues and allows for greater control of your environment. But now, with ransomware so prevalent, we’re removing admin rights to prevent it from doing much damage – and as a side effect, also reaping the other benefits along with it. Looking historically at virus and malware infections, I can see (at least for my own organization) a severe drop in infections since admin rights were pulled. (This policy, of course, was only approved after we were hit with the first generation of Cryptolocker.)

Let's also look at phishing. More and more companies are looking at phishing services and education, training their users to spot obviously fake emails and to be wary of opening attachments. According to a June 2016 article by CSO Online, 93% of phishing emails are now just ransomware. If we can get users to stop clicking links and opening attachments in emails they aren't expecting, from people they don't know, the attack surface is greatly reduced. This is good practice anyway – from disclosing sensitive information to whaling, scrutinizing everything that hits your inbox is a skill all users should be familiar with.

Tangentially related to phishing awareness was the move from outdated versions of Office to a modern version, which can block macros through Group Policy. Even before ransomware, macro viruses were circulating throughout the internet (though perhaps not as widely as they once were). Blocking the most common infection vector likely also prevented many other attacks.

Ransomware tends to also go beyond the infected system, and encrypt anything on a mapped drive or mounted smb share. This forced administrators to take a long, hard look at how they were issuing read/write privileges across their enterprise, and lock down access by groups using the principle of least privilege. Ask anyone working front-line IT, and they’ll tell you horror stories of a receptionist with a little too much access bringing down entire engineering, accounting, and manufacturing departments because of lax permissions. Gone (for the most part) are the days of “just give Bob access to everything, we’re not quite sure what he’ll need to look at yet.” And this is a major win.

Ransomware has made IT processes more streamlined.

After ransomware started affecting companies en masse, IT departments began seeing an opportunity for quicker disk imaging of infected machines. They began to see that implementing centralized antivirus and web filtering would help rein in some of the known-bad threats and stop them before they could activate. They began to develop processes to quickly triage and contain infections, rather than sitting in a panic while files encrypted over shared systems. By streamlining these processes, the side effect is a slightly more efficient helpdesk. Building out a quick disk imaging solution for wiping infected machines also means you can turn around laptops more quickly, or recover from failed hardware. Centralized antivirus not only helps push out new updates, but gives you central reporting on devices. Installing automated patching services like WSUS lets you go home at 5pm on Patch Tuesday, rather than digging through a list of who has and hasn't yet received auto updates and rebooted. This is all a net positive to the IT department.

So, you love ransomware eh?

Of course not. This post wasn't intended to sympathize with the ransomware industry. Quite the opposite — ransomware is a time killing, productivity killing, extortionary practice that should be condemned. The point is, there is a silver lining to how quickly it has ramped up and become an everyday occurrence in our lives. That silver lining is helping IT departments mature quickly, and forcing management to give the buy-in and budget needed to implement best practice. The only real solution to the ransomware problem is to simply stop paying the ransoms — without profit, criminals will stop pushing this stuff out. But until then, take advantage of what it offers — a killer excuse to get your infrastructure cleaned up and in order.

Sysadmins – We Need to Talk.


I'm frustrated. Frustrated because I keep seeing articles about businesses, specifically hospitals, being ransomwared into submission. In the past month, I can recall three specific instances. Some paid the ransom. One is still in limbo. Each system claims that their data is being held hostage, and that the ransomer is demanding somewhere between $1,600 and $3.7 million dollars – all negotiable, of course. Hospital administrators cry foul, sysadmins look to expensive solutions, and patient care suffers.

None of this has to happen.

Sysadmins, we need to talk. I know the struggle – I've been a systems administrator for 15 years. You have too few resources, too small a budget, and no respect. I get it. I do. Your users click links they shouldn't, download things without forethought, and go to websites that you would firebomb from afar if you had your way. I understand that ransomware is a fast-changing, ever-evolving beast that gets around your defenses as quickly as you mitigate its attacks. It's impossible to stop every attack. I get that. However, I'd like to pose a question to you, and I ask this with as little snark as I can muster: Is that really an excuse? Can we really throw up our hands because "it's hard," and not even attempt good, basic security measures?

Admins, lend me your ears. With good, basic, and built-in tools, you can defend against ransomware. With just a few hours of configuration (at most!), you can stop this madness. Let’s talk turkey.

Fix Your Email

  • Filtering extensions. Do you block incoming file attachments? Most companies don't, and can't – that's fine. However, you can certainly block the dangerous ones. Most modern email systems block executables (.exe) and batch (.bat/.cmd) files out of the box – most will also block VB scripting (.vbs), screen savers (.scr) and a few others. Check your own server's list rather than assuming. Let's get to what's not being blocked:
    • .doc / .xls files – Yep, MS Office. No, I am not suggesting you disallow your users from sharing Office files – but the modern Office formats are .docx and .xlsx, which cannot carry macros at all (macro-enabled documents use .docm and .xlsm), so ditch the old extensions. The legacy formats are where the malicious macros live that grab the ransomware payload and pull it onto your machine. While you're at it, block .rtf.
    • .js files – Nobody emails you raw JavaScript, with a glaring exception: Locky. Locky's vector is commonly a .js file attached to an email (often in a zip).
    • .zip files and .rar files – Yes, some businesses use these to transfer files. Say it with me (and if you're a sysadmin, you've been shouting this for years) – email is not a file transfer mechanism. Find an alternative. Utilize network shares or a third party system like OwnCloud. Ransomware often comes in a .zip, and sometimes even password protected (with the password in the email body). Why? Mail scanners can't look inside a password-protected archive. Block them outright if you can.
  • Filtering countries. Does your company do business with China, Romania, or Ukraine? What's the business impact of never receiving mail from Russia again? In a great majority of cases, this will not impact you at all – but it will cut down substantially on both spam and phishing. Many email servers will allow you to block based on region or country. Take heavy advantage of this. If not, you can look at netblocks by country and black/grey-list them manually.
  • Crank up your spam protection. A lot of ransomware coming through is going to be flagged as spam by the same criteria that “13UY V1@GAR4” ads get stopped with. It doesn’t have to be turned to max, but it does have to be turned on.
  • Consider blocking any of the generic gTLD domains out there. Domains such as “.xyz” and “.info” are cheap and used as throwaways by spammers. Stop them from entering your email environment and you’ll reduce the number of phishing attacks and spam emails your users receive.
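The five points above map onto mail flow (transport) rules. As an added example, not the author's configuration, here is how they look in PowerShell for an Exchange 2013-or-later or Exchange Online environment with the Exchange cmdlets loaded. The extension list, the netblocks, and the review mailbox are placeholders you must replace with your own.

```powershell
# Added example (not the post author's configuration). Assumes an Exchange
# 2013+ / Exchange Online environment and an Exchange Management Shell session.
# Every address, netblock and extension list below is a placeholder.

$riskyExtensions = @('js','jse','wsf','hta','doc','xls','rtf','zip','rar','7z')
$rejectText      = 'Attachment type blocked by policy. Use the file share instead.'
$reviewMailbox   = 'mail-review@corp.example'   # hypothetical triage mailbox

# 1. Reject the extensions the post calls out. Exchange also evaluates files
#    inside archives it can open, so a .js nested in a .zip is caught as well.
New-TransportRule -Name 'Block risky attachment extensions' `
    -AttachmentExtensionMatchesWords $riskyExtensions `
    -RejectMessageReasonText $rejectText `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Priority 0

# 2. Archives the scanner cannot open (password in the mail body is the classic
#    ransomware trick) are rejected outright rather than waved through.
New-TransportRule -Name 'Block password-protected attachments' `
    -AttachmentIsPasswordProtected $true `
    -RejectMessageReasonText 'Password-protected attachments are not accepted.' `
    -Priority 1

# 3. Catch executables regardless of what the file name claims to be.
New-TransportRule -Name 'Block executable attachment content' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText $rejectText `
    -Priority 2

# 4. Throwaway gTLDs: redirect to a triage mailbox instead of rejecting, so a
#    genuine partner on .xyz can still be released by an admin.
New-TransportRule -Name 'Divert throwaway gTLDs for review' `
    -FromAddressMatchesPatterns @('\.xyz$', '\.top$', '\.info$') `
    -RedirectMessageTo $reviewMailbox `
    -Priority 3

# 5. Country / netblock filtering. The ranges here are RFC 5737 documentation
#    addresses used purely as placeholders; substitute the blocks you mean.
New-TransportRule -Name 'Drop mail from blocked netblocks' `
    -SenderIpRanges @('198.51.100.0/24', '203.0.113.0/24') `
    -DeleteMessage $true `
    -Priority 4

# Confirm the order of evaluation: lowest Priority number runs first.
Get-TransportRule | Sort-Object Priority | Format-Table Name, State, Priority -AutoSize
```

Rule 1 is the one that will generate helpdesk tickets; start it in test mode (`-Mode Audit` on `New-TransportRule`) for a week and read the message trace before switching it to enforce.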

Defend Your Servers

  • Software Restriction Policies. Via Group Policy, you can stop executables from running out of the %TMP% directory (and the rest of the user-writable profile, such as %AppData%) – which is how all ransomware I have encountered or read about starts. Pushing this down to your users should be a no-brainer. Now, I say that with a grain of salt – this will break things. In my experience, QuickBooks installers, MS Office installers, and Spotify all break when an SRP is in place. These, however, can be whitelisted. This takes testing and should be rolled out slowly, especially in complex environments. Here's a very thorough tutorial with screenshots on how to implement a Software Restriction Policy.
  • File Server Resource Manager. FSRM is a method for actively monitoring file shares. One of the first things ransomware does is drop a file explaining how to pay the ransom. With FSRM you can easily alert on those files and run a script. The script I wrote is extremely basic – it kills the file sharing service, sends the admin an email, and writes the event to the event log. Here's a list of filenames I monitor for.
  • Follow good security practices. Does everyone have read, write, execute access on every share? They shouldn't. Follow good security practices for accessing data – use the principle of least privilege and role-based access control. This is good practice aside from ransomware, but will help contain the damage should something slip through your other controls. Users in groups, groups assigned to folder/file permissions. Add/remove users from groups as their access or roles change. This makes management easy.
  • Monitor handles. Consider setting up a "canary" to alert you of processes generating a high handle count. There are a few that we should expect to do so – System, sqlservr, and lsass come to mind – but a process actively encrypting or modifying thousands of files at once will generate a high number of handles. I wrote this script when the first CryptoLocker hit, and run it as a scheduled task every 15 minutes; feel free to modify it as you wish. Be warned that it is fairly ugly, but it does what it says on the box.
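The FSRM canary and the handle-count canary described above share the same response (stop serving files, log, page someone), so here is one added example that wires up both, written for this page and not the author's own scripts. It assumes Windows Server 2012 R2 or later with the FSRM role installed, a hypothetical share root `D:\Shares`, hypothetical mail settings, and a handful of well-known ransom-note patterns standing in for the author's list.

```powershell
# Added example (not the post author's scripts). Assumes Windows Server 2012 R2+
# with the File Server Resource Manager role; every path, address and pattern
# below is a placeholder to replace with your own.

$shareRoot = 'D:\Shares'                                    # hypothetical
$responder = 'C:\Scripts\Invoke-RansomwareResponse.ps1'     # hypothetical

# --- shared responder: drop the shares, write an event, page an admin --------
$responderBody = @'
param([string]$Reason)
Stop-Service -Name LanmanServer -Force        # stops SMB serving immediately
if (-not [System.Diagnostics.EventLog]::SourceExists('RansomwareCanary')) {
    New-EventLog -LogName Application -Source 'RansomwareCanary'
}
Write-EventLog -LogName Application -Source 'RansomwareCanary' -EntryType Error `
    -EventId 9001 -Message $Reason
Send-MailMessage -To 'soc@corp.example' -From 'canary@corp.example' `
    -SmtpServer 'smtp.corp.example' -Subject 'RANSOMWARE CANARY TRIPPED' -Body $Reason
'@
New-Item -ItemType Directory -Path (Split-Path $responder) -Force | Out-Null
Set-Content -Path $responder -Value $responderBody -Encoding ASCII

# --- canary 1: FSRM file screen on ransom-note names ------------------------
# Example patterns only (Locky / CryptoWall-style names); keep your list current.
$canaryPatterns = @('*.locky', '_Locky_recover_instructions.txt',
                    'HELP_DECRYPT.*', 'DECRYPT_INSTRUCTION*', '*.encrypted')

if (-not (Get-FsrmFileGroup -Name 'Ransomware canaries' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Ransomware canaries' -IncludePattern $canaryPatterns | Out-Null
}

# [Source Io Owner] and [Source File Path] are FSRM's own substitution macros.
$cmdAction = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters "-ExecutionPolicy Bypass -File `"$responder`" -Reason `"FSRM screen hit: [Source Io Owner] wrote [Source File Path]`"" `
    -SecurityLevel LocalSystem -RunLimitInterval 0
$logAction = New-FsrmAction -Type Event -EventType Error `
    -Body 'Ransomware canary: [Source Io Owner] wrote [Source File Path]'

# -Active makes the screen enforcing: the write is refused AND both actions fire.
New-FsrmFileScreen -Path $shareRoot -IncludeGroup 'Ransomware canaries' -Active `
    -Notification @($cmdAction, $logAction) | Out-Null

# --- canary 2: handle-count spike, meant for a 15-minute scheduled task -----
function Test-HandleSpike {
    param(
        [int]$Threshold = 5000,                                    # tune per host
        [string[]]$Expected = @('System', 'lsass', 'sqlservr')    # known heavy users
    )
    Get-Process |
        Where-Object { $_.Handles -gt $Threshold -and $Expected -notcontains $_.ProcessName } |
        Select-Object ProcessName, Id, Handles
}

$suspects = Test-HandleSpike
if ($suspects) {
    $detail = ($suspects | ForEach-Object { "$($_.ProcessName)[$($_.Id)]=$($_.Handles)" }) -join ', '
    & $responder -Reason "High handle count: $detail"
}
```

Register the bottom half with `Register-ScheduledTask` running as SYSTEM every 15 minutes, and baseline `Threshold` against a quiet day first; SQL and backup agents legitimately sit above 5,000 handles on some servers, which is why the exclusion list exists.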

Defend Your Endpoints

  • Antivirus. Some people will tell you that antivirus is dead. There are certainly arguments for that – but an antivirus still acts as a last line of defense if your other controls fail. Make sure your definitions are updated, and the antivirus is up to date. Microsoft Security Essentials is free, and will defend against known ransomware. Teach your users to report virus alerts, not ignore them.
  • Patching. Keep your endpoints patched. You can download and install Windows Server Update Service for free, and have it manage your updates and reboot cycles.
  • Phish your users. It can be done for free and teaches them not only to be suspicious of emails they aren’t expecting, but helps train them on indications that an email is not from who they think.
  • Remove local administrator rights from machines. Users may kick and scream that they can't install Skype, but reducing the local machine rights drastically reduces the damage that can be done. Without admin rights, a user can only write to (and therefore launch new programs from) user-writable locations such as their own profile and %TMP% – exactly the paths a Software Restriction Policy locks down – so it's easier to mitigate malicious software trying to do you harm.

Defend Your Network

  • DNS. If you're using your ISP's DNS server, I would encourage you to change it to the free OpenDNS service. OpenDNS is good about blackholing known-bad domains and command & control hostnames. It will reduce malware from web browsing significantly and costs you nothing.
  • Block Tor. Tor has many legitimate, and noble uses. However, many pieces of ransomware use it to reach a C&C server and obtain the key used to encrypt data. If this step fails, those families stop. Be aware that others ship with an embedded public key and encrypt without ever calling home, so treat this as one layer rather than the layer. Block Tor unless you are actively using it for business – which you likely are not.

Defend Your Data

  • Backups. If all else fails, you need the security of having recent, tested, GOOD backups. Windows Server Backup is not the most elegant solution, but it works – and costs you nothing. A large USB drive is all you need to back up your data. Find out what your company's tolerance for data loss is, and take the drive off-site that often. If they can tolerate a week of lost data, take it off-site every Friday. If they can tolerate no more than a day, take it off-site every night. A note about ransomware: if the backup drive is plugged in, and the system infected? It will encrypt your backup drive. It's important that you eject the USB or physically remove the drive every time you complete a backup. If you can spare a few dollars and some bandwidth, a service like CrashPlan runs about $8 per month and backs up changes in real time, and maintains a version history. Not an ideal way to recover the data should you lose everything, but it's a "set it and forget it" approach that requires little maintenance and no drive swapping.
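Ejecting the drive is the step that gets forgotten, so here is an added example (not the author's process) of a Windows Server Backup job that only exposes the USB disk for the duration of the backup. It assumes the backup disk is disk number 2 carrying drive letter E:, that `D:\Shares` is the data to protect, and that the `Storage` module (Windows Server 2012+) is present; verify the disk number with `Get-Disk` before running, because taking the wrong disk offline is its own outage.

```powershell
# Added example (not the post author's process). Assumes Windows Server Backup
# (wbadmin.exe) and the Storage module; disk 2 / E: / D:\Shares are placeholders.
# Confirm with Get-Disk and Get-Volume before use.

$backupDisk   = 2            # hypothetical USB backup disk number
$backupTarget = 'E:'         # hypothetical drive letter of that disk
$include      = 'D:\Shares'  # hypothetical data volume to protect

# Online the disk only for the job. While a disk is offline Windows exposes no
# volume, drive letter or GUID path for it, so nothing running as a normal
# user can write to it.
Set-Disk -Number $backupDisk -IsOffline $false
Start-Sleep -Seconds 5                     # give the volume a moment to mount

try {
    # -quiet suppresses the confirmation prompt so this runs unattended.
    & wbadmin.exe start backup -backupTarget:$backupTarget -include:$include -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

    # A backup is not a backup until you have checked it exists: print the
    # newest version recorded on the target while the disk is still reachable.
    & wbadmin.exe get versions -backupTarget:$backupTarget |
        Select-String 'Backup time' | Select-Object -Last 1
}
finally {
    # Always offline the disk, even if the job failed, so an infection that
    # lands after the run cannot reach the previous copy.
    Set-Disk -Number $backupDisk -IsOffline $true
}

# Final state check; "Offline" is the only acceptable answer here.
(Get-Disk -Number $backupDisk).OperationalStatus
```

An offline disk is a guard against the common case (ransomware running as the logged-on user), not a substitute for rotation: anyone with local admin rights can bring the disk back online, so the drive still leaves the building on the schedule the business agreed to.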


Sysadmins: this is what the phrase Defense-in-Depth means. Multiple overlapping controls, so that when an attack gets past one of them, another catches it. An antivirus and a firewall are no longer enough. There is no excuse for a ransomware infection resulting in lost data and days/weeks/months offline. You can accomplish every step outlined above with a zero-dollar budget.

Any other tips, tricks, or $0 mitigations you’d like to share? Please comment below!