Twitch Internal Security Tools: In-depth Analysis of the Leaked Twitch Security Tools

- 27 mins

How Twitch was hacked? What security controls did Twitch build?

The Twitch breach revealed more than 120 internal security tools developed by the Twitch security team.

I analyzed all the leaked security tools that were developed by Twitch Security. Check out the full research.

Background

Twitch is an interactive live-streaming service for content, gaming, entertainment, sports, and music. In 2015, Amazon acquired Twitch for $970 million, and after COVID-19 time, its market value skyrocketed as more people adapted live-streaming from home.

On October 6, 2021, it was announced that Twitch suffered a massive data breach that leaked their source-code, internal databases, revenue documents, and payouts documents of their members.

The security tools of Twitch were leaked during the breach. Twitch Security has clearly invested a lot of time and effort in building its security program. This can be seen from the tools published on the Internet; the majority of companies with mature security programs today do not have 50% of what Twitch security internally built over the years.

I analyzed all the security tools written by Twitch security. I thoroughly reviewed the source code, configurations, build config process, and everything that has been leaked and became public knowledge on the Internet within the breach.

In this blog post, I’m analyzing all the security tools that Twitch security built within their security program. I’m also tagging them based on the use case, services, and categories. This research should act as a reference to learn how modern security teams build their programs, and to hopefully get inspired into enhancing currently-running security programs.

At the end of the blog post, I will share my thoughts on the breach, how I feel about it, and what could have been done by Twitch to handle this breach in better ways.


Table of Contents

  1. Background
  2. Leaked Tools
  3. Final Thoughts
  4. References

Who Am I?

I’m a cyber security engineer that specializes in AppSec, InfraSec and building security programs. Read more about my previous work at mazinahmed.net. I also built FullHunt.io, Stressful.io, tfquery, and few open-source security tools.


Leaked Tools

1) Tool: agentconn

Description: A simple Go package to open an ssh-agent socket.

Tags: script, package


2) Tool: apache-pf-deb-build

Description: Apache PingFederate Module Deb Package Builder.

PingFederate is an enterprise federation server that enables user authentication and single sign-on. It serves as a global authentication authority that allows employees, customers, and partners to securely access all the applications they need from any device.

This module is a builder for integrating PingFederate with Apache.

Tags: apache, authentication, authorization, pingfederate


3) Tool: AWS-Cloudtrail-Security-Configs

Description: Miscellaneous scripts for configuring AWS cloudtrails

Tags: aws, cloudtrails, config


4) Tool: AWS-Cloudtrail-Security-tform

Description: This is the terraform version of the configuration at AWS-Cloudtrail-Security-Configs.

Tags: terraform, aws, cloudtrails, config


5) Tool: bastion-squid-build

Description: A patch file for Squid config that is used on “Bastions” service.

Tags: squid, config


6) Tool: bastionmetrics

Description: An old script that pushes logs from a service called “Bastions”.

Tags: logging, automation


7) Tool: beholder

Description: An internal Python Flask app for Security to run reports against Jira and Google Sheets to get team program reports and metrics.

It also has a script to login to ECR using AWS aws role-assume with the duration of 900 seconds, and stores secrets within AWS Secrets Manager.

Tags: reporting, automation, google-spreadsheets, jira


8) Tool: beholder-terraform

Description: Configuration for deploying “beholder” project through Terraform.

Tags: terraform, config


9) Tool: cdn_finder

Description: This is a script to take zone files / DNS records, pull the CNAME, and determine what CDNs are in use based on the associated CNAME.

The script has an SSL certificate parser, but the data pulling capability is manual. It has instructions on how to pull DNS records from Infoblox (a cloud product that runs DNS management services), and AWS Route53

Tags: automation, cdn


10) Tool: cfn-templates

Description: Incomplete repository for AWS CloudFormation templates

Tags: aws, cloudformation


11) Tool: cloudflare-lambda

Description: A Lambda that continuously hits CloudFlare API, pulls requests logs, and pushes it to S3.

CloudFlare supports by default automated archiving to S3. It’s not clear why this option was made instead of using the CloudFlare option.

Tags: cloudflare, logging, automation


12) Tool: cloudflare-parsing

Description: A script to parse CloudFlare logs into a format that is easier to read.

It supports two formats, custom JSON format, and another format that is easier to use with AWS Athena.

Tags: aws, athena, cloudflare, logging


13) Tool: cloudflare 2 elasticsearch

Description: A script to push Cloudflare logs from a local machine to Elasticsearch.

Tags: cloudflare, elasticsearch


14) Tool: codename-generator

Description: A script to generate code names through the “pycorpora” Python package.

Tags: miscs


15) Tool: contingent-auth-policies

Description: A repo that stores a single AWS policy.

The policy seems to be permissive and allows actions that can be insecure. Also, it’s set to “*” wildcard resources. It’s not clear who has this policy assigned to.

Tags: aws


16) Tool: credentialchecker

Description: A lambda app that checks for leaked credentials against Twitch for risk calculation purposes. Also called “ Arstotzka”. It takes a list of breach lists (email:password, username:password), and runs the data against Twitch users. It runs manually; not when a user-logged in against the hash, so it’s unclear how passwords are stored internally (is it stored in plain text? that’s why this tool is made possible?).

Tags: passwords, aws, s3, lambda, sqs


17) Tool: credentialchecker-vendor

Description: Vendor packages for credentialchecker build.

Tags: miscs


18) Tool: ctfd

Description: Clone of the CTFd public platform repository.

Tags: ctf


19) Tool: cwijulia-sandbox

Description: A security experiment to evaluate the accuracy of results provided by AWS ECR vulnerabilities feeds.

Part 1: Terraform code is made to set up a network on AWS. It sets up EC2, VPC, route tables, and subnets through Terraform modules. Part 2: It deploys an ECR image that has a vulnerable Cron package. This image will be ideally scanned by AWS ECR. The goal is to find if AWS ECR will report the vulnerable Cron package through its identified vulnerabilities feeds. This process is automated through different scripts.

Tags: research, aws, ecr, terraform, vulnerability


20) Tool: duo_logging

Description: CloudFormation configuration to configure a Lambda to write Duo Security logs to S3.

Tags: duo, lambda, aws, s3, cloudformation


21) Tool: duoauthproxy

Description: Duo Security Authentication proxy - Empty repository.

Tags: duo


22) Tool: duoauthproxy_build

Description: Duo Authentication Security - Build package.

Tags: duo


23) Tool: duoauthproxy-build

Description: Duo Authentication Security - Build package, made for Ubuntu.

Tags: duo


24) Tool: ephemeral cert

Description: A Golang package to generate self-signed TLS certificates and return tls.Certificate object with a default common name to “localhost”.

Tags: tls, certificate, golang


25) Tool: fluxo

Description: A tool to fetch data from an Amazon service that seems to be for threat intelligence, and stores it on Jira and Dynamodb.

Tags: cti, ti, threat-intel, amazon, jira, aws, dynamo


26) Tool: go-audit

Description: Clone of the public go-audit repository.

Tags: golang, miscs


27) Tool: go-audit-build

Description: Build package for go-audit.

Tags: miscs


28) Tool: go-sirtbot

Description: A Slack bot written in Golang - seems incomplete.

Tags: golang, slack, automation


29) Tool: go-squid-duoauth

Description: Squid Go Authentication Helper. Deprecated project.

Tags: golang, duo-security, squid


30) Tool: go-ykpiv

Description: An internal fork of go-ykpiv. go-ykpiv is a Golang interface to manage Yubikeys, including a crypto.Signer & crypto.Decrypter interface.

The changes related to this package are within the build process.

Tags: golang, yubi-keys, crypto


31) Tool: golang-x-crypto

Description: A clone of Golang crypto libraries.

Tags: golang, crypto


32) Tool: gophish-config

Description: Minimal configurations for GoPhish server.

Tags: golang, gophish, config


33) Tool: gravitational-teleport

Description: Clone for Gravitational Teleport, Certificate authority and access plane for SSH, Kubernetes, web applications, and databases.

Tags: golang, kubernetes, teleport, rbac


34) Tool: gsuite-hourly

Description: A script that pulls logs from Google Gsuite every hour, and store it into AWS S3.

Tags: gsuite, s3, logging


35) Tool: homebrew

Description: a Homebrew repository that hosts macOS software distributed by the security team.

Tags: macos, homebrew


36) Tool: hunts

Description: Threat Hunting playbooks. It consists of write-ups of running threat hunt activities for AWS, Duo Implementation, Command and Control activities, reverse TCP tunneling, and general suspicious activities.

Tags: threat-hunting, cti, aws, duo


37) Tool: Inquisitor

Description: A well-architectured secrets discovery tool that can identify secrets within JIRA tickets and Git commits. It also has an integration with alerting via modules, including standard screen logging, email alerting, and creating a ticket on Jira.

Tags: appsec, secret-detection, jira, git, automation


38) Tool: jupyterhub

Description: Shared notebook environment for SIRT.

Tags: jupyter, notebook


39) Tool: lambda-amazonsg

Description: Lambda function to manage security groups within AWS.

Tags: aws, lambda, security-groups


40) Tool: lambda-athenalert

Description: An AWS Lambda function that can automatically run an Athena query and raise an alert if there are any results. It is most useful when run on a cron via CloudWatch events.

Tags: aws, athena, cloudwatch, lambda


41) Tool: lambda-autocert

Description: A lambda function that automates the process of renewing TLS certificates from Let’s Encrypt using Route 53 and the ACME dns-01 challenge.

Tags: aws, lets-encrypt, lambda, tls


42) Tool: lambda-autosg

Description: An AWS Lambda function that can allow for dynamic security group egress rules based on DNS hostnames. It is most useful when invoked as a con job at regular intervals (e.g. 1 minute) to update rules when a DNS record changes.

Tags: aws, lambda, automation, dns


43) Tool: lambda-dogfish-sg

Description: An AWS Lambda function that consumes IP prefix information from Amazon Dogfish and writes them to a specified AWS security group.

Amazon Dogfish seems to be an internal Amazon service.

Tags: aws, lambda, dns, security-groups


44) Tool: lambda-teleportmon

Description: An internal service called “lambda-teleportmon”. It’s unclear on what the purpose of the service is.

Tags: aws, lambda


45) Tool: maxmind-backup

Description: An AWS Lambda function that downloads the latest release of the Maxmind DB, and stores it in S3.

Tags: aws, s3, lambda, maxmind


46) Tool: nabu

Description: Twitch Security internal security scanner. It seems to be a work-in-progress and has not been completed. It’s also unclear what it will cover or detect.

Tags: appsec, security-scanning


47) Tool: naive

Description: A repository for collecting Regular expressions that can be useful in different scenarios. The repository seems empty.

Tags: appsec, regex


48) Tool: netscrape

Description: A repository that hosts Cloudformation config. It’s described as a place to hold source code and other assets for the Netscrape campaign.

Tags: cloudformation


49) Tool: nice

Description: Nice is a suite of security-oriented static analysis tools for Go. It uses go/analysis framework to run static code analysis on Golang code.

Tags: golang, sast


50) Tool: notebook-template

Description: Notebook template for threat hunting

Tags: cti, threat-hunting


51) Tool: notebooks

Description: Another repository of notebooks for threat hunting. It covers machine-level checks, including device encryption, and checks for unmanaged devices.

Tags: cti, threat-hunting


52) Tool: nuget-security

Description: NuGet Package provided by Twitch Application Security.

Uses external project https://github.com/security-code-scan/security-code-scan) and the security rules of https://github.com/dotnet/roslyn-analyzers.

This is a C# and VB.NET static code analyzer that allows the detection of security vulnerabilities, including SQLI, RCE, XSS, etc. It also supports running within the CI pipeline and does its scanning through taint analysis for input data.

Tags: ci, vb.net, c-sharp, static-code-analysis


53) Tool: odds-n-ends

Description: A general repository for Security snippets. It includes one script that pulls SalesForce event logs and dumps logs into S3.

Tags: salesforce, automation, s3


54) Tool: opentoken

Description: This is a Go library that can encrypt and decrypt OpenTokens.

It is based on this RFC: https://tools.ietf.org/html/draft-smith-opentoken-02

OpenToken used to be a popular protocol for transmitting secure tokens.

Tags: opentoken, open-token, auth, golang


55) Tool: organizations-guardduty

Description: A Python script that enables AWS Guardduty, and sends logs into S3, so it can be easily monitored. By default, it’s not a straightforward process to configure this correctly, this script helps automate the majority of steps from enabling the operationalizing of logging for Guarduty.

Tags: aws, guardduty, s3, continuous-monitoring, alerting


56) Tool: osiris

Description: Osiris is a library for building and deploying serverless web apps on Amazon Web Services, with a focus on simplicity and ease of use. It provides a simple way to build the application and tools to deploy it to AWS.

An application built with Osiris is deployed to AWS as a Lambda function and an API Gateway API. Configuration is generated for CloudFormation to define the application resources.

This repository includes configurations for app deployments within Twitch Security.

Tags: osiris, aws


57) Tool: osiris-admin

Description: A bash script to automate the management of osiris.

Tags: osiris, automation


58) Tool: osiris-app

Description: A deployment configuration for osiris.

Tags: osiris, automation


59) Tool: osiris-config

Description: Configuration for deploying Osiris through AWS CloudFormation.

Tags: osiris, automation, cloudformation


60) Tool: osiris-debs3-proxy

Description: Empty repository.

Tags: osiris


61) Tool: osiris-health

Description: Osiris health check script.

Tags: osiris


62) Tool: osiris-pki-server

Description: Internal PKI server that covers Duo Security, and YubiKey

Tags: osiris, duo-security, yubi-key


63) Tool: osiris-registration

Description: This is a Lambda function that automates the registration process for a new Osiris stack instance. It primarily manages the DNS delegation process, subject to the requisite authorization checks (which are stored in a DynamoDB table).

Tags: osiris, aws, lambda


64) Tool: osiris-selfservice

Description: Empty repository.

Tags: osiris


65) Tool: osiris-static-site

Description: CloudFormation template to deploy static sites through Osiris.

Tags: osiris


66) Tool: osiris-update-stack

Description: Lambda function for scheduled updates of the Osiris CloudFormation stack.

Tags: osiris


67) Tool: osiris-v2

Description: A deprecated repository.

Tags: osiris


68) Tool: osiris-yubikey-client

Description: This is the client for the osiris-pki-server, with a focus on issuance of certificates for Yubikeys.

Tags: osiris, yubi-key


69) Tool: ovpnmetrics

Description: This python script scrapes metrics from OpenVPN Access Server (using the local SQLite log database) and writes them to graphite.

Tags: openvpn, graphite


70) Tool: pandora-mvp

Description: An internal project that uses SSM, S3, and EC2 APIs.

Tags: aws, s3, ec2, ssm


71) Tool: pandora-prototype

Description: Testing repository with CloudFormation configuration.

Tags: cloudformation


72) Tool: password-exploration

Description: An experiment that hosts passwords from 000webhoost, antipublic_combo, exploit.in database leaks. It uses AWS Athena and S3 to store datasets. The playbook shows queries to search compromised accounts that were leaked by Twitch employees.

Tags: database-leaks, passwords, aws, athena


73) Tool: rpm-s3

Description: A Clone of https://github.com/crohr/rpm-s3 that is made to work with the newer Python boto3 library.

Tags: rpm, aws, s3


74) Tool: secretsurfer

Description: A secret detection tool that scans for secrets in Git commit history, and reports whenever it finds a secret. It has the capability to validate specific findings for AWS credentials, Slack webhooks, and Twitch 0Auth tokens.

It seems that Twitch has put major efforts into having multiple tools for preventing secrets at scale. This is not the only tool that does secrets detection that was internally developed by Twitch.

Tags: secret-detection


75) Tool: securitycenter-jira

Description: This repository contains Twitch v1.0.0 of the Tenable SecurityCenter-JIRA integration originally written by Tenable Network Security.

The official release by Tenable was v1.1.1, which has been archived and is available in the security/securitycenter-jira-archive repository for historical knowledge.

The project ingests findings from Tenable, and stores it into JIRA tickets for tracking vulnerabilities.

Tags: jira, tenable, security-scanning


76) Tool: securitycenter-jira-archive

Description: An archive of securitycenter-jira.

Tags: jira, tenable, security-scanning


77) Tool: shuffle

Description: Shuffle is a small piece of automation that can make OpenVPN ACL changes. It is useful when a service’s IP addresses change.

It is made of two components:

The Lambda function triggers the applier script via Amazon Systems Manager.

Tags: aws, lambda, openvpn


78) Tool: sift-aws

Description: SIFT AMI for Twitch SIRT. This is a collection of Ansible playbooks that builds and provisions a SIFT workstation.

The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings.

Tags: sift, forensics, ansible


79) Tool: sirt_alerts

Description: A Git repository of SIRT alerts and playbooks. It seems to be categorized according to the MITRE ATT&CK framework. It also covers playbooks for several TTPs on macOS, Windows and AWS.

Tags: mitre, att&ck, ttps, macos, windows, aws, incident-response


80) Tool: sirt_alerts_archive

Description: A Git repository that seems to be an archive of sirt_alerts. It covers a large number of playbooks and incidents detection write-ups.

Tags: mitre, att&ck, ttps, macos, windows, aws, incident-response


81) Tool: sirt_lookup_tables

Description: Several CSV files that acts as a lookup table. It includes files for: TOR exit nodes, URLHAUS malicious urls, Pacu User-Agents, malicious Chrome extensions, and low-reputation IPs.

This seems to be used in threat detection.

Tags: threat-detection, cti, tor, urlhaus


82) Tool: sirt_range_dev

Description: Empty repository.

Tags: empty


83) Tool: sirt-520

Description: sirt-520 contains a single HTML/JavaScript file with no details. Reading the code, it seems to be a malware piece that acts as wormable payloads for pulling contacts from Google Contacts and then sending malware emails. The TTP used here is novel. The URL that is being sent to contacts is an authorization page for Google apps, where the app is authorized to get emails and contacts.

The concept bypasses Google Safe url checks as the url being shared in the email points to https://accounts.google.com.

Tags: phishing, TTP, google-apps, gsuite, exploit


84) Tool: sirt-detection-ec2-instances

Description: This repository contains provisioning scripts that initialize Windows and macOS machines and install detection agents. The detection agents used in the scripts are: CrowdStrike Falcon and Uptycs.

It uses Terraform to deploy the machine, Bash for macOS machines, and Powershell for Windows machines.

Tags: crowdstrike, uptycs, aws, terraform, ec2


85) Tool: sirt-dns_report

Description: This script is made for continuous monitoring purposes of the DNS infrastructure of Twitch. Twitch has a service called “changelog” that contains the DNS records of Twitch, and can be called through a REST API.

The script pulls all the changelog, and sends an alert for changes to Twitch security email that automatically creates a JIRA ticket based on the email.

Tags: jira, email, smtp, dns, infrasec


86) Tool: sirt-gophish

Description: Re-deployable gophish infra for SIRT to run phishing exercises. It also includes Terraform code for deploying gophish with all the required configuration.

Tags: gophish, phishing, golang, terraform


87) Tool: sirt-jira-issue-escalator

Description: A Lambda function that pulls data from JIRA through a JQL query that fetches tickets not marked as “Done”, and then pushes metrics to CloudWatch.

Tags: cloudwatch, jira


88) Tool: SIRT-JiraBot

Description: JiraBot is modeled after Dropbox’s SecurityBot https://github.com/dropbox/securitybot.

It includes JQL queries, interactive messages for Slack.

The purpose of the tool is to allow interaction with security projects on JIRA. It runs on AWS Lambda.

Tags: jira, securitybot, slack, aws, lambda


89) Tool: sirt-jirahandler

Description: An incomplete project. It manages Jira tickets through the Jira Python library.

Tags: jira


90) Tool: sirt-misp-cdk

Description: CloudFormation port of a MISP deployment in Pulumi. A work-in-progress project.

Tags: pulumi, cloudformation


91) Tool: sirt-pulumi

Description: A customized version of https://github.com/MISP/misp-docker.

Tags: misp, docker, pulumi


92) Tool: sirt-report

Description: A script that pulls open incidents from JIRA and sends it as an email to Twitch security team as a report.

Tags: jira, incident-response, reporting


93) Tool: sirtbot

Description: A Slack bot that is based off a fork of https://github.com/lins05/slackbot.

Tags: slack


94) Tool: SIRTGuardDutyRole-cloudformation

Description: A cloudformation config to enable Twitch SIRT to access GuardDuty in the target account.

Tags: aws, guardduty, cloudformation


95) Tool: sirtjira

Description: Another library to interact with Jira. It has the capability to create issues, manage issues, add comments, and other similar features.

Tags: jira


96) Tool: sirtlib

Description: An automation Python library to interact with Splunk, Uptycs, Amazon Anamoli (Internal Amazon Security service), and Salesforce IDM.

Tags: python, splunk, amazon, salesforce, uptycs


97) Tool: slaughter_bot

Description: An automation bot that can send emails, pull open risks and incidents from Jira, and put them into Spreadsheet.

Tags: spreadsheet, jira, email


98) Tool: sonarvet

Description: A report parser for SonarQube written in Golang.

Tags: sonarqube


99) Tool: spark_from_athena_uptycs

Description: A script to generate queries for AWS Spark and AWS Glue. It seems to use AWS Athena and Uptycs for the queries.

Tags: aws, athena, aws-athena, aws-spark, aws-glue, uptycs


100) Tool: splunk-hec-go

Description: Splunk HEC Golang Library. It’s a forked version of https://github.com/fuyufjh/splunk-hec-go.

Tags: splunk


101) Tool: splunk-saved-searches

Description: Repository to manage the configuration for saved searches/alerting in Splunk to be integrated with an automated deployment lambda function.

Tags: splunk, incident-response


102) Tool: squidmetrics

Description: Squid statsd publisher. This python script scrapes metrics from Squid (using the local manager interface) and writes them to statsd/statsite.

Tags: squid, metrics


103) Tool: ssm-logging-enrollment

Description: ssm-logging-enrollment. A simple script to enable CloudWatch logging for SSM session manager.

Tags: aws, cloudwatch, ssm, session-manager, logging


104) Tool: subdomain_checker

Description: Subdomain Takeover Checker. Check if a list of sites is vulnerable to an S3 Bucket or Cloudfront CNAME Hijack.

It has a feature to automatically claim vulnerable CloudFront and AWS S3 buckets that are not publicly claimed.

Tags: aws, subdomain-takeover, s3, cloudfront


105) Tool: tails

Description: Empty repository.

Tags: empty


106) Tool: takeover_check

Description: SIRT Takeover DNS Checker. Sweeps across domains to find subdomain takeover vulnerabilities.

It checks for AWS Beanstalk, CloudFront, S3, and signs of misconfiguration.

Tags: aws, cloudfront, s3, subdomain-takeover


107) Tool: teleport

Description: Teleport configuration repository.

Tags: teleport


108) Tool: teleport-configuration

Description: Teleport Configuration. This repository contains configuration files in YAML format for Teleport.

Tags: teleport


109) Tool: teleport-dashboard

Description: Teleport dashboard.

Tags: teleport


110) Tool: teleport-dns-guardian

Description: Teleport DNS Guardian. A small Python utility intended to be run as an AWS Lambda function. It can be used as part of a DNS round robin load balancing setup to keep the list of IPs in the DNS record updated based on Consul. It’s best to run once per minute.

Tags: teleport


111) Tool: teleport-enterprise-build

Description: Teleport Enterprise package builder.

Tags: teleport


112) Tool: teleport-remote

Description: This includes the components to build and manage remote Teleport clusters.

Tags: teleport


113) Tool: teleport-util

Description: This contains utilities used for managing or automating the Teleport deployment at Twitch.

Tags: teleport


114) Tool: terraform

Description: Security-related Terraform configuration.

Tags: terraform


115) Tool: tf-asg

Description: A Terraform module to create and manage autoscalling group.

Tags: terraform


116) Tool: tf-lambda-dogfish-sg

Description: Terraform module to manage “dogfish” project.

Tags: terraform


117) Tool: tf-teleport

Description: Terraform module for setting up teleport.

Tags: terraform


118) Tool: tf-teleport-auth-lb

Description: Terraform module that creates a network loadbalancer for Teleport auth service.

Tags: terraform


119) Tool: tf-teleport-dns-guardian

Description: Terraform module for setting up a lambda function to manage Teleport’s DNS round robin records.

Tags: terraform


120) Tool: threat-modeling

Description: A repository that hosts a threat-modeling diagram built with PlantUML about a portion of Twitch threat-model.

Tags: threat-modeling


121) Tool: tshproxy

Description: This is a shim meant to wrap tsh and ssh for use in a ProxyCommand. It primarily exists to automatically install or renew an SSH certificate if it is expired or doesn’t exist.

Tags: ssh, proxy


122) Tool: twitch-bastion-util

Description: This script will automate the client-side configuration steps process for the Twitch Bastion (an internal service). Specifically, it will install the Teleport client software and configure the ssh client to access production via a bastion host.

Tags: teleport


123) Tool: twitch-glitch-bot

Description: Slack bot that interacts with Jira, Slack and PagerDuty.

Tags: pagerduty, slack, jira


124) Tool: twitch-public-s3-bucket

Description: A CloudFormation template that provisions an internal S3 bucket.

Tags: s3, aws, cloudformation


125) Tool: TwitchyOmega

Description: A forked version of https://github.com/FelisCatus/SwitchyOmega.

Tags: proxy, SwitchyOmega, chrome, chrome-extension


126) Tool: UbuntuVulnData

Description: A report parser tool that contextualizes vulnerability reports on Ubuntu AMIs that are not enriched with additional vulnerability details.

Tags: vulnerability-management


127) Tool: vacation-calendar

Description: A Google Suite App that syncs team calendar when a member takes a vacation.

Tags: google-suite, gsuite, automation, productivity


128) Tool: wireguard-gateway

Description: Wireguard gateway: a framework to setup a full Wireguard infrastructure on AWS.

Tags: wireguard


129) Tool: yeti-infra

Description: An incomplete project. It’s a Terraform module for deploying YETI project for threat-intelligence.

Tags: terraform, threat-intelligence



Final Thoughts

Twitch Security invested thousands of hours in building its security tools and security program. I consider the tools developed internally to be advanced, well-thought and has done with excellent use-cases. At the time of writing the blog post, Twitch has not released a postmortem yet about the Twitch breach, how it happened, and technical details about the breach.

Although the leaked security data covers the tools, it doesn’t cover the security architecture and the security program details. It’s hard to come up with a definite conclusion of how the breach could have happened.

I can see that there is less focus on the tools for Identity Management and Access Control. Also, I can not see tools or references for the Security automation of SAST to scan the CI pipeline. Assets Discovery is done well, but I can not see AWS-related checks for AWS Policies and Role-Based access validation.

The continuous security scanning from an AppSec perspective seems limited from seeing the developed tools. It’s possible that Twitch is running COTS tools instead of building their tools internally, but this also is not clear, as I haven’t seen ingestion for commercial DAST tools.

The Twitch breach acts as a reality check on organizations and companies that are building their security program. The possibility of a breach is always there, organizations can take the next step and work in “assume-breach” playbooks and build additional security controls for their security program.

About FullHunt.io

FullHunt is the Next-Generation Attack Surface Management Platform. FullHunt enables companies to discover all of their attack surfaces, monitor them for exposure, and continuously scan them for the latest security vulnerabilities and risks. We help companies around the world in securing their external attack surface using our technologies that are scanning millions of Internet-connected assets and cloud resources.

Are you an enterprise that is looking to build security for their External Attack Surface? Please reach out to us at fullhunt.io, and we will be happy to solve your challenges.

References

  1. https://www.bbc.com/news/technology-58817658
  2. https://www.theverge.com/2021/10/6/22712365/twitch-data-leak-breach-security-confirmation-comments
  3. https://www.nytimes.com/2021/10/06/technology/twitch-data-breach.html
Mazin Ahmed

Mazin Ahmed

Thoughts of a hacker

rss facebook twitter github gitlab youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora quora