How Brooklyn Nine-Nine S6E14 got cybersecurity all wrong

When we watched the Brooklyn Nine-Nine episode Ticking Clocks (S6E14) earlier this year, we were pretty excited that it mentioned DNS. That’s kind of our jam.

But here’s the thing: just about all of the technical speak in that episode was basically incorrect. So like the fact-checking DNS geeks we are, we decided to correct the record, one jargon-y misstatement at a time. You’re welcome.

Brooklyn Nine-Nine S6E14 – Ticking Clocks: A Quick Recap

If you haven’t seen Ticking Clocks, here’s what happened: With the help of Sergeant Knox, a guy from Cyber Operations, the Nine-Nine races to save the precinct from a massive security breach. Spoiler alert: the hacker behind it all turns out to be Knox himself! Amy, who arrived at the scene late, was only able to identify the guy as a disguised suspect because it was a case she worked on. The rest of the team was completely oblivious because Knox has been taking advantage of their lack of technical knowledge all along.

Here’s a list of all the errors we found:

01:59 – “This is Sergeant Knox from Cyber Operations. He’s discovered the reason for our network issues.”

Sergeant Knox, the IT guy from Cyber Operations, comes to analyze the problem from the captain’s laptop. That’s already fishy. Holt may be a captain but he is just a user with a user device. His laptop shouldn’t hold special IT-related controls. Especially with security solutions like BlueCat’s DNS Edge, network admins can apply policies to control access for every client based on their role.

So unless it’s a problem with the hardware, Knox taking a look at Holt’s laptop isn’t necessary.

Then why is he there? Clearly not to “fix the internet”. (Pro tip: The internet is never down. The issue may be your network, the server, or something else entirely.)

02:21 – “The hacker’s already used an ARP to resolve the host name with the DNS server.”

Here’s the truth: all those words are unrelated. ARP stands for Address Resolution Protocol, a data-link layer protocol that resolves an IP address to a MAC (Media Access Control) address, which is basically a physical network address. On the other hand, DNS, which stands for Domain Name System, is a hierarchical naming system that allows communication across devices on a network. Most commonly, it translates human-readable domain names (like bluecatnetworks.com) to computer-friendly IP addresses (like 104.239.197.100).

IP networks require ARP to function, so if ARP isn’t working, DNS won’t work. Other than that, DNS and ARP are distinctly separate.

02:24 – “They are trying to get root access by connecting the OSI network to the data link.”

First of all, OSI isn’t a network, it’s a model for networking. The OSI model is a seven-layer network model that defines the communication functions of a computing system. Data link is the second layer of the OSI model, not something a network would connect with. The data link layer’s main function is to regulate the flow of data in and out of a physical link to a network.

Root access means having full permission to do anything on a device. It has nothing to do with the OSI model. Not all network tools offer root access, but to make significant changes and customize features, root access is a necessity. (That’s why BlueCat offers added an extra layer of security by integrating with CyberArk).

02:37 –  “They’re almost through our defenses.”

Security “defenses” in a cyber environment do exist; however, this line is imprecise. The more accurate term for this is defense in depth, which refers to a cybersecurity approach in which multiple layers of defensive mechanisms protect the network environment.

Some common security elements found in a defense-in-depth strategy would include network security controls such as an external firewall, endpoint protection, and data integrity tools. For heightened visibility and control, users can also turn to DNS security.

02:40 –  “If we can’t stop them, they’ll be inside our server in… 19 minutes!”

In reality, most cybersecurity threats aren’t associated with deadlines or time limits. A deadline could apply to some form of ransomware, such as if the malicious actor threatens to delete encryption keys for files taken hostage if they don’t receive payment in time.

But what usually happens is this: Compromised users are notified by one of their many security solutions detecting anomalous activity on their network. An investigation ensues. The malicious actor likely would have elevated their privileges to gain access to parts of the network. So, once malicious activity is found, the first step is to shut off access.

Next, there must be analysis of everything that the malicious actor and the infected user has accessed. Advanced security tools like the ones BlueCat offers can play a big part here. BlueCat makes it easy to root out ‘patient zero’ in a cyberattack and reduce the time needed to remediate breaches. The steps that trace the stages of a cyberattack from early threat reconnaissance to data exfiltration is called a cyber kill chain.

03:20 – “I’ve tried removing the server from the chain, but the hacker blocked the protocol.”

These words are just more tech jargon strung together to form meaningless sentences. “Removing the server from the chain,” in more accurate terms, could mean that Knox has tried removing the server from the network. In that case, he would have air-gapped the computer, isolating it from any internet connection. Maybe this is why the precinct’s connection is down in the first place!

“Blocking the protocol” is also too vague to mean anything. There are many different network protocols that Knox could have meant. Was it the TCP/IP protocol? The DNS protocol? The DHCP protocol? To make sense, this line requires more details.

03:34 – “I have an override code I can use to wipe the servers clean.”

As the clock ticks, Captain Holt suggests using his override code to delete the entire server database. This is unrealistic because, as a user, the captain would not have this type of privilege. With a security solution, network admins can apply policies to control access for every client based on their role (like the role-based access control that BlueCat Edge provides).

More questions arise when they reveal that the server is only backed up twice a year! Today, at a minimum, both physical and virtual servers usually get backed up once weekly, or up to as often as every 30 minutes.

04:22 – “They [the malicious actor] must be going through a physical AP!”

If someone was attempting to breach a physical access point (AP) they would have to physically tamper with WiFi routers and ethernet cables. These are typically located in the ceiling. If we take the statement at face value, going through a physical AP would mean tampering with a device in the ceiling in the middle of the day. With the type of security you’d expect from a police precinct in Brooklyn, this is unrealistic.

15:16 – “We just got a NOS ping from the first floor. The hacker is in room 103!”

A ping is a signal used to test the reachability of another computer or network. A NOS ping, however, is just the abbreviation for Network Operating System and the word “ping” strung together! Instead, the best way to find the location of a device within a network environment is to use the wireless LAN system.

Oblivious, the team follows Knox’s fake directions, nearly letting him get away with his plan. Luckily, the squad races back to Holt’s office just in time to stop him from wiping the database.

As Knox nearly got away with his malicious plan, the precinct’s security may have had its flaws. But the main threat that day? Social engineering.

Social engineering and the importance of cybersecurity awareness

The characters in Brooklyn Nine-Nine may throw around a lot of meaningless technology terms, but the underlying message of cybersecurity is still important. Threats crawl into networks in many different ways. In this case, Knox used the team’s lack of technical knowledge to his advantage. This way of exploiting human psychology and interactions to accomplish malicious objectives is called social engineering.

Social engineering attacks often start with the perpetrator doing a background investigation of the target. Knox executed this well by making sure that Amy, the person who could recognize him, was not there in the morning.

The next social engineering tactic is to gain the victim’s trust and get them to bend or break standard security practices. Knox did this by seeming very credible as an IT guy from cyber operations. He nearly managed to pressure Holt into wiping the whole database clean to protect himself!

Social engineering relies on human rather than software error, which makes it harder to predict and identify. Thwarting social engineering techniques is a shared responsibility between IT and security leaders, who have extensive knowledge about cybersecurity, and all other employees. It requires a collective effort to ensure that everyone is cyber-aware and well-educated to identify threats.