Fair warning: if you aren’t caught up, there are spoilers for the first episode of the final season of Mr. Robot below.
It’s an alien sensation to be watching the fourth and final season of Mr. Robot as a civilian: having worked as a technical consultant for the first three seasons of the show, I already knew most of what unfolded as those episodes aired. It is satisfying for this season’s events to come as a surprise for a change. It is unsurprising, though, to see Elliot and company right back at it, running the same sorts of playbooks we’ve seen serious threat actors use before (and will likely see again).
As this season opens, the world is preparing for the Christmas holiday, having partially recovered from the effects of a cyberattack with devastating digital and kinetic consequences. Elliot, meanwhile, is in a race against time to thwart the plans of Whiterose and her Dark Army. While the premiere lacked some of the nitty-gritty technical shots that we’ve become accustomed to, the targets and tactics were as real as ever. What is striking in this episode is the indirection. Unable to get the information he needs by attacking the Dark Army directly, Elliot focuses instead on the law firm Lomax & Looney in an effort to uncover records about the Dark Army’s shell companies and financial transactions.
This move mirrors the real-world attack against law firm Mossack Fonseca that occurred in 2015, resulting in the disclosure of the now-infamous Panama Papers.
Elliot also employs another noteworthy technique in targeting the firm’s namesake partner Freddy Lomax: rather than attempting to evade the law firm’s defenses, he uses those defenses to create a red herring. Elliot – as Mr. Robot – begins by telling Lomax to click a phishing link that he’s just been sent. Lomax protests by saying, “This isn’t going to get past our IT guys,” to which Elliot replies, “That’s what I’m counting on,” before instructing Lomax to create a local archive of his email inbox on a USB thumb drive.
Though we don’t see it explicitly in this episode, it appears as though Elliot intends to send the law firm’s IT department on a wild goose chase by creating the appearance that the phishing link, not the USB drive, was the method of data exfiltration. Most of the remainder of the episode is Elliot’s race to retrieve the USB drive from Lomax as he’s being tracked by the Dark Army’s hit squad using the Bluetooth Low Energy (BLE) beacon in his office keycard.
As is often the case with Mr. Robot, even when an episode’s human drama overshadows the hacking and security elements, there are valuable security lessons:
- Sensitive data often resides in very mundane and easily accessible places – Some data-loss prevention (DLP) providers have estimated that nearly 90 percent of an organization’s intellectual property may reside in email. Moreover, as the fictitious scenario in the Season 4 premiere of Mr. Robot (and the real-world Panama Papers and Paradise Papers incidents) aptly demonstrates, valuable (and potentially damaging) information may also reside in the systems of organizations that are business partners, service providers or suppliers. Third-party risk management is a non-trivial undertaking, but one that will become increasingly important as many business partners come to operate like departments of the organization, rather than as standalone entities.
- It is very hard to defend against an insider exercising legitimate privilege – It stands to reason that any user would have access to their own inbox, and it is not uncommon for users to create email archives as backups. Freddy Lomax performing exactly that action, in isolation, is unlikely to raise any alarms. Lomax & Looney did not, apparently, have technical controls for removable media, nor any other mechanisms to restrict the flow of sensitive information that might have delayed or prevented the exfiltration.
- Once the data is gone, it can’t be “recovered” – In compromising Lomax’s email, Elliot deliberately created a diversion for incident responders – but whether or not they take the bait has no impact on Elliot’s ultimate objective. He has the information he needs to make his next move to stop the Dark Army. The Russian hacking against the campaign of Hillary Clinton and the DCCC offers a real-world parallel: Though the forensic investigation was able to provide fairly conclusive attribution, the data was already exposed and the damage already done. Ben Franklin’s famous quote, “An ounce of prevention is worth a pound of cure,” has graduated into the realm of cliché for a reason: It’s true. Although data protection is a broad area, effective coverage can be achieved through the application of frameworks like the CIS Top 20 Critical Controls. No framework can solve everything, but by doing the fundamentals well and mitigating the easy risks, it becomes possible to focus attention and energy on the more difficult problems.
- “Ambient computing” can be a significant threat to privacy and safety – The consequences for Freddy Lomax represent a dire and, in today’s threat landscape, unlikely outcome. But the ubiquity of transmitters in all of our devices enables everything from individual user tracking to monitoring beacons from laptops to identify a car worth breaking into. Unless and until there are better regulatory guidelines to govern the collection and use of this data, users would do well to minimize their RF footprint whenever and wherever possible.
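The second and third lessons above come down to a correlation problem for defenders: a mailbox archive written to removable media is unremarkable on its own, and a blocked phishing click is exactly the alert that pulls responders the wrong way. The script below is an added example, not code from the article, from the show or from MobileIron. It runs constructed endpoint telemetry (the field names such as `event`, `volume_type`, `path` and `bytes` are assumptions, not any product’s real schema) and flags a mailbox-archive write to a recently mounted removable volume, reporting alongside it how many phishing clicks occurred in the same window so the responder sees both channels rather than chasing only the noisy one.

```python
"""Correlate endpoint events to spot mailbox archives copied to removable media.

Added example for illustration only; not code from the article or MobileIron.
Every log record below is constructed, and the field names are assumptions
rather than the schema of any real EDR, DLP or proxy product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# File extensions that commonly carry a whole mailbox export.
MAILBOX_ARCHIVE_EXTS = (".pst", ".ost", ".olm", ".mbox")

# Constructed sample telemetry: a phishing click that the web proxy blocked,
# followed minutes later by a 2 GiB mailbox archive landing on a USB volume.
# A second user's ordinary document save on a fixed disk is included as a
# negative case. User names and hostnames are invented.
SAMPLE_EVENTS = [
    {"ts": "2019-12-20T09:02:11", "event": "url_click", "user": "flomax",
     "host": "LL-WS-017", "url": "http://example.invalid/invoice",
     "action": "blocked"},
    {"ts": "2019-12-20T09:05:40", "event": "removable_media_mounted",
     "user": "flomax", "host": "LL-WS-017", "volume": "E:",
     "volume_type": "removable"},
    {"ts": "2019-12-20T09:18:55", "event": "file_write", "user": "flomax",
     "host": "LL-WS-017", "path": r"E:\backup\flomax.pst", "volume": "E:",
     "bytes": 2_147_483_648},
    {"ts": "2019-12-20T10:30:00", "event": "file_write", "user": "jlooney",
     "host": "LL-WS-004", "path": r"C:\Users\jlooney\Documents\notes.docx",
     "volume": "C:", "bytes": 40_960},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_removable_archive_writes(events, window_minutes=30):
    """Return findings where a mailbox archive is written to a removable volume.

    A write counts only when the same user on the same host mounted a removable
    volume with that drive letter within `window_minutes` before the write.
    Each finding also counts the phishing clicks by that user/host in the same
    window, so the removable-media channel and the e-mail channel are
    presented together instead of as unrelated alerts.
    """
    window = timedelta(minutes=window_minutes)
    mounts = defaultdict(list)   # (user, host, volume) -> [mount times]
    clicks = defaultdict(list)   # (user, host) -> [(click time, proxy action)]
    for e in events:
        if e["event"] == "removable_media_mounted" and e.get("volume_type") == "removable":
            mounts[(e["user"], e["host"], e["volume"])].append(_parse(e["ts"]))
        elif e["event"] == "url_click":
            clicks[(e["user"], e["host"])].append((_parse(e["ts"]), e["action"]))

    findings = []
    for e in events:
        if e["event"] != "file_write":
            continue
        if not e["path"].lower().endswith(MAILBOX_ARCHIVE_EXTS):
            continue
        t = _parse(e["ts"])
        key = (e["user"], e["host"], e["volume"])
        # Require a removable mount of that drive letter shortly before the write.
        if not any(t - window <= m <= t for m in mounts[key]):
            continue
        nearby = [action for (ct, action) in clicks[(e["user"], e["host"])]
                  if t - window <= ct <= t]
        findings.append({
            "user": e["user"],
            "host": e["host"],
            "path": e["path"],
            "bytes": e["bytes"],
            "blocked_clicks_nearby": nearby.count("blocked"),
            "likely_exfil_channel": "removable_media",
        })
    return findings


if __name__ == "__main__":
    for f in find_removable_archive_writes(SAMPLE_EVENTS):
        print(f"{f['user']}@{f['host']}: {f['bytes']} bytes to {f['path']}; "
              f"{f['blocked_clicks_nearby']} blocked phishing click(s) nearby; "
              f"likely channel: {f['likely_exfil_channel']}")
```

On the constructed sample this yields one finding for the 2 GiB archive on `E:` with one blocked click in the preceding half hour, and nothing for the ordinary document save on `C:`. The design choice worth noting is that the mount event, not the file extension alone, gates the alert: that keeps routine archive backups to fixed disks or network shares out of the queue, which is what makes the alert actionable rather than another source of noise.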
The final takeaway is that, unlike Elliot, real-world adversaries don’t have lofty ideals, nor do they suffer crises of conscience: They will continue to pursue their objectives without regard for the collateral damage. There are only so many episodes of Mr. Robot left, but the raft of recent and likely future breaches offers enough fodder for a run that could rival Gunsmoke or The Simpsons. Let’s take what art has shown us and use those lessons so there is less to imitate going forward.
James Plouffe (CISSP) is strategic technologist at MobileIron and a former consultant for the TV show Mr. Robot.