Art Imitating Life: Mr. Robot and the Lessons of DNS Security

Mr. Robot and the lessons of DNS securityWith the return of USA Network’s hit series Mr. Robot to television screens last month, DNS security has again shown it has a part to play. As we are left rooting for the ‘good guy’ hacker Elliott Alderson- who also just happens to be the bad guy- what are the takeaways from the fiction that can be remedied in real life networks?

Beware- spoilers ahead if you haven’t watched the latest episodes. (Unfamiliar with the show? Catch up from our last blog on season 1 here).

This season, we see the fruits of Elliot’s (ahem, Mr. Robot’s) labor, and the plan to destroy E Corp is moved into Stage 2. This involves blowing up a large New York facility that houses all of E Corp’s backup paper records, like deeds, loan documents, titles, etc. With the current digital fingerprint of these documents already gone, and physical copies then destroyed, it would be impossible for the massive corporation to rebuild and recover.

Avoiding SPOF- Single Point of Failure

“And like a botnet, the fear I created is spreading so fast it’s practically airborne”. Seeing the social and political turmoil born from his Five/Nine Hack, Elliott comes to terms with what he has done, and obtains a job at E Corp with the recovery team in order to undo his own Stage 2 plan. In a montage scene, he presents to E Corp managers and executives a plan to disperse and digitize current paper documents. The lesson here, he warns, is to avoid the single point of failure in having all of the paper records in one New York facility.

Single point of failure is all too real for many business networks. Organizations can prepare with redundancy in an attempt to make services as available as possible, but there will more often than not be areas that are overlooked. The DNS protocol in particular is prone to attacks, and its failure can cripple a network almost instantaneously. DDoS attacks, cache poisoning- the list goes on. It is a dangerous prospect to rely on one source in your network architecture and design. Dyn experienced this very issue in October 2016, when the Mirai botnet attack brought down the cloud DNS provider, and its multitudes of known clientele (such as Twitter, Reddit and CNN). 

The answer in this case can be found in a hybrid cloud DNS infrastructure, which employs a combination of in-house DNS and public cloud DNS- effectively removing the risk of putting all your eggs in one basket. Another key to avoid DNS outage and disruption of services is to allow, if possible, geographical diversity. This way you’re able to not only protect your network from Denial of Service (DoS) attacks or even natural disasters, but also to redirect traffic to another server/ location while you face localized network issues.

DNS security network breaches that echo reality

Equifax, Deloitte, Yahoo….the list goes on for major breaches that occurred within the past year. While many of these can blame the failure to patch (why else would Mr. Robot be looking for holes at E Corp on Shodan.io?), others have been prone to DNS attacks. Either way, zero-day exploits and tunneling can be launched against an unprotected DNS, often resulting in the total loss of control of a network and websites. In our most recent DNS Security Survey, 19% of companies admitted they were subject to a DNS zero-day attack, while 83% of them did not apply the necessary number of security patches released. Using a DNS architecture with multiple engines (for example, BIND as well as NSD/Unbound) can eliminate the need to patch in an emergency, as you can alternate one running nameserver to another in a single click, protecting the DNS.

In the show, Elliot visits an underground hackerspace for a CTF ‘Capture the Flag’ tournament in order to gain secure internet access. He succeeds in closing the backdoor to the E Corp systems to protect it from the Dark Army through pwning a DNS registrar-  “change the nameserver configs, hijack the domain”. This type of DNS attack was recently launched against a Brazilian bank, affecting the bank’s network as well as the end-users themselves on the bank website. In this case, protection can be achieved with a solution that signals the system of its own initial infection. Once the network is self-aware, communication can be blocked between the rootkit back to the hacker’s C&C server. As the threat landscape is continually evolving everyday with new malicious content, businesses must stay up to date in real time with the latest attack trends. Dynamic data feeds such as SURBL or FireEye can inform a network of the most recent high-risk domains, a first step filter to protect against the unsolicited usage of your DNS.

Mr. Robot continues to deliver a realistic portrayal of modern hacking, giving fans in the tech industry tidbits to look forward to. But as art imitates life, there will likely be no end in sight for storylines that can be developed around DNS-based exploits. Businesses are wise to be proactive in seeking a dedicated security solution- not everyone is ‘Evil Corp’, but we can all be easily compromised without the proper network architecture and DNS security.

Want to learn more about the rise in DNS vulnerabilities, their potential business effects, and suggestions on rapid remedies? Download the 2017 DNS Threat Survey Report now.