Twitch Internal Security Tools: In-depth Analysis of the Leaked Twitch Security Tools


How was Twitch hacked? What security controls did Twitch build?

The Twitch breach revealed more than 120 internal security tools developed by the Twitch Security team.

I analyzed all the leaked security tools that were developed by Twitch Security. Check out the full research.

Background

Twitch is an interactive live-streaming service for content, gaming, entertainment, sports, and music. In 2015, Amazon acquired Twitch for $970 million, and during the COVID-19 pandemic its market value skyrocketed as more people adopted live-streaming from home.

On October 6, 2021, it was announced that Twitch had suffered a massive data breach that leaked its source code, internal databases, revenue documents, and the payout documents of its members.

The security tools of Twitch were leaked during the breach. Twitch Security has clearly invested a lot of time and effort in building its security program. This can be seen from the tools published on the Internet; the majority of companies with mature security programs today have less than 50% of what Twitch Security has internally built over the years.

I analyzed all the security tools written by Twitch Security. I thoroughly reviewed the source code, configurations, build configuration process, and everything else that was leaked and became public knowledge on the Internet through the breach.

In this blog post, I analyze all the security tools that Twitch Security built within its security program. I also tag them by use case, service, and category. This research should act as a reference for how modern security teams build their programs and as inspiration for enhancing currently running security programs.

At the end of the blog post, I will share my thoughts on the breach, how I feel about it, and what could have been done by Twitch to handle this breach in better ways.


Table of Contents

  1. Background
  2. Leaked Tools
  3. Final Thoughts
  4. References

Who Am I?

I’m a cyber security engineer who specializes in AppSec, InfraSec, and building security programs. Read more about my previous work at mazinahmed.net. I also built FullHunt.io, Stressful.io, tfquery, and a few open-source security tools.


Leaked Tools

1) Tool: agentconn

Description: A simple Go package to open an ssh-agent socket.

Tags: script, package


2) Tool: apache-pf-deb-build

Description: Apache PingFederate Module Deb Package Builder.

PingFederate is an enterprise federation server that enables user authentication and single sign-on. It serves as a global authentication authority that allows employees, customers, and partners to access all the applications they need from any device securely.

This module is a builder for integrating PingFederate with Apache.

Tags: apache, authentication, authorization, pingfederate


3) Tool: AWS-Cloudtrail-Security-Configs

Description: Miscellaneous scripts for configuring AWS cloudtrails

Tags: aws, cloudtrails, config


4) Tool: AWS-Cloudtrail-Security-tform

Description: This is the terraform version of the configuration at AWS-Cloudtrail-Security-Configs.

Tags: terraform, aws, cloudtrails, config


5) Tool: bastion-squid-build

Description: A patch file for the Squid configuration used on the “Bastions” service.

Tags: squid, config


6) Tool: bastionmetrics

Description: An old script that pushes logs from a service called “Bastions”.

Tags: logging, automation


7) Tool: beholder

Description: An internal Python Flask app for Security to run reports against Jira and Google Sheets to get team program reports and metrics.

It also has a script to log in to ECR using AWS role assumption with a session duration of 900 seconds, and it stores secrets in AWS Secrets Manager.

Tags: reporting, automation, google-spreadsheets, jira


8) Tool: beholder-terraform

Description: Configuration for deploying “beholder” project through Terraform.

Tags: terraform, config


9) Tool: cdn_finder

Description: This is a script to take zone files / DNS records, pull the CNAME, and determine what CDNs are in use based on the associated CNAME.

The script has an SSL certificate parser, but the data-pulling step is manual. It includes instructions on how to pull DNS records from Infoblox (a cloud product that runs DNS management services) and from AWS Route 53.

Tags: automation, cdn


10) Tool: cfn-templates

Description: Incomplete repository for AWS CloudFormation templates

Tags: aws, cloudformation


11) Tool: cloudflare-lambda

Description: A Lambda that continuously hits the Cloudflare API, pulls request logs, and pushes them to S3.

Cloudflare supports automated log archiving to S3 out of the box. It’s not clear why this approach was chosen instead of using the Cloudflare option.

Tags: cloudflare, logging, automation


12) Tool: cloudflare-parsing

Description: A script to parse CloudFlare logs into a format that is easier to read.

It supports two output formats: a custom JSON format, and a format that is easier to query with AWS Athena.

Tags: aws, athena, cloudflare, logging


13) Tool: cloudflare 2 elasticsearch

Description: A script to push Cloudflare logs from a local machine to Elasticsearch.

Tags: cloudflare, elasticsearch


14) Tool: codename-generator

Description: A script to generate code names through the “pycorpora” Python package.

Tags: miscs


15) Tool: contingent-auth-policies

Description: A repo that stores a single AWS policy.

The policy seems permissive and allows actions that can be insecure. It is also scoped to the “*” wildcard resource. It’s not clear to whom this policy is assigned.

Tags: aws


16) Tool: credentialchecker

Description: A Lambda app that checks leaked credentials against Twitch accounts for risk-calculation purposes; also called “Arstotzka”. It takes a list of breach dumps (email:password, username:password) and runs the data against Twitch users. It runs manually rather than at user login time against the stored hash, so it’s unclear how passwords are stored internally (are they stored in plain text, and is that what makes this tool possible?).

Tags: passwords, aws, s3, lambda, sqs


17) Tool: credentialchecker-vendor

Description: Vendor packages for credentialchecker build.

Tags: miscs


18) Tool: ctfd

Description: Clone of the CTFd public platform repository.

Tags: ctf


19) Tool: cwijulia-sandbox

Description: A security experiment to evaluate the accuracy of results provided by AWS ECR vulnerabilities feeds.

Part 1: Terraform code sets up a network on AWS. It creates EC2 instances, a VPC, route tables, and subnets through Terraform modules. Part 2: It deploys an ECR image that contains a vulnerable Cron package. Ideally, AWS ECR scans this image. The goal is to find out whether AWS ECR reports the vulnerable Cron package in its identified-vulnerabilities feed. This process is automated through several scripts.

Tags: research, aws, ecr, terraform, vulnerability


20) Tool: duo_logging

Description: CloudFormation configuration to configure a Lambda to write Duo Security logs to S3.

Tags: duo, lambda, aws, s3, cloudformation


21) Tool: duoauthproxy

Description: Duo Security Authentication proxy - Empty repository.

Tags: duo


22) Tool: duoauthproxy_build

Description: Duo Authentication Security - Build package.

Tags: duo


23) Tool: duoauthproxy-build

Description: Duo Authentication Security - Build package, made for Ubuntu.

Tags: duo


24) Tool: ephemeral cert

Description: A Golang package that generates self-signed TLS certificates and returns a tls.Certificate object, with a default common name of “localhost”.

Tags: tls, certificate, golang


25) Tool: fluxo

Description: A tool that fetches data from an Amazon service that appears to be a threat-intelligence source, and stores it in Jira and DynamoDB.

Tags: cti, ti, threat-intel, amazon, jira, aws, dynamo


26) Tool: go-audit

Description: Clone of the public go-audit repository.

Tags: golang, miscs


27) Tool: go-audit-build

Description: Build package for go-audit.

Tags: miscs


28) Tool: go-sirtbot

Description: A Slack bot written in Golang - seems incomplete.

Tags: golang, slack, automation


29) Tool: go-squid-duoauth

Description: Squid Go Authentication Helper. Deprecated project.

Tags: golang, duo-security, squid


30) Tool: go-ykpiv

Description: An internal fork of go-ykpiv. go-ykpiv is a Golang interface to manage Yubikeys, including a crypto.Signer & crypto.Decrypter interface.

The changes related to this package are within the build process.

Tags: golang, yubi-keys, crypto


31) Tool: golang-x-crypto

Description: A clone of Golang crypto libraries.

Tags: golang, crypto


32) Tool: gophish-config

Description: Minimal configurations for GoPhish server.

Tags: golang, gophish, config


33) Tool: gravitational-teleport

Description: Clone of Gravitational Teleport, a certificate authority and access plane for SSH, Kubernetes, web applications, and databases.

Tags: golang, kubernetes, teleport, rbac


34) Tool: gsuite-hourly

Description: A script that pulls logs from Google G Suite every hour and stores them in AWS S3.

Tags: gsuite, s3, logging


35) Tool: homebrew

Description: A Homebrew repository that hosts macOS software distributed by the security team.

Tags: macos, homebrew


36) Tool: hunts

Description: Threat Hunting playbooks. It consists of write-ups of running threat hunt activities for AWS, Duo Implementation, Command and Control activities, reverse TCP tunneling, and general suspicious activities.

Tags: threat-hunting, cti, aws, duo


37) Tool: Inquisitor

Description: A well-architected secrets discovery tool that can identify secrets within JIRA tickets and Git commits. It also integrates with alerting via modules, including standard screen logging, email alerting, and creating a ticket on Jira.

Tags: appsec, secret-detection, jira, git, automation


38) Tool: jupyterhub

Description: Shared notebook environment for SIRT.

Tags: jupyter, notebook


39) Tool: lambda-amazonsg

Description: Lambda function to manage security groups within AWS.

Tags: aws, lambda, security-groups


40) Tool: lambda-athenalert

Description: An AWS Lambda function that can automatically run an Athena query and raise an alert if there are any results. It is most useful when run on a cron via CloudWatch events.

Tags: aws, athena, cloudwatch, lambda


41) Tool: lambda-autocert

Description: A lambda function that automates the process of renewing TLS certificates from Let’s Encrypt using Route 53 and the ACME dns-01 challenge.

Tags: aws, lets-encrypt, lambda, tls


42) Tool: lambda-autosg

Description: An AWS Lambda function that allows dynamic security group egress rules based on DNS hostnames. It is most useful when invoked as a cron job at regular intervals (e.g. every minute) to update rules when a DNS record changes.

Tags: aws, lambda, automation, dns
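The reconciliation that a tool like lambda-autosg has to perform (resolve hostnames, compare the result with the rules it already owns, and emit the adds and removes) is shown below. This is an added example written for this write-up, not code from the Twitch repository. The resolver is injected so the example runs offline against constructed answers; applying the plan with the EC2 API (boto3 `authorize_security_group_egress` / `revoke_security_group_egress`) is assumed and not shown. The example also handles the failure mode a naive version gets wrong: a transient DNS failure must not revoke rules that were working a minute ago.

```python
"""Added example: reconciling security-group egress rules from DNS answers.

Illustrative code written for this write-up; it is not the source of the
Twitch "lambda-autosg" function. The resolver is injected so the example runs
offline. In a real Lambda you would resolve with socket.getaddrinfo and apply
the plan with the EC2 API (boto3 authorize_security_group_egress /
revoke_security_group_egress); that part is assumed, not shown.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable

Rule = tuple[str, int]            # (CIDR, TCP port)
Resolver = Callable[[str], list[str]]

# Never open egress to these ranges on the strength of a DNS answer: whoever
# controls a record we trust could otherwise point it at internal address space.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def stdlib_resolver(hostname: str) -> list[str]:
    """Resolve IPv4 A records through the OS resolver (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})


@dataclass
class Plan:
    state: dict[str, set[Rule]]                       # hostname -> rules we now own for it
    to_add: list[Rule] = field(default_factory=list)
    to_remove: list[Rule] = field(default_factory=list)
    stale: list[str] = field(default_factory=list)    # hosts whose lookup failed this run


def reconcile(targets: dict[str, list[int]], previous: dict[str, set[Rule]], resolve: Resolver) -> Plan:
    """Compute the egress rule changes needed so the group matches current DNS.

    targets  : hostname -> ports that should be reachable
    previous : rules this function created on the last run, keyed by hostname
    """
    state: dict[str, set[Rule]] = {}
    stale: list[str] = []
    for hostname, ports in targets.items():
        try:
            addrs = resolve(hostname)
        except OSError:
            addrs = []
        if not addrs:
            # Failure mode: a transient DNS error must not revoke working rules,
            # so keep last run's rules for this host and report it as stale.
            state[hostname] = set(previous.get(hostname, set()))
            stale.append(hostname)
            continue
        rules: set[Rule] = set()
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in BLOCKED_NETWORKS):
                continue
            rules.update((f"{ip}/32", port) for port in ports)
        state[hostname] = rules
    # Hosts dropped from `targets` still have rules in `previous`; those are removed.
    wanted = set().union(*state.values())
    owned = set().union(*previous.values())
    return Plan(state=state, to_add=sorted(wanted - owned), to_remove=sorted(owned - wanted), stale=stale)


# Constructed sample: documentation-range addresses, no real hosts are contacted.
SAMPLE_DNS = {
    "api.example.com": ["203.0.113.10", "203.0.113.11"],
    "metrics.example.com": [],                 # lookup returned nothing this run
    "vendor.example.net": ["10.20.30.40"],    # answer points into private space
}
SAMPLE_TARGETS = {"api.example.com": [443], "metrics.example.com": [443], "vendor.example.net": [8443]}
SAMPLE_PREVIOUS = {
    "api.example.com": {("203.0.113.9/32", 443)},       # old address, now rotated out
    "metrics.example.com": {("203.0.113.50/32", 443)},  # must survive the failed lookup
    "old.example.com": {("203.0.113.77/32", 8443)},     # no longer a target
}


def demo() -> Plan:
    return reconcile(SAMPLE_TARGETS, SAMPLE_PREVIOUS, lambda h: SAMPLE_DNS[h])


if __name__ == "__main__":
    plan = demo()
    print("add:", plan.to_add)
    print("remove:", plan.to_remove)
    print("stale:", plan.stale)
```

Two design points matter for the security of such a function. The per-hostname state is what lets a failed lookup leave existing rules alone instead of revoking them, and the blocked-network filter means a poisoned or mistaken DNS answer cannot be turned into egress towards RFC 1918 space.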


43) Tool: lambda-dogfish-sg

Description: An AWS Lambda function that consumes IP prefix information from Amazon Dogfish and writes them to a specified AWS security group.

Amazon Dogfish seems to be an internal Amazon service.

Tags: aws, lambda, dns, security-groups


44) Tool: lambda-teleportmon

Description: An internal service called “lambda-teleportmon”. Its purpose is unclear.

Tags: aws, lambda


45) Tool: maxmind-backup

Description: An AWS Lambda function that downloads the latest release of the Maxmind DB, and stores it in S3.

Tags: aws, s3, lambda, maxmind


46) Tool: nabu

Description: Twitch Security internal security scanner. It seems to be a work-in-progress and has not been completed. It’s also unclear what it will cover or detect.

Tags: appsec, security-scanning


47) Tool: naive

Description: A repository for collecting Regular expressions that can be useful in different scenarios. The repository seems empty.

Tags: appsec, regex


48) Tool: netscrape

Description: A repository that hosts Cloudformation config. It’s described as a place to hold source code and other assets for the Netscrape campaign.

Tags: cloudformation


49) Tool: nice

Description: Nice is a suite of security-oriented static analysis tools for Go. It uses the go/analysis framework to run static code analysis on Golang code.

Tags: golang, sast


50) Tool: notebook-template

Description: Notebook template for threat hunting

Tags: cti, threat-hunting


51) Tool: notebooks

Description: Another repository of notebooks for threat hunting. It covers machine-level checks, including device encryption, and checks for unmanaged devices.

Tags: cti, threat-hunting


52) Tool: nuget-security

Description: NuGet Package provided by Twitch Application Security.

It uses the external project https://github.com/security-code-scan/security-code-scan and the security rules of https://github.com/dotnet/roslyn-analyzers.

This is a C# and VB.NET static code analyzer that detects security vulnerabilities, including SQLi, RCE, XSS, etc. It also supports running within the CI pipeline and performs its scanning through taint analysis of input data.

Tags: ci, vb.net, c-sharp, static-code-analysis


53) Tool: odds-n-ends

Description: A general repository for Security snippets. It includes one script that pulls SalesForce event logs and dumps logs into S3.

Tags: salesforce, automation, s3


54) Tool: opentoken

Description: This is a Go library that can encrypt and decrypt OpenTokens.

It is based on this RFC: https://tools.ietf.org/html/draft-smith-opentoken-02

OpenToken used to be a popular protocol for transmitting secure tokens.

Tags: opentoken, open-token, auth, golang


55) Tool: organizations-guardduty

Description: A Python script that enables AWS GuardDuty and sends its logs to S3 so they can be easily monitored. Configuring this correctly is not a straightforward process; the script automates the majority of the steps, from enabling GuardDuty to operationalizing its logging.

Tags: aws, guardduty, s3, continuous-monitoring, alerting


56) Tool: osiris

Description: Osiris is a library for building and deploying serverless web apps on Amazon Web Services, with a focus on simplicity and ease of use. It provides a simple way to build the application and tools to deploy it to AWS.

An application built with Osiris is deployed to AWS as a Lambda function and an API Gateway API. Configuration is generated for CloudFormation to define the application resources.

This repository includes configurations for app deployments within Twitch Security.

Tags: osiris, aws


57) Tool: osiris-admin

Description: A bash script to automate the management of osiris.

Tags: osiris, automation


58) Tool: osiris-app

Description: A deployment configuration for osiris.

Tags: osiris, automation


59) Tool: osiris-config

Description: Configuration for deploying Osiris through AWS CloudFormation.

Tags: osiris, automation, cloudformation


60) Tool: osiris-debs3-proxy

Description: Empty repository.

Tags: osiris


61) Tool: osiris-health

Description: Osiris health check script.

Tags: osiris


62) Tool: osiris-pki-server

Description: Internal PKI server that covers Duo Security, and YubiKey

Tags: osiris, duo-security, yubi-key


63) Tool: osiris-registration

Description: This is a Lambda function that automates the registration process for a new Osiris stack instance. It primarily manages the DNS delegation process, subject to the requisite authorization checks (which are stored in a DynamoDB table).

Tags: osiris, aws, lambda


64) Tool: osiris-selfservice

Description: Empty repository.

Tags: osiris


65) Tool: osiris-static-site

Description: CloudFormation template to deploy static sites through Osiris.

Tags: osiris


66) Tool: osiris-update-stack

Description: Lambda function for scheduled updates of the Osiris CloudFormation stack.

Tags: osiris


67) Tool: osiris-v2

Description: A deprecated repository.

Tags: osiris


68) Tool: osiris-yubikey-client

Description: This is the client for the osiris-pki-server, with a focus on issuance of certificates for Yubikeys.

Tags: osiris, yubi-key


69) Tool: ovpnmetrics

Description: This python script scrapes metrics from OpenVPN Access Server (using the local SQLite log database) and writes them to graphite.

Tags: openvpn, graphite


70) Tool: pandora-mvp

Description: An internal project that uses SSM, S3, and EC2 APIs.

Tags: aws, s3, ec2, ssm


71) Tool: pandora-prototype

Description: Testing repository with CloudFormation configuration.

Tags: cloudformation


72) Tool: password-exploration

Description: An experiment that hosts passwords from the 000webhost, antipublic_combo, and exploit.in database leaks. It uses AWS Athena and S3 to store the datasets. The playbook shows queries for finding Twitch employee accounts that appear in the leaked datasets.

Tags: database-leaks, passwords, aws, athena


73) Tool: rpm-s3

Description: A Clone of https://github.com/crohr/rpm-s3 that is made to work with the newer Python boto3 library.

Tags: rpm, aws, s3


74) Tool: secretsurfer

Description: A secret detection tool that scans Git commit history for secrets and reports whenever it finds one. It can validate specific findings for AWS credentials, Slack webhooks, and Twitch OAuth tokens.

It seems that Twitch has invested significant effort in multiple tools for detecting leaked secrets at scale. This is not the only internally developed secrets detection tool.

Tags: secret-detection
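Both Inquisitor (entry 37) and secretsurfer (entry 74) walk commit history rather than only the current tree, because a secret that was committed and later deleted is still recoverable from git. The following is an added example written for this write-up, not code from either Twitch repository, showing the core of such a scanner: format patterns for well-known credential types, an entropy check to separate real tokens from long but predictable strings, and a redacted report so the scanner does not re-leak what it finds. The commit history is a constructed in-memory list using documentation placeholder values; in practice the added lines would come from `git log -p` or a git library.

```python
"""Added example: scanning a git history for leaked secrets.

Illustrative code written for this write-up; it is not from the Twitch
"Inquisitor" or "secretsurfer" repositories. The commit history is a
constructed in-memory list so the script runs offline.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Public formats: AWS access key IDs are "AKIA" + 16 uppercase alphanumerics;
# Slack incoming webhooks live under hooks.slack.com/services/T.../B.../...
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "slack_webhook": re.compile(r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Heuristic: a secret-looking variable assigned a long value; confirmed by entropy.
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|api[_-]?key)[A-Za-z_]*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
)
ENTROPY_THRESHOLD = 3.5   # bits per character; random tokens exceed this, repeated words do not


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    line_no: int
    kind: str
    redacted: str   # first characters only; the report must not re-leak the secret


def redact(value: str) -> str:
    return f"{value[:6]}...({len(value)} chars)"


def scan_added_lines(commit: str, path: str, lines: list[str]) -> list[Finding]:
    findings = []
    for no, line in enumerate(lines, 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(commit, path, no, kind, redact(m.group(0))))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(commit, path, no, "high_entropy_assignment", redact(m.group(2))))
    return findings


def scan_history(history: list[dict]) -> list[Finding]:
    """history items look like {"commit": sha, "path": file, "added": [lines]}.

    Every commit is scanned, not just HEAD: a secret deleted in a later commit
    is still in the object store, which is the reason history scanners exist.
    """
    out = []
    for change in history:
        out.extend(scan_added_lines(change["commit"], change["path"], change["added"]))
    return out


# Constructed sample history. Values are documentation placeholders, not live credentials.
SAMPLE_HISTORY = [
    {"commit": "a1b2c3d", "path": "config/settings.py", "added": [
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
        'DEBUG = False',
    ]},
    {"commit": "b2c3d4e", "path": "scripts/notify.sh", "added": [
        'WEBHOOK="https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"',
    ]},
    {"commit": "c3d4e5f", "path": "tests/fixtures.py", "added": [
        'password = "passwordpasswordpassword"',   # long but low entropy: not flagged
        'api_key = "kq9V2mX7pL4nR8wT3yB6zC1dF5gH0j"',
    ]},
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.commit} {f.path}:{f.line_no} {f.kind} {f.redacted}")
```

The entropy gate is what keeps a scanner like this usable: the `password = "passwordpasswordpassword"` fixture matches the assignment pattern but scores about 2.75 bits per character and is skipped, while the two placeholder AWS values and the random-looking API key are reported. A production tool adds what the page describes for secretsurfer, namely validating each candidate against the issuing service before it opens a ticket.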


75) Tool: securitycenter-jira

Description: This repository contains Twitch v1.0.0 of the Tenable SecurityCenter-JIRA integration originally written by Tenable Network Security.

The official release by Tenable was v1.1.1, which has been archived and is available in the security/securitycenter-jira-archive repository for historical knowledge.

The project ingests findings from Tenable and stores them as JIRA tickets for tracking vulnerabilities.

Tags: jira, tenable, security-scanning


76) Tool: securitycenter-jira-archive

Description: An archive of securitycenter-jira.

Tags: jira, tenable, security-scanning


77) Tool: shuffle

Description: Shuffle is a small piece of automation that makes OpenVPN ACL changes. It is useful when a service’s IP addresses change.

It is made of two components: a Lambda function and an applier script. The Lambda function triggers the applier script via AWS Systems Manager.

Tags: aws, lambda, openvpn


78) Tool: sift-aws

Description: SIFT AMI for Twitch SIRT. This is a collection of Ansible playbooks that builds and provisions a SIFT workstation.

The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings.

Tags: sift, forensics, ansible


79) Tool: sirt_alerts

Description: A Git repository of SIRT alerts and playbooks. It seems to be categorized according to the MITRE ATT&CK framework. It also covers playbooks for several TTPs on macOS, Windows and AWS.

Tags: mitre, att&ck, ttps, macos, windows, aws, incident-response


80) Tool: sirt_alerts_archive

Description: A Git repository that seems to be an archive of sirt_alerts. It covers a large number of playbooks and incidents detection write-ups.

Tags: mitre, att&ck, ttps, macos, windows, aws, incident-response


81) Tool: sirt_lookup_tables

Description: Several CSV files that act as lookup tables. They include files for TOR exit nodes, URLhaus malicious URLs, Pacu user agents, malicious Chrome extensions, and low-reputation IPs.

This seems to be used in threat detection.

Tags: threat-detection, cti, tor, urlhaus
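Lookup tables of this kind only become detections when they are joined against telemetry. The following is an added example written for this write-up, not content from the Twitch sirt_lookup_tables repository, showing that join over CloudTrail-style events: a CSV of indicators (exact IPs, CIDR ranges, and user-agent strings) is loaded once and every event's `sourceIPAddress` and `userAgent` is matched against it. Both the lookup CSV and the event records are constructed inline (documentation-range IPs, a made-up tool user agent standing in for the Pacu entries), so the script runs offline; the CloudTrail field names are the real ones.

```python
"""Added example: matching CloudTrail-style events against CSV lookup tables.

Illustrative code written for this write-up; it is not the Twitch
"sirt_lookup_tables" content. Lookup CSVs and event records are constructed
inline (documentation-range IPs, made-up user agents) so it runs offline.
"""
import csv
import io
import ipaddress
import json
from dataclasses import dataclass

# Constructed lookup table in an "indicator,category,source" layout.
LOOKUP_CSV = """indicator,category,source
203.0.113.5,tor_exit_node,constructed-tor-list
198.51.100.0/24,low_reputation_ip,constructed-reputation-feed
ExampleToolkit/1.0,offensive_tool_user_agent,constructed-ua-list
"""

# Constructed CloudTrail-like records using real CloudTrail field names.
EVENTS_JSONL = """\
{"eventTime":"2021-10-06T10:00:00Z","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.5","userAgent":"aws-cli/2.2.0","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventTime":"2021-10-06T10:00:05Z","eventName":"ListBuckets","sourceIPAddress":"192.0.2.44","userAgent":"ExampleToolkit/1.0","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"}}
{"eventTime":"2021-10-06T10:01:00Z","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.23","userAgent":"console.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::123456789012:role/ops"}}
{"eventTime":"2021-10-06T10:02:00Z","eventName":"DescribeInstances","sourceIPAddress":"192.0.2.10","userAgent":"aws-cli/2.2.0","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
"""


@dataclass(frozen=True)
class Lookup:
    exact_ips: dict[str, tuple[str, str]]
    networks: list[tuple[ipaddress.IPv4Network, str, str]]
    user_agents: dict[str, tuple[str, str]]


def load_lookup(csv_text: str) -> Lookup:
    """Split indicators into exact IPs, CIDR ranges and user-agent strings."""
    exact, nets, uas = {}, [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ind, cat, src = row["indicator"], row["category"], row["source"]
        if cat.endswith("user_agent"):
            uas[ind] = (cat, src)
        elif "/" in ind:
            nets.append((ipaddress.ip_network(ind), cat, src))
        else:
            exact[ind] = (cat, src)
    return Lookup(exact, nets, uas)


@dataclass(frozen=True)
class Alert:
    event_time: str
    actor: str
    event_name: str
    matched: str
    category: str
    source: str


def match_event(event: dict, lookup: Lookup) -> list[Alert]:
    alerts = []
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    base = (event["eventTime"], actor, event["eventName"])
    ip = event.get("sourceIPAddress", "")
    if ip in lookup.exact_ips:
        cat, src = lookup.exact_ips[ip]
        alerts.append(Alert(*base, ip, cat, src))
    else:
        try:
            addr = ipaddress.ip_address(ip)
            for net, cat, src in lookup.networks:
                if addr in net:
                    alerts.append(Alert(*base, ip, cat, src))
                    break
        except ValueError:
            pass  # CloudTrail also records service principals such as "ec2.amazonaws.com" here
    ua = event.get("userAgent", "")
    if ua in lookup.user_agents:
        cat, src = lookup.user_agents[ua]
        alerts.append(Alert(*base, ua, cat, src))
    return alerts


def run_detection(jsonl: str, lookup: Lookup) -> list[Alert]:
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alerts.extend(match_event(json.loads(line), lookup))
    return alerts


def demo() -> list[Alert]:
    return run_detection(EVENTS_JSONL, load_lookup(LOOKUP_CSV))


if __name__ == "__main__":
    for a in demo():
        print(f"{a.event_time} {a.actor} {a.event_name}: {a.matched} is {a.category} ({a.source})")
```

Carrying the `source` column through to the alert is deliberate: when an indicator feed goes stale or starts producing false positives, the analyst needs to know which table fired without re-running the match.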


82) Tool: sirt_range_dev

Description: Empty repository.

Tags: empty


83) Tool: sirt-520

Description: sirt-520 contains a single HTML/JavaScript file with no details. Reading the code, it appears to be a piece of malware that acts as a wormable payload: it pulls contacts from Google Contacts and then sends malicious emails to them. The TTP used here is novel. The URL sent to contacts is an authorization page for a Google app, where the app is authorized to read emails and contacts.

The concept bypasses Google’s safe-URL checks because the URL shared in the email points to https://accounts.google.com.

Tags: phishing, TTP, google-apps, gsuite, exploit


84) Tool: sirt-detection-ec2-instances

Description: This repository contains provisioning scripts that initialize Windows and macOS machines and install detection agents. The detection agents used in the scripts are: CrowdStrike Falcon and Uptycs.

It uses Terraform to deploy the machines, Bash for the macOS machines, and PowerShell for the Windows machines.

Tags: crowdstrike, uptycs, aws, terraform, ec2


85) Tool: sirt-dns_report

Description: This script is made for continuous monitoring of Twitch’s DNS infrastructure. Twitch has a service called “changelog” that contains Twitch’s DNS records and can be queried through a REST API.

The script pulls the full changelog and sends an alert for any changes to the Twitch Security email address, which automatically creates a JIRA ticket from the email.

Tags: jira, email, smtp, dns, infrasec


86) Tool: sirt-gophish

Description: Re-deployable gophish infra for SIRT to run phishing exercises. It also includes Terraform code for deploying gophish with all the required configuration.

Tags: gophish, phishing, golang, terraform


87) Tool: sirt-jira-issue-escalator

Description: A Lambda function that pulls data from JIRA through a JQL query that fetches tickets not marked as “Done”, and then pushes metrics to CloudWatch.

Tags: cloudwatch, jira


88) Tool: SIRT-JiraBot

Description: JiraBot is modeled after Dropbox’s SecurityBot https://github.com/dropbox/securitybot.

It includes JQL queries and interactive Slack messages.

The purpose of the tool is to allow interaction with security projects on JIRA. It runs on AWS Lambda.

Tags: jira, securitybot, slack, aws, lambda


89) Tool: sirt-jirahandler

Description: An incomplete project. It manages Jira tickets through the Jira Python library.

Tags: jira


90) Tool: sirt-misp-cdk

Description: CloudFormation port of a MISP deployment in Pulumi. A work-in-progress project.

Tags: pulumi, cloudformation


91) Tool: sirt-pulumi

Description: A customized version of https://github.com/MISP/misp-docker.

Tags: misp, docker, pulumi


92) Tool: sirt-report

Description: A script that pulls open incidents from JIRA and sends them by email to the Twitch Security team as a report.

Tags: jira, incident-response, reporting


93) Tool: sirtbot

Description: A Slack bot based on a fork of https://github.com/lins05/slackbot.

Tags: slack


94) Tool: SIRTGuardDutyRole-cloudformation

Description: A CloudFormation configuration that enables Twitch SIRT to access GuardDuty in the target account.

Tags: aws, guardduty, cloudformation


95) Tool: sirtjira

Description: Another library to interact with Jira. It has the capability to create issues, manage issues, add comments, and other similar features.

Tags: jira


96) Tool: sirtlib

Description: An automation Python library to interact with Splunk, Uptycs, Amazon Anamoli (Internal Amazon Security service), and Salesforce IDM.

Tags: python, splunk, amazon, salesforce, uptycs


97) Tool: slaughter_bot

Description: An automation bot that can send emails, pull open risks and incidents from Jira, and put them into a spreadsheet.

Tags: spreadsheet, jira, email


98) Tool: sonarvet

Description: A report parser for SonarQube written in Golang.

Tags: sonarqube


99) Tool: spark_from_athena_uptycs

Description: A script to generate queries for AWS Spark and AWS Glue. It seems to use AWS Athena and Uptycs for the queries.

Tags: aws, athena, aws-athena, aws-spark, aws-glue, uptycs


100) Tool: splunk-hec-go

Description: Splunk HEC Golang Library. It’s a forked version of https://github.com/fuyufjh/splunk-hec-go.

Tags: splunk


101) Tool: splunk-saved-searches

Description: Repository to manage the configuration for saved searches/alerting in Splunk to be integrated with an automated deployment lambda function.

Tags: splunk, incident-response


102) Tool: squidmetrics

Description: Squid statsd publisher. This python script scrapes metrics from Squid (using the local manager interface) and writes them to statsd/statsite.

Tags: squid, metrics


103) Tool: ssm-logging-enrollment

Description: A simple script to enable CloudWatch logging for SSM Session Manager.

Tags: aws, cloudwatch, ssm, session-manager, logging


104) Tool: subdomain_checker

Description: Subdomain Takeover Checker. It checks whether a list of sites is vulnerable to an S3 bucket or CloudFront CNAME hijack.

It has a feature to automatically claim dangling CloudFront distributions and AWS S3 bucket names that nobody has claimed yet, so that the dangling records point at Twitch-controlled resources.

Tags: aws, subdomain-takeover, s3, cloudfront


105) Tool: tails

Description: Empty repository.

Tags: empty


106) Tool: takeover_check

Description: SIRT Takeover DNS Checker. Sweeps across domains to find subdomain takeover vulnerabilities.

It checks for AWS Beanstalk, CloudFront, S3, and signs of misconfiguration.

Tags: aws, cloudfront, s3, subdomain-takeover


107) Tool: teleport

Description: Teleport configuration repository.

Tags: teleport


108) Tool: teleport-configuration

Description: Teleport Configuration. This repository contains configuration files in YAML format for Teleport.

Tags: teleport


109) Tool: teleport-dashboard

Description: Teleport dashboard.

Tags: teleport


110) Tool: teleport-dns-guardian

Description: Teleport DNS Guardian. A small Python utility intended to be run as an AWS Lambda function. It can be used as part of a DNS round robin load balancing setup to keep the list of IPs in the DNS record updated based on Consul. It’s best to run once per minute.

Tags: teleport


111) Tool: teleport-enterprise-build

Description: Teleport Enterprise package builder.

Tags: teleport


112) Tool: teleport-remote

Description: This includes the components to build and manage remote Teleport clusters.

Tags: teleport


113) Tool: teleport-util

Description: This contains utilities used for managing or automating the Teleport deployment at Twitch.

Tags: teleport


114) Tool: terraform

Description: Security-related Terraform configuration.

Tags: terraform


115) Tool: tf-asg

Description: A Terraform module to create and manage autoscaling groups.

Tags: terraform


116) Tool: tf-lambda-dogfish-sg

Description: Terraform module to manage “dogfish” project.

Tags: terraform


117) Tool: tf-teleport

Description: Terraform module for setting up teleport.

Tags: terraform


118) Tool: tf-teleport-auth-lb

Description: Terraform module that creates a network loadbalancer for Teleport auth service.

Tags: terraform


119) Tool: tf-teleport-dns-guardian

Description: Terraform module for setting up a lambda function to manage Teleport’s DNS round robin records.

Tags: terraform


120) Tool: threat-modeling

Description: A repository that hosts a threat-modeling diagram, built with PlantUML, covering a portion of Twitch’s threat model.

Tags: threat-modeling


121) Tool: tshproxy

Description: This is a shim meant to wrap tsh and ssh for use in a ProxyCommand. It primarily exists to automatically install or renew an SSH certificate if it is expired or doesn’t exist.

Tags: ssh, proxy


122) Tool: twitch-bastion-util

Description: This script automates the client-side configuration steps for the Twitch Bastion (an internal service). Specifically, it installs the Teleport client software and configures the SSH client to access production via a bastion host.

Tags: teleport


123) Tool: twitch-glitch-bot

Description: Slack bot that interacts with Jira, Slack and PagerDuty.

Tags: pagerduty, slack, jira


124) Tool: twitch-public-s3-bucket

Description: A CloudFormation template that provisions an internal S3 bucket.

Tags: s3, aws, cloudformation


125) Tool: TwitchyOmega

Description: A forked version of https://github.com/FelisCatus/SwitchyOmega.

Tags: proxy, SwitchyOmega, chrome, chrome-extension


126) Tool: UbuntuVulnData

Description: A report parser tool that contextualizes vulnerability reports on Ubuntu AMIs that are not enriched with additional vulnerability details.

Tags: vulnerability-management


127) Tool: vacation-calendar

Description: A Google Suite App that syncs team calendar when a member takes a vacation.

Tags: google-suite, gsuite, automation, productivity


128) Tool: wireguard-gateway

Description: WireGuard gateway: a framework to set up a full WireGuard infrastructure on AWS.

Tags: wireguard


129) Tool: yeti-infra

Description: An incomplete project. It’s a Terraform module for deploying the YETI threat-intelligence project.

Tags: terraform, threat-intelligence



Final Thoughts

Twitch Security invested thousands of hours in building its security tools and security program. I consider the internally developed tools to be advanced, well thought out, and built for excellent use cases. At the time of writing, Twitch has not yet released a postmortem about the breach, how it happened, or its technical details.

Although the leaked security data covers the tools, it doesn’t cover the security architecture or the details of the security program. It’s hard to reach a definite conclusion about how the breach could have happened.

I can see that there is less focus on tools for identity management and access control. I also cannot see tools or references for automating SAST within the CI pipeline. Asset discovery is done well, but I cannot see AWS-specific checks for validating AWS policies and role-based access.

Judging from the developed tools, continuous security scanning from an AppSec perspective seems limited. It’s possible that Twitch runs COTS tools instead of building tools internally, but this is also unclear, as I haven’t seen ingestion for commercial DAST tools.

The Twitch breach acts as a reality check for organizations and companies that are building their security programs. The possibility of a breach is always there, and organizations can take the next step by working on “assume-breach” playbooks and building additional security controls into their programs.

About FullHunt.io

FullHunt is the Next-Generation Attack Surface Management Platform. FullHunt enables companies to discover all of their attack surfaces, monitor them for exposure, and continuously scan them for the latest security vulnerabilities and risks. We help companies around the world secure their external attack surface using our technologies that are scanning millions of Internet-connected assets and cloud resources.

Are you an enterprise that is looking to build security for its External Attack Surface? Please reach out to us at fullhunt.io, and we will be happy to solve your challenges.

References

  1. https://www.bbc.com/news/technology-58817658
  2. https://www.theverge.com/2021/10/6/22712365/twitch-data-leak-breach-security-confirmation-comments
  3. https://www.nytimes.com/2021/10/06/technology/twitch-data-breach.html
Mazin Ahmed
