
Tenable Blog


Mr. Robot and Tenable

At Tenable, we’re huge fans of USA’s cable series, Mr. Robot. The show follows Elliot Alderson, a talented, yet troubled, security engineer at Allsafe Cybersecurity who connects with people by “hacking” them. He becomes involved with a hacktivist group, fsociety, whose goal is to cancel all debts by taking down the largest company in the world, Evil Corp. In this blog, we will discuss several of the attacks demonstrated in the show, as well as how Tenable’s products can serve as a method to detect the attacks before or as soon as they happen.


Episode 2: ones-and-zer0es.mpeg – Malicious mixtape CD

In this episode, a malicious actor from the mysterious Dark Army group pretends to be an aspiring rapper handing out his mixtape on the street corner. Ollie, one of Elliot’s colleagues at Allsafe Cybersecurity, takes the CD home and puts it in his computer, but when he does, his computer freezes up and then ejects the disc. At the end of the scene, the fake rapper is shown monitoring Ollie’s webcam and types into a chat room, “we’re in.”

Both penetration testers and attackers have used this attack for years. A CD is loaded with the malware and is presented as something important—such as new company training material or an important financial document—and then mailed, dropped outside a building, or simply handed to the victim-to-be. As soon as the victim loads the CD and clicks the file, the regular file may run, but so will the malware.

Using SecurityCenter Continuous View™ and the Log Correlation Engine™ (LCE®), a custom TASL (Tenable Application Scripting Language) script could be written to create a normalized set of events using a combination of several events:

  • Windows-Drive_Removed
  • Windows-LCE_Client_Detected_Attached_USB_Device
  • Windows-LCE_Client_Detected_Removed_USB_Device
  • Windows-LCE_Client_Detected_Attached_Drive
  • Windows-LCE_Client_Detected_Removed_Drive

with the detection of a new External Netflow connection. That new TASL event would be used in an email alert sent to the incident response team for investigation.
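The correlation described above, sketched in Python as an added example (not TASL and not Tenable's code): it pairs a media-attach event with a first-seen external connection from the same host. The flow event name, the 10-minute window, the internal address ranges and the sample events are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Attach events from the list above; each one opens a correlation window.
MEDIA_ATTACH = {
    "Windows-LCE_Client_Detected_Attached_USB_Device",
    "Windows-LCE_Client_Detected_Attached_Drive",
}
FLOW = "Netflow-Connection"      # hypothetical name for a flow record
WINDOW = timedelta(minutes=10)   # assumed correlation window
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def correlate(events, window=WINDOW):
    """Alert when a host opens a first-seen external connection within
    `window` of a removable-media attach event on the same host."""
    last_attach, seen, alerts = {}, {}, []
    for ts, host, name, dst in sorted(events, key=lambda e: e[0]):
        if name in MEDIA_ATTACH:
            last_attach[host] = ts
        elif name == FLOW and is_external(dst):
            known = seen.setdefault(host, set())
            first_seen = dst not in known
            known.add(dst)
            attached = last_attach.get(host)
            if first_seen and attached is not None and ts - attached <= window:
                alerts.append({"host": host, "dst": dst, "media_at": attached, "flow_at": ts})
    return alerts

def t(hhmm):
    return datetime.strptime("2015-08-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample events: (time, host, event name, flow destination or None).
SAMPLE_EVENTS = [
    (t("09:00"), "ws-01", FLOW, "198.51.100.20"),   # baseline destination
    (t("09:30"), "ws-01", "Windows-LCE_Client_Detected_Attached_Drive", None),
    (t("09:31"), "ws-01", FLOW, "10.0.0.5"),        # internal, ignored
    (t("09:32"), "ws-01", FLOW, "198.51.100.20"),   # already seen, ignored
    (t("09:33"), "ws-01", FLOW, "203.0.113.7"),     # new external -> alert
    (t("09:34"), "ws-01", "Windows-LCE_Client_Detected_Removed_Drive", None),
    (t("10:30"), "ws-02", "Windows-LCE_Client_Detected_Attached_USB_Device", None),
    (t("11:00"), "ws-02", FLOW, "203.0.113.9"),     # outside the window
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Requiring a first-seen destination keeps routine traffic to known services from alerting every time a drive is mounted; the window length trades missed slow callbacks against noise.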

Episode 4: da3m0ns.mp4 – Raspberry Pi to control HVAC

In their quest to destroy Evil Corp’s backups at the ultra-secure Steel Mountain data center, Elliot and the fsociety crew penetrate the building and connect a Raspberry Pi to a networked HVAC controller. Once it is connected, the Pi calls back to their headquarters and they are in.

Network implants are a tool commonly used by red teams as a method to establish long-term, covert presence on a network. Due to their often small form factor, they can easily be hidden out of sight and can remain undetected on a network for months.

With SecurityCenter CV and the Passive Vulnerability Scanner™ (PVS™), PVS detects when a new system appears on the network and sends a New Mac Address message to LCE. SecurityCenter uses the New Mac Address event and PVS plugin IDs to initiate a scan and to send an email to the IT operations team.

Note: Passive Vulnerability Scanner (PVS) is now Nessus Network Monitor. To learn more about this application and its latest capabilities, visit the Nessus Network Monitor web page.

Episode 6: br4ve-trave1er.asf – Parking lot USB drop

Facing pressure from drug dealer Shayla’s violent supplier, Elliot is forced to break into the network of the prison where drug supplier Fernando is being held in order to bust him out of prison. To help accomplish this, Elliot recruits fellow fsociety member Darlene to drop USB drives—containing malware—in the prison parking lot to help facilitate the break-out. A guard picks up one of the drives on his way in, plugs it into his workstation, and the executable runs. Even though anti-virus catches the file, Elliot has a shell on the machine until the guard physically unplugs the power.

Attackers can easily trick unsuspecting victims into picking up thumb drives and plugging them into their computers, and then compromise them using methods like USB keystroke injection, BadUSB, and backdoored files. For example, in corporate America during the time that annual salary raises are announced, an attacker could drop a thumb drive in the company’s parking lot. The attacker could backdoor a PDF and title it “2015 Annual Salary Raises.” This would entice a naive user to open the file and even potentially distribute it.

SecurityCenter CV and LCE can easily detect this activity using the method described in the first scenario from Episode 2. Tenable’s solutions also offer other methods for tracking such malicious behavior:

  • SecurityCenter can audit systems to ensure that USB media is prohibited and to call out systems deviating from this policy.
  • SecurityCenter can detect systems where USB media has been used during the course of normal scanning.
  • Tenable has agents that can detect USB media usage as frequently as in real time.
  • SecurityCenter offers analytics (e.g., "Removable Media and Content Audits") that make it easy to see an organization's exposure to these problems.

The attacks in Mr. Robot are realistic and can seem intimidating at first, but with proper network monitoring and auditing, as well as user awareness, most can be thwarted.

Thanks to Cody Dumont and Corey Bodzin for their contributions to this article.
