crytek csirt cert-ee symposium 2016

Threats in video game industry Dmitry Korzhevin – Crytek CSIRT

Upload: crytekcsirt

Post on 12-Jan-2017


Threats in video game industry

Dmitry Korzhevin – Crytek CSIRT

COMPANY OVERVIEW

Crytek Games

CRYENGINE® is Crytek's key differentiator for success:

● World-leading game development software for sophisticated computer and video games
● Highest graphics quality and unique real-time 3D technology
● Innovation leadership as a result of 15 years of development know-how
● Licensed by numerous third-party game developers and publishers
● Sole integrated all-in-one solution for games on platforms of the current and future generation

CRYENGINE

Crytek STUDIOS and CSIRT constituency

● Frankfurt (HQ)
● Budapest
● Istanbul
● Kiev
● Seoul
● Shanghai
● Sofia

WARFACE in Numbers

● 36 200 000 registered users: more than the population of Canada
● 2 557 557 334 340 warbucks gained: more than the GDP of the United Arab Emirates over 4 years
● 3 758 496 797 revivals by medics: more than half the world's population
● 273 509 398 237 shots: enough for 32 years of continuous fire from an M137 minigun
● 3 044 154 697 co-op climbs performed: players have raised 48 Cheops pyramids

Threats categories

● Aimed at Users
● Aimed at Servers and Services
● Aimed at Network and Infrastructure

Threats aimed at Users

Threats aimed at Users – Cheats

Cheats. Countermeasure: anti-cheat systems.

Anti-cheat systems:
● User (client) side
● Server side
● Hybrid

Examples:
● FairFight
● Starforce
● EasyAntiCheat
● Custom

Threats aimed at Users – Social Engineering

Social engineering via:
● Forums
● In-game messaging
● Chats

Countermeasures:
● User awareness
● Info banners
● Informational e-mails
● StaySafeOnline (NCSA)

Phishing Attacks

Countermeasures:
● User awareness
● Info banners
● Informational e-mails
● Cooperation with law enforcement

Password-Based Attacks

Brute-force, dictionary and hybrid attacks against:
● Websites
● User accounts
● API / single sign-on

Countermeasures:
● User awareness
● Strict password policies
● Detection on API / server level
● Threshold on API level
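An added example (not from the talk or Crytek's tooling) of the API-level threshold detection the slide lists: a sliding-window counter of failed logins per source, run over constructed log lines in a hypothetical format; the log format, threshold and window size are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical API login log format (not Crytek's):
# "<ISO timestamp> login src=<ip> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2016-05-10T12:00:01 login src=203.0.113.5 user=alice result=fail
2016-05-10T12:00:02 login src=203.0.113.5 user=alice result=fail
2016-05-10T12:00:03 login src=203.0.113.5 user=bob result=fail
2016-05-10T12:00:04 login src=203.0.113.5 user=carol result=fail
2016-05-10T12:00:05 login src=203.0.113.5 user=dave result=fail
2016-05-10T12:00:06 login src=203.0.113.5 user=erin result=fail
2016-05-10T12:00:07 login src=198.51.100.7 user=alice result=ok
2016-05-10T12:03:00 login src=198.51.100.9 user=frank result=fail
2016-05-10T12:09:00 login src=198.51.100.9 user=frank result=fail
"""

LINE_RE = re.compile(r"^(\S+) login src=(\S+) user=(\S+) result=(ok|fail)$")

def parse(line):
    """Return (time, src, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, result = m.groups()
    return datetime.fromisoformat(ts), src, user, result

def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert once per source that reaches `threshold` failed logins inside a sliding
    `window`; the distinct-account count separates one-account guessing from spraying."""
    failures = defaultdict(deque)  # src -> recent (time, user) failures
    alerted, alerts = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != "fail":
            continue
        ts, src, user, _ = rec
        q = failures[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, len({u for _, u in q})))
    return alerts

def run_demo():
    return detect(SAMPLE_LOG.splitlines())
```

Only the first source trips the threshold; the two spaced-out failures from the last source stay below it because the window expires the first one.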

Browser attacks (Web)

● XSS (both reflected and stored)
● CORS violation
● Link manipulation

Countermeasures:
● Browser update reminders
● Active penetration tests
● Code review
● Automated code security review

Rootkits and web-shells

Upload vectors:
● Forums
● Avatars

Countermeasures:
● Linux Malware Detect for all uploads
● Notification

Threats aimed at Servers and Services

SSL attacks

Countermeasures:
● NGINX
● Up-to-date versions
● Web server tuning (A+ certs)
● Customized NGINX configuration
● Own repos with signed packages

Unpatched software

Countermeasures:
● Automated checks and notification
● Auto-install of critical security updates
● RSS subscriptions for the team
● E-mail subscriptions for the team

Denial of service

Countermeasures:
● N+1
● DC anti-DDoS
● WAF: ModSecurity (Atomicorp)
● Host firewalls (Netfilter)
● CDN protection
● Non-standard ports
● TCP/UDP knock-in

Attacks on custom services

Countermeasures:
● Honeypots
● Rsyslog
● Log distribution (DC, studios)
● Encrypted relay chains (TLS-protected)
● NTP: OpenNTPD (N+1)
● Monitoring (N+1)

Configuration mistakes

Countermeasures:
● Least privilege
● PXE + Foreman
● Puppet
● Ansible
● Git and GitLab

CIA Triad Compliance

● Confidentiality: only authorized access to data.
● Integrity: data has not been improperly altered.
● Availability: data and services are always available.

Standards and benchmarks:
● Center for Internet Security (CIS) Benchmarks
● Defense Information Systems Agency (DISA) STIGs
● ISO 27002/17799 security standards
● National Institute of Standards and Technology (NIST) guidelines
● National Security Agency (NSA) guidelines
● Payment Card Industry Data Security Standard
● Site Data Protection (SDP)

Tools:
● Nessus
● Lynis

OS and Services integrity

HIDS: Samhain

HIDS additional options:
● Use a static binary not linked to shared libraries
● Strip the binary
● GPG-signed configuration and baseline database
● Own HIDS built-in SMTP
● Stealth mode of operation (config hidden in image)
● Disable command-line parsing without the magic word
● Rename every installed file to a custom name
● Pack and encrypt the executable
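An added example (not Samhain's code or Crytek's) of why the slide signs the baseline database: a file-integrity check that refuses a baseline whose signature does not verify, then reports modified, added and removed files. It stands in an HMAC for the GPG signature and uses a constructed directory tree; both are assumptions of the example. The dropped-file case also illustrates the web-shell detection goal of the earlier "Rootkits and web-shells" slide.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def hash_tree(root):
    """SHA-256 of every regular file under root, keyed by relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def sign_baseline(hashes, key):
    """Serialise the baseline and attach an HMAC-SHA256 tag (stand-in for GPG)."""
    body = json.dumps(hashes, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_and_compare(root, body, tag, key):
    """Refuse an unsigned or altered baseline; otherwise report file drift."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline signature invalid: refusing to trust it")
    baseline, current = json.loads(body), hash_tree(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario: baseline a tree, tamper with it, check twice."""
    key = b"constructed-demo-key"  # real deployments keep the signing key off the host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "bin.sh").write_text("#!/bin/sh\necho ok\n")
        body, tag = sign_baseline(hash_tree(root), key)
        # Simulated intrusion: config edited, unknown file dropped, binary removed.
        (root / "etc" / "app.conf").write_text("listen=443\nadmin=1\n")
        (root / "dropped.php").write_text("<?php /* constructed placeholder */ ?>")
        (root / "bin.sh").unlink()
        report = verify_and_compare(root, body, tag, key)
        # Re-baselining the tampered tree without the key cannot yield a valid tag.
        forged = json.dumps(hash_tree(root), sort_keys=True).encode()
        try:
            verify_and_compare(root, forged, tag, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return report, forged_rejected
```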

Threats aimed at Network

IPsec attacks

● Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
● More than 19 critical vulnerabilities in the last 5 years

Attack classes:
● DoS
● Code execution
● Overflow
● Bypass
● Gain information (disclosure)

Countermeasures:
● Latest firmware for HW firewalls (NGFW)
● strongSwan IPsec
● Auth logs to RADIUS
● Least privilege
● DMZ and separate segments
● Different security levels
● IPsec IKEv2 EAP-TLS with authentication based on X.509 certificates, elliptic curve DH groups and ECDSA, with built-in integrity and crypto tests for plugins and libraries
● PacketFence network access control (NAC)

Network Planning

● Security policy
● Levels of acceptable risk (risk management)
● Network segmentation and VLANs

Defense in depth

● SSH with RSA auth keys only
● Tokens (YubiKey)
● FreeIPA

We are open!

Welcome to the Crytek Kiev Studio

QUESTIONS?

Dmitry Korzhevin

Head of Crytek CSIRT

[email protected]

©2016 Crytek GmbH