Blog :: Security Operations

Catching Mr Robot with Netflow

If you are into cyber security and reading this blog, then there is a good chance you have heard of USA Network’s hit show, Mr Robot. The crime drama has a plethora of relatable characters, a ton of action-packed scenes, and most importantly, realistic hacking scenarios. What the show doesn’t discuss, however, is that catching Mr Robot with NetFlow is a very real possibility. (Warning: spoilers ahead.)


Mr Robot—Quick Summary

The show follows main character Elliot Alderson and his hacking Mr Robot collective “fsociety” as they take on the world’s biggest conglomerate “E Corp” with a variety of well-portrayed and, more importantly, realistic hacks.

After a colleague of mine introduced the show to me, I became hooked almost immediately. But as I binged on episode after episode, I started thinking about how NetFlow could have been used to uncover fsociety. The brute force attacks, the DDoS, the data theft, and the use of stolen credentials all could be found with NetFlow and a good collector.


NetFlow and User Authentication

Stealing Authentication Credentials

During one memorable scene, an fsociety member uses a rubber ducky to steal her boss’s credentials. She then logs on from her own workstation using the stolen information. But as we NetFlow-savvy know, this could have been caught in a flow-rich environment.

User authentication is something that most of us working in a corporate environment use daily. We just show up to work, log into our workstations and go about our day. User authentication information, such as log-in and log-off events, can actually be sent as flow data and correlated with IP addresses.

After the correlation is done, you can easily build reports with proactive thresholds for, let’s say, your users with Admin rights or your CEO. If a system that isn’t within your rule set starts using those credentials—boom, an alert would sound.

[Image: ip to username]

DDoS as a Smoke Screen

You fans might remember the first time Mr Robot and fsociety make contact with Elliot. A massive Distributed Denial of Service attack is launched against E Corp, and the security firm (Allsafe) that Elliot works for has to respond. The attack ends up being a smoke screen so that fsociety can plant a rootkit for later use.

This is a very realistic scenario, one that has been discussed over and over again in the information security world. It is a clever tactic: the DDoS trips the alarms in your current security solution, so you immediately act and focus on putting out that fire. Meanwhile a much smaller conversation goes by unnoticed, possibly east-west internal traffic used to move files into place.

With NetFlow you would not only be able to alert on the DDoS at hand, but at the same time still be monitoring the smallest conversations on your network. If the Allsafe folks had simply built a NetFlow report filtered on their critical servers, they would have been able to see an anomalous connection to the server and an item being uploaded to it. If the server that was attacked is outward facing, they could have excluded all of the junk UDP traffic that made up the DDoS and seen the underlying conversations buried beneath it.
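The report described above, as an added example that is not from the original post or from Plixer: it takes constructed unidirectional flow records for one critical server, strips the UDP flood senders, and totals the bytes each remaining client pushed toward the server so the quiet upload stands out. The server address, the flood threshold and the upload threshold are assumptions chosen for the example.

```python
"""Surface the small conversations hidden under a UDP flood aimed at a critical server."""
from collections import defaultdict

# Constructed unidirectional flow records: (src, dst, proto, dst_port, bytes_from_src).
# The UDP entries model the flood; the TCP/445 entries are the quiet upload underneath it.
FLOWS = [
    ("203.0.113.10", "10.0.0.5", "UDP", 53, 900),
    ("203.0.113.11", "10.0.0.5", "UDP", 53, 880),
    ("203.0.113.12", "10.0.0.5", "UDP", 53, 910),
    ("203.0.113.13", "10.0.0.5", "UDP", 123, 920),
    ("203.0.113.14", "10.0.0.5", "UDP", 123, 890),
    ("10.0.2.40", "10.0.0.5", "TCP", 445, 2_400_000),  # internal host pushing a large file
    ("10.0.2.40", "10.0.0.5", "TCP", 445, 180_000),
    ("10.0.1.20", "10.0.0.5", "TCP", 443, 1_200),      # ordinary short admin session
    ("10.0.0.5", "10.0.1.20", "TCP", 443, 45_000),     # server replying; not an upload
]

CRITICAL_SERVER = "10.0.0.5"  # assumed address of the critical server in this example


def flood_sources(flows, server, min_sources=3):
    """Return the UDP senders that together form the flood against `server`.

    Assumed detection rule: at least `min_sources` distinct UDP senders hitting the
    same server inside the reporting window is treated as flood noise, not real traffic.
    """
    srcs = {src for src, dst, proto, _, _ in flows if dst == server and proto == "UDP"}
    return srcs if len(srcs) >= min_sources else set()


def hidden_conversations(flows, server):
    """Drop the flood, then total per (client, proto, port) the bytes sent toward the server."""
    noise = flood_sources(flows, server)
    toward_server = defaultdict(int)
    for src, dst, proto, port, nbytes in flows:
        if dst != server or src in noise:
            continue  # not inbound to the server, or part of the junk UDP traffic
        toward_server[(src, proto, port)] += nbytes
    return dict(toward_server)


def flag_uploads(flows, server, max_bytes=100_000):
    """Conversations where a client sent more than `max_bytes` to the server: the item being uploaded."""
    return {k: v for k, v in hidden_conversations(flows, server).items() if v > max_bytes}


if __name__ == "__main__":
    for (src, proto, port), total in flag_uploads(FLOWS, CRITICAL_SERVER).items():
        print(f"upload to {CRITICAL_SERVER} from {src} {proto}/{port}: {total} bytes")
```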

Amateur Hacking

Maybe it’s just paranoia, but after watching Mr Robot I noticed an increase in the number of ethical hacking articles showing up in my reading. I can’t be the only one who watched Elliot and his team and decided it would be a great idea to download Kali Linux and play along. This idea of “playing along” got me thinking about copycats and the very real possibility that ordinary people who don’t normally play around in the world of information security could now be playing with tools they don’t fully understand. The tools used in the show are very real and can cause serious damage if not used by a trained professional or in a lab environment. So on my first day at work after binge-watching Mr Robot, I set up proactive alarms and turned on the behavioral analytics to cover my bases.

USA Network created a great show, and many of those in the tech world look forward to the next season. In the meantime, it would be a good idea to double-check those routers, switches, and firewalls to see if they export NetFlow, because extra visibility will only help. If any of you readers have questions about NetFlow or want to see the kind of visibility it can afford you, contact us at Plixer or download a trial of our NetFlow collector, Scrutinizer, and see if you can catch Elliot in your environment.