When we watched the Brooklyn Nine-Nine episode “Ticking Clocks” (S6E14) earlier this year, we were pretty excited when DNS was mentioned. That’s kind of our jam.
But here’s the thing: just about all of the technical speak in that episode was basically incorrect. So like the fact-checking DNS geeks we are, we decided to correct the record with resident Director of Solution Architects Noel Reynolds, one jargon-y misstatement at a time. You’re welcome.
Brooklyn Nine-Nine S6E14 – Ticking Clocks: A Quick Recap
If you haven’t seen ‘Ticking Clocks’, here’s what happened: With the help of Sergeant Knox, a guy from Cyber Operations, the Nine-Nine races to save the precinct from a massive security breach. Spoiler alert: the hacker behind it all turns out to be Knox himself! Amy, who arrived at the scene late, was only able to identify the guy as a disguised suspect because it was a case she worked on. The rest of the team was completely oblivious because Knox has been taking advantage of their lack of technical knowledge all along.
Here’s a list of all the errors we found:
01:59 – “This is Sergeant Knox from Cyber Operations. He’s discovered the reason for our network issues.”
Sergeant Knox, the supposed IT guy from Cyber Operations, sits down to analyze the problem from the captain’s laptop. That’s already fishy, Noel says. Holt may be a Captain, but on the network he is just a user with a user device; his laptop shouldn’t hold any special IT-related controls. With a security solution like BlueCat’s DNS Edge, network admins apply policies that control what every client can reach based on its role, and a captain’s laptop is just another client.
So unless it’s a problem with the hardware, Knox taking a look at Holt’s laptop isn’t necessary.
Then why is he there? Clearly not to ‘fix the internet’. (Pro tip: ‘the internet’ as a whole is essentially never down. The issue is your local network, a server, or something else entirely.)
02:21 – “The hacker’s already used an ARP to resolve the host name with the DNS server.”
Here’s the truth: those words don’t fit together. ARP (Address Resolution Protocol) is a link-layer protocol that maps an IPv4 address to a MAC (Media Access Control) address, the hardware address of a network interface on the local segment. (IPv6 does the same job with Neighbor Discovery instead of ARP.) DNS (the Domain Name System), on the other hand, maps domain names to IP addresses. The only connection between them is ordering: on an IPv4 Ethernet LAN a host needs ARP to learn the MAC address of the next hop (the DNS server if it is on the same subnet, otherwise the default gateway) before its DNS query can even leave the interface, so if ARP is broken, DNS queries never get out. ARP never ‘resolves a host name’ with anything; it never sees a name at all.
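Since the episode mashes ARP and DNS together, here is what ‘resolving a host name’ actually puts on the wire, as an added example that is not part of the original article or of BlueCat’s code: a hand-built ARP request and a hand-built DNS query and answer, encoded and decoded with Python’s struct module so it runs offline. The MAC and IP addresses, the transaction ID and the name example.com are constructed sample values; 192.0.2.10 is a documentation address. Step 1 is the ARP request a host on an IPv4 Ethernet LAN broadcasts to learn the MAC address of its on-link resolver (or of the default gateway); step 2 is the DNS query that then travels inside a frame addressed to that MAC. The decoder also handles RFC 1035 name compression, which real answers use, so it goes a little beyond the two-line explanation above.

```python
import struct

# ----- ARP (RFC 826): an Ethernet frame carrying MAC and IPv4 addresses only -----
ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_arp_request(src_mac, src_ip, target_ip):
    """Broadcast frame asking 'who has target_ip? tell src_ip' (constructed sample values)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1,          # Ethernet, IPv4, request
                      mac_bytes(src_mac), ip_bytes(src_ip),
                      bytes(6), ip_bytes(target_ip))        # target MAC still unknown
    return eth + arp

def parse_arp(frame):
    """Decode an Ethernet+ARP frame. Note there is no field a host name could live in."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack_from(ARP_FMT, frame, 14)
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": "request" if op == 1 else "reply", "sender_mac": mac(sha),
            "sender_ip": ip(spa), "target_mac": mac(tha), "target_ip": ip(tpa)}

# ----- DNS (RFC 1035): 12-byte header, then questions / resource records -----
def encode_name(name):
    """'example.com' becomes 0x07 'example' 0x03 'com' 0x00 (length-prefixed labels)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def decode_name(msg, offset):
    """Read a name at offset, following compression pointers; returns (name, end offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset, jumped = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF, True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def build_dns_query(name, txid=0x1234):
    """Standard query, recursion desired, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_dns_answer(query, ip):
    """Constructed reply: same txid, echoed question, one A record (name as pointer to offset 12)."""
    txid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + ip_bytes(ip)
    return header + query[12:] + rr

def parse_dns(msg):
    """Decode header, questions and A-record answers of a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype = struct.unpack_from("!HH", msg, offset)[0]
        offset += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:                   # A record: name -> IPv4
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

def resolve_on_lan(host_mac, host_ip, resolver_ip, name):
    """The two steps a host on an IPv4 Ethernet LAN takes to resolve `name` via an on-link resolver."""
    return {"step1_arp": parse_arp(build_arp_request(host_mac, host_ip, resolver_ip)),
            "step2_dns": parse_dns(build_dns_query(name))}
```

Feeding the DNS query to `parse_arp` raises, and nothing in the ARP frame can hold a name: the two protocols share no fields, only the fact that one has to happen before the other can be delivered.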
02:24 – “They are trying to get root access by connecting the OSI network to the data link.”
First of all, OSI isn’t a network; it’s a model for networking. The OSI model is a seven-layer reference model that describes the communication functions of a networked system. The data link layer is layer 2 of that model, not something a network would ‘connect to’. Its job is to frame data for transmission over a single physical link, address those frames (this is where MAC addresses live) and detect transmission errors.
Root access means having the superuser’s full permission to do anything on a device (root on Unix-like systems; Administrator or SYSTEM on Windows). It has nothing to do with the OSI model. Not all network tools require root, but making significant changes and customizing features usually does, which is exactly why that level of access should be tightly controlled and logged. (That’s why BlueCat added an extra layer of security by integrating with CyberArk.)
02:37 – “They’re almost through our defenses.”
Security ‘defenses’ in a cyber environment do exist, but the line is imprecise. The more accurate term is defense in depth: a cybersecurity approach in which multiple defensive mechanisms are layered, so that if one control fails or is bypassed, another still stands between the attacker and the asset.
Common elements of a defense in depth strategy include network security controls such as an external firewall, endpoint protection, data integrity tools, and more. For added visibility and control, DNS security solutions can also be part of the stack.
02:40 – “If we can’t stop them, they’ll be inside our server in… 19 minutes!”
In reality, Noel counters, most cybersecurity threats don’t come with a deadline or a countdown. The closest thing is ransomware, where the attacker threatens to delete the decryption keys for the ‘hostage’ files if payment doesn’t arrive by a set time.
What usually happens is this: one of the many security solutions in place detects anomalous activity on the network and flags it for investigation. Once malicious activity is confirmed, the first step is containment: cut off the attacker’s access (isolate the affected hosts, revoke the compromised credentials), because by then they have likely escalated their privileges to reach important parts of the network.
Next, everything the malicious actor and the compromised user touched also needs to be analyzed. Advanced security tools like the ones BlueCat offers can play a big part here: BlueCat makes it easy to root out ‘patient zero’ in a cyberattack and reduce the time needed to remediate a breach. The model that describes the stages of a cyberattack, from early reconnaissance through to data exfiltration, is called the cyber kill chain, and tracing an intrusion against it tells you how far the attacker got.
03:20 – “I’ve tried removing the server from the chain, but the hacker blocked the protocol.”
These words are just more tech jargon strung together into a meaningless sentence. ‘Removing the server from the chain’ could, charitably, mean that Knox tried to take the server off the network. Done properly, that means air-gapping it: physically disconnecting it from every network, not just from the internet. Maybe this is why the precinct’s connection is down in the first place!
“Blocking the protocol” is also too vague to mean anything. There are many network protocols Knox could have meant: TCP? DNS? DHCP? To make sense, this line needs more detail.
03:34 – “I have an override code I can use to wipe the servers clean.”
As the clock ticks, Captain Holt offers his override code to delete the entire server database. This is unrealistic: as an ordinary user, the captain would not hold that kind of privilege, and wiping production servers should never be one person’s single-click action anyway. With a security solution, network admins apply policies that control access for every client based on its role (like the role-based access control BlueCat provides).
More questions arise when they reveal that the server is only backed up twice a year. Today, both physical and virtual servers are typically backed up anywhere from as often as every 30 minutes to, at minimum, once a week.
04:22 – “They [the malicious actor] must be going through a physical AP!”
In networking, AP usually means a wireless access point. Going through a ‘physical AP’ would mean physically tampering with the access point hardware, which is typically mounted on the ceiling, or with the Ethernet cabling behind it. Taking the line at face value, the hacker would have to be up on a ladder fiddling with a device on the ceiling in the middle of the day. With the kind of physical security you’d expect from a police precinct in Brooklyn, that’s unrealistic.
15:16 – “We just got a NOS ping from the first floor. The hacker is in room 103!”
A ping is an ICMP echo request sent to a host to test whether it is reachable; the echo reply tells you the host is up, not where it is. A ‘NOS ping’, however, is just the abbreviation for ‘Network Operating System’ and the word ‘ping’ strung together! Instead, Noel counters, the best way to find the location of a device within an environment is to use the wireless LAN system itself, which can report which access points hear the rogue device and how strongly, or, for a wired device, the switch port its MAC address shows up on.
Oblivious, the team follows Knox’s fake directions, nearly letting him get away with his plan. Luckily, the squad races back to Holt’s office just in time to stop him from wiping the database.
Given how close Knox came to pulling it off, the precinct’s security clearly had its flaws. But the main threat that day? Social engineering.
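To make ‘ping’ concrete, here is an ICMP echo exchange worked in Python, an added example that is not from the original article or from any BlueCat product: the request the pinging host sends, the reply the target returns, the RFC 1071 checksum both sides verify, and the identifier/sequence/payload matching that decides whether a reply belongs to a request. Nothing is sent on the network; the packets are constructed in memory and the payload, identifier and sequence values are made up. Note what it does and doesn’t tell you: a matching reply says a host at that IP answered, nothing about which room it is in.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
ICMP_HDR = "!BBHHH"  # type, code, checksum, identifier, sequence number

def icmp_checksum(data):
    """RFC 1071 one's-complement sum; over a correctly checksummed packet it yields 0."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data for 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """ICMP echo packet with the checksum computed over header + payload."""
    head = struct.pack(ICMP_HDR, icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(head + payload)
    return struct.pack(ICMP_HDR, icmp_type, 0, csum, ident, seq) + payload

def parse_echo(packet):
    """Decode an echo packet, rejecting truncated or corrupted ones via the checksum."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        raise ValueError("truncated or corrupted ICMP packet")
    icmp_type, _code, _csum, ident, seq = struct.unpack_from(ICMP_HDR, packet, 0)
    return {"type": icmp_type, "id": ident, "seq": seq, "payload": packet[8:]}

def answer_echo(request):
    """What the target host does: flip type 8 -> 0 and echo id, seq and payload."""
    req = parse_echo(request)
    if req["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("not an echo request")
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])

def reply_matches(request, reply):
    """The pinging host only counts a reply whose id, seq and payload match its request."""
    try:
        req, rep = parse_echo(request), parse_echo(reply)
    except ValueError:
        return False
    return (rep["type"] == ICMP_ECHO_REPLY and
            (req["id"], req["seq"], req["payload"]) == (rep["id"], rep["seq"], rep["payload"]))
```

The identifier is how several ping processes on one host keep their replies apart, and the sequence number is what lets the tool report which packets were lost; a reply with a corrupted byte fails the checksum and is discarded rather than counted.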
Social engineering and the importance of cybersecurity awareness
The characters in Brooklyn Nine-Nine may throw around a lot of meaningless technology terms, but the underlying message of cybersecurity is still important. Threats crawl into networks in many different ways. In this case, Knox used the team’s lack of technical knowledge to his advantage. This way of exploiting human psychology and interactions to accomplish malicious objectives is called social engineering.
Social engineering attacks often start with the perpetrator researching the target. Knox executed this well by making sure that Amy, the one person who could recognize him, was not there in the morning.
The next tactic is to gain the victim’s trust and get them to bend or break standard security practices. Knox did this by coming across as a credible IT guy from Cyber Operations. He nearly managed to pressure Holt into wiping the whole database clean, an action that would have served Knox, not the precinct!
Social engineering exploits human rather than software error, which makes it harder to predict and detect. Thwarting it is a shared responsibility: the IT and security staff who have deep cybersecurity knowledge, and every other employee, all need to be cyber-aware and trained to recognize these tactics, starting with the simple habit of verifying who someone is before handing over access.