Older than I’d like to imagine
Do InfoSec stuff
Would rather be
Who Am I?
@markofu
Slide 4
100 million monthly active players
More than 27 million daily active players
More than 7.5 million peak concurrent players
Slide 5
Aspire
eSports
Slide 6
Aspire
Who Are We?
Slide 7
AGENDA
Who
Getting to the Nexus
2015
2018
Slide 10
IR
Slide 11
Diagram: # of VPNs, multiple VPCs in AWS
Slide 12
What brought us agility also brought us the Wild Wild West of Computing
Slide 15
RFCs = Tech Design
Slide 16
RFC Feedback
Not an approval process, it’s about receiving advice!
Becomes a standard through adoption @ scopes
Receive comments & iterate through the draft
Slide 17
Goal :: Alignment with Rioters on a secure standard for our office builds, with our offices being treated as code
Why :: We had no visibility and couldn’t do Incident Response effectively
How :: Document, Receive Feedback, Iterate & ultimately create a defendable network capable of alerting and forensics
RFC0242
Slide 20
AGENDA 2015
Who
2018
Getting to the Nexus
Slide 23
Team
Slide 24
Where :: All offices worldwide (mandatory for code access)
How :: Automation & lots of air miles
What :: Centralised logging, Visibility, “Office as Code” & Threat Intel
RFC0242
Slide 28
$
Slide 29
Prevention
Deterrence
Detection
Strategy
Slide 34
Secrets
Slide 35
Provides temporary AWS API tokens (via STS) & activity monitoring
Minimize/Remove the use of long-lived AWS API Keys => Less Impact
Metrics
AWSKey
Slide 39
Cloud is Magic
Slide 40
Storytime
Slide 41
Problem Statement
While AWS is a great place to rapidly iterate and test new features, the vast number of accounts, instances and usage has no easy way of attributing a running instance back to an owner or feature.
Ownership
Slide 42
Boil The Ocean
Slide 43
Why :: Incident Response is hard when you don’t know who owns what
Why :: If you don’t need it, why is it running?
What :: Tagging is incredibly easy to use to identify ownership
What, where, who?
Slide 45
Shrink the change => No decision paralysis
Feedback & moved to the adoption stage
Standard across Riot
Solution
Slide 46
Required Tags :: Name, Owner & Accounting
Schedule
At 0, 21 and 27 days => Notify Gatekeeper and owner (if possible)
At 4 weeks => Shutdown Instance
At 12 weeks => Terminate Instance
Tagging Details
Slide 47
Removes incorrectly tagged & un-owned AWS objects
Checks that security features are turned on throughout our AWS Infra
DNS hijacking & IAM policy management
Cinq Features
Slide 48
Code Time
Slide 49
MurderBot
Slide 50
Sad
Slide 51
Our communications & planning had gaps
Confusion around RFC Adoption
Our notification code had bugs
Learnings
Slide 52
Feedback
“By doing a RCA, the team has truly shown themselves to be part of Engineering. We all make mistakes - this is how we learn and improve. /fistbump”
Cam Dunn (Tech Director), Dec. 2016
Slide 53
2nd Adoption, Yay!
bcc Engineering
“Thanks for everyone's input and consideration for RFC0026, aka MurderBot, over the last several weeks. This is now adopted at Riot scope.”
Mike Seavers (Director of Engineering), Feb. 2017
Slide 56
The following resources are not compliant with the Required Tagging standards...
Issues
Resource | Resource Type | Account    | Region    | Missing tags      | Notes                  | Alert Info
i-0xyz   | EC2 Instance  | marky-mark | us-west-2 | owner, accounting | No Notes               | 27 days alert
i-1xyz   | EC2 Instance  | marky-mark | us-west-2 | owner, accounting | No Notes               | Resource stopped
i-2xyz   | EC2 Instance  | marky-mark | us-west-2 | owner             | Owner tag is not valid | Resource removed
i-3xyz   | EC2 Instance  | marky-mark | us-west-2 | name              | No Notes               | 0 seconds
Email Notify
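The tagging schedule from the Tagging Details slide (notify at 0, 21 and 27 days, shut down at 4 weeks, terminate at 12 weeks) and the rows of the Email Notify mail, as an added Python example that is not Cinq's code or the deck's own; the record layout, the once-a-day run and the rule that a valid Owner tag is an e-mail address are assumptions, and the sample instances are constructed.

```python
from datetime import datetime
REQUIRED_TAGS = ("Name", "Owner", "Accounting")   # Tagging Details slide
NOTIFY_DAYS = (0, 21, 27)                         # notify Gatekeeper and owner
STOP_DAYS, TERMINATE_DAYS = 4 * 7, 12 * 7         # 4 weeks: shutdown; 12 weeks: terminate

def check_tags(tags):
    """Return (missing_tags, note) the way the notification mail lists them."""
    missing = [t.lower() for t in REQUIRED_TAGS if not tags.get(t)]
    note = "No Notes"
    # Assumption: a valid Owner tag is an e-mail address; the slides do not define validity.
    if tags.get("Owner") and "@" not in tags["Owner"]:
        missing.append("owner")              # present but unusable counts as missing
        note = "Owner tag is not valid"
    return missing, note

def scheduled_action(age_days):
    """Escalate on days since the resource was first found non-compliant."""
    if age_days >= TERMINATE_DAYS:
        return "terminate", "Resource removed"
    if age_days >= STOP_DAYS:
        return "stop", "Resource stopped"
    if age_days in NOTIFY_DAYS:              # assumes the job runs once a day
        return "notify", f"{age_days} days alert"
    return "none", f"{age_days} days"

def build_report(instances, now):
    """Rows for the 'not compliant with the Required Tagging standards' mail."""
    rows = []
    for inst in instances:
        missing, note = check_tags(inst["tags"])
        if not missing:
            continue                         # compliant: nothing to notify or enforce
        action, info = scheduled_action((now - inst["first_seen"]).days)
        rows.append({"resource": inst["id"], "account": inst["account"],
                     "region": inst["region"], "missing": ", ".join(missing),
                     "notes": note, "action": action, "info": info})
    return rows

NOW = datetime(2017, 3, 1)   # constructed sample below; ids/account echo the Email Notify slide
SAMPLE = [
    {"id": "i-0xyz", "account": "marky-mark", "region": "us-west-2",
     "tags": {"Name": "api"}, "first_seen": datetime(2017, 2, 2)},   # 27 days: alert
    {"id": "i-2xyz", "account": "marky-mark", "region": "us-west-2",
     "tags": {"Name": "api", "Owner": "nobody", "Accounting": "rnd"},
     "first_seen": datetime(2016, 12, 1)},                            # 90 days: removed
]

if __name__ == "__main__":
    for row in build_report(SAMPLE, NOW):
        print(row)
```

A compliant instance produces no row, so the mail only lists resources the schedule will act on.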
Slide 57
OSS Cost
Slide 58
AGENDA 2015
Who
Getting to the Nexus
2018
Slide 59
RFC0242 :: Our focus is changing from Riot to Rioter
Auth :: No permanent credentials & enforced dynamic access policies
Everywhere :: More attribution & platform-independent solutions
Futures (1)
Slide 60
New & Shared :: Work with new products & try to solve with solutions that can be leveraged by many
Measure :: Are we doing any good? If so, how and where?
Collaboration :: Bug Bounty++, OSS++, Tools & Blogs (Int & Ext)
Futures (2)
Slide 61
Started :: DFIR & Emergent
Next :: Visibility, Being Embraced, Collaboration & Tools
Now :: Tools within Workflows, Occasional Blocking & Measurement
Evolution