By Anthony Troiano
As of 2016, 2.5 billion people around the world played video games. The industry's estimated value in 2020 is $159.3 billion, and it keeps growing. To anyone in the field of Computing Security, this raises the question: what does security look like in this industry? Recently, Akamai reported that between June of 2018 and 2020, both gamers and the industry fell victim to 10 billion cyberattacks.
I took it upon myself to find a big company in the industry and to try getting some perspective from them. I ended up picking Riot Games for this. They are an American video game developer and publisher best known for their game League of Legends, which currently has an estimated 115 million players. What ultimately made me want to hear from them was the fact that they have several games published, some of which run across multiple platforms, with even more games set to release soon. From a security perspective, seeing how a company deals with all of that fascinated me.
I was fortunate to get into contact with someone on the security team over at Riot. My goal was to learn more about how security fits into the overall mindset of a company set out to produce games for people to enjoy. As you will see from the questions and answers, it plays a bigger role behind the scenes than one would think.
Questions and Answers
- Can you please tell me a bit about yourself? For instance, what’s your background? What do you currently do at Riot Games?
Answer: I’m Tom Sommerfield, a Security Engineer with the Riot Games Security Operations team. My primary responsibilities are identifying and investigating malicious activity on Riot’s corporate and player-facing networks. I’ve been doing this type of work for about 12 years for Riot Games, Electronic Arts, and Lockheed Martin. Prior to working in security, I was a systems administrator at Lockheed Martin, and prior to that served in the Army doing unrelated work. I have a BS in computer science and a few security certifications (GCFA, GREM, GPEN).
- What does a typical day look like for you?
Answer: There’s always some work responding to alerts that have been generated by any of our detection systems, creating or tuning the rules that generate those alerts, researching new/emerging threats, and collaborating with other security teams across the industry on the above.
Some of the detections (i.e., EDR rules, IDS/IPS signatures) that we’ve created are the output of previous investigations and are considered “high fidelity,” meaning we know they relate directly to malicious activity. Other detections are derived from intelligence shared by a 3rd party or from a black box security tool that we may not have insight into. Those are considered “low fidelity” because they may not be directly applicable to our environment. This distinction helps triage response to alerts: a high-fidelity alert means the on-call person should be paged for immediate investigation, whereas a low-fidelity alert can probably wait until the morning.
When not working on the detection & response side of the house, we’re typically building or tuning new capabilities. As an example, right now we’re evaluating a new SIEM that includes a machine learning framework designed to help identify anomalous activity in our security logs. There’s engineering work that goes into normalizing the log sources, training the models, and reviewing the output.
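The fidelity-based triage described in the answer above, written out as an added example (my own illustration, not Riot's tooling): a rule's starting fidelity follows its provenance, high-fidelity alerts page the on-call, low-fidelity alerts go to a morning queue, and analyst verdicts promote or demote rules over time. The promotion/demotion thresholds and field names are assumptions.

```python
# Added example, not Riot's code: alert triage keyed on detection fidelity.
# Thresholds (promote_after, demote_after) and field names are assumptions.
from dataclasses import dataclass
from enum import Enum


class Fidelity(Enum):
    HIGH = "high"  # rule came out of our own investigation; known malicious
    LOW = "low"    # 3rd-party intel or black-box tool; may not fit our environment


@dataclass
class DetectionRule:
    name: str
    source: str               # "investigation", "third_party_intel" or "blackbox_tool"
    fidelity: Fidelity
    confirmed_hits: int = 0   # alerts an analyst confirmed as malicious
    false_positives: int = 0  # alerts an analyst closed as benign


def new_rule(name: str, source: str) -> DetectionRule:
    """Initial fidelity follows provenance: only our own investigations start HIGH."""
    fidelity = Fidelity.HIGH if source == "investigation" else Fidelity.LOW
    return DetectionRule(name, source, fidelity)


def route_alert(rule: DetectionRule, host: str, fired_at: str) -> dict:
    """HIGH fidelity pages the on-call now; LOW waits for the morning review queue."""
    action = "page_oncall" if rule.fidelity is Fidelity.HIGH else "morning_queue"
    return {"rule": rule.name, "host": host, "fired_at": fired_at, "action": action}


def record_outcome(rule: DetectionRule, malicious: bool,
                   promote_after: int = 3, demote_after: int = 5) -> Fidelity:
    """Tune fidelity from analyst verdicts. A LOW rule whose alerts keep proving
    malicious (and never benign) is promoted; a HIGH rule that starts producing
    benign alerts is demoted so it stops paging people at night."""
    if malicious:
        rule.confirmed_hits += 1
    else:
        rule.false_positives += 1
    if (rule.fidelity is Fidelity.LOW and rule.confirmed_hits >= promote_after
            and rule.false_positives == 0):
        rule.fidelity = Fidelity.HIGH
    elif rule.fidelity is Fidelity.HIGH and rule.false_positives >= demote_after:
        rule.fidelity = Fidelity.LOW
    return rule.fidelity


if __name__ == "__main__":
    # Constructed sample rules and alerts
    edr = new_rule("edr-credential-dump", "investigation")
    ioc = new_rule("vendor-ioc-hash-feed", "third_party_intel")
    print(route_alert(edr, "ws-042", "2020-10-01T02:15:00")["action"])  # page_oncall
    print(route_alert(ioc, "ws-043", "2020-10-01T02:16:00")["action"])  # morning_queue
```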
- What does the structure look like for the security teams at Riot Games? Does each team oversee security for all the games, or is it divided into even smaller teams?
Answer: InfoSec is organized in 7 functional areas:
- Rioter Security: identity & access management, endpoint and network security stack
- Anti-cheat: ensuring competitive integrity within the games
- Security Operations: detection & response, forensics, threat intelligence
- Data Privacy: player / Rioter data protection, regulatory compliance
- Risk & Review: governance, vulnerability management
- Application Security: secure code, bug bounties
- Platform Security: player-facing infrastructure
Each team contributes to security across all of Riot’s games and networks in their respective areas. Additionally, there are Security Points-Of-Contact that own the relationship between InfoSec and the various business areas. For example, my team lead is the VALORANT POC. He acts as a liaison, connecting VALORANT with any InfoSec resources they may need.
- Does security play a part in the development process for Riot Games when they produce new products? If so, to what degree? If not, do you think it should? For example, Legends of Runeterra allows rich text for deck names on the client side. Did its inclusion raise security concerns?
Answer: Yes, InfoSec is involved in the development of all products, including games. All of our products go through various “gates” that measure their maturity before ever being released into production. Built into that process are a number of security reviews.
I can’t speak directly to the LOR rich text issue you mentioned, but our Application Security team does extensive code reviews, including input validation tests, for all our products.
We also run penetration tests against the infrastructure that hosts the products, and use a bug bounty program to encourage 3rd party researchers to report vulnerabilities to us. We take this so seriously that we offer up to $100,000 for vulnerabilities related to our anti-cheat system.
- Do you closely monitor security news for gaming or in general? And do they impact projects/goals for security at Riot Games?
Answer: Yes, and yes.
There’s a well-documented history of a cybercriminal group named APT41 (aka BARIUM, WINNTI, WICKED SPIDER) that targets, among others, the gaming industry. Just last month, the DOJ indicted several members of this group.
While we don’t want to become fixated on a single threat actor, understanding their tactics, techniques and procedures means we’ll be more likely to detect their attacks against us. Closely monitoring news related to APT41 allows us to feed the detection and response process and produce higher fidelity rules/alerts, as mentioned above.
Projects are absolutely influenced by security news. When APT41 was linked to the ASUS compromise last year, we spun up a project to determine if we were running any of the affected ASUS software. In that situation (a threat group known to target gaming had the ability to compromise systems via 3rd party legitimate software updates) we were both interested in the specifics of that attack, and the more general techniques employed. That gave us a project with two different angles to attack the problem from.
- Being a part of the gaming industry, I’d imagine a lot of people are tech savvy. But in general, how security aware is everyone? Do non-security coworkers have to go through any training?
Answer: All employees attend security awareness training and we have multiple channels for folks to report security concerns to us. I think the integration of InfoSec with the products (game teams, engineering, infrastructure, etc.) means that everyone in the company has at least occasional interactions with us, helping improve security awareness. Our CISO has also given companywide briefs on security topics.
- What would you say is the biggest threat to security right now and why?
Answer: My opinion is that supply chain attacks present the biggest threat to any org right now, regardless of industry. This includes everything from abuse of open source frameworks to weaponized software updaters (ASUS, discussed above).
These types of attacks exploit existing trust relationships as much as technical vulnerabilities, which can be very difficult to detect and remediate.
- Is Riot Games currently looking to expand its security teams? If so, can you tell me what specifically? What sort of skillsets are you looking for?
Answer: Yes, we’re always looking for engineers to join our InfoSec teams. All of the focus areas I mentioned above are in demand:
- Application security engineers who understand the SDLC
- Incident response engineers with malware reversing or digital forensic experience
- Lawyers with an IP background who can join our privacy team
There’s quite a bit of overlap in the skills each team needs as well. The Anti-Cheat team often needs to reverse engineer cheat binaries to better understand how they work and write signatures. That’s virtually identical to a Security Operations engineer reversing malware to create a rule in our EDR to detect it.
You can see our current openings here.
I just want to thank Tom Sommerfield for taking time out of his incredibly busy schedule to answer these questions. He provided thoughtful insight that sheds light on how security fits into the gaming industry. Security is a matter that is taken extremely seriously and is a core component of their product design process. Different responsibilities are delegated among various teams that oversee all their games. As someone who plays some of their games, I feel safer now after this interview. I wonder how security at other gaming companies compares. I strongly urge anyone else interested in this to investigate both the different links Tom provided and Riot’s bug bounty program. If you want to read up on more security involving Riot, check out the links below.