
Heroku Abuse Operations: Hunting Wolves in Sheep's Clothing

Conference:  BlackHat USA 2020

2020-08-06

Summary

The presentation discusses abuse operations and how the team hunts for abuse on the Heroku platform. The focus is on defending the common runtime from abusive bad actors who try to monetize free services. The team has identified several puzzle pieces of abuse that have been underreported.
  • Abuse operations is the detection of and response to malicious activity, looking at the wider picture of misuse, abuse, malice, and crime.
  • Heroku is a platform-as-a-service that offers an easy interface to go quickly from idea to online application without having to manage and configure the underlying infrastructure.
  • The team defines abuse as the unintended monetization of anything, and focuses on defending the common runtime from abusive bad actors who try to monetize free services.
  • The team has identified three guiding philosophies: relentless incrementalism, non-repetition, and hyper-automation.
  • Knowing the business you are serving helps remove some of the pain points that abuse causes it.
  • The team's collaboration provides a channel to let the right people know about gaps in business logic, resulting in a platform that is too much trouble for bad actors to abuse.
  • The presentation ends with a call to action: think about how free services, or any service a company offers, can be abused and what can be done about it.
The presentation uses Heroku as an example of a platform that runs anyone's code on the internet, as directed from unknown sources, millions of times a day.

Abstract

Black Hat attendees 'get' security - but strategically speaking, where does abuse management fit? Abuse Operations - at its core - is detection of and response to malicious activity when everything is working "as designed." Classical security is interested in prevention, governance, and compliance, while abuse operations looks at the wider picture of misuse, abuse, malice and crime. At any moment in time, multiple actors are bypassing detection and response systems, masquerading as customers in order to take unfair advantage of your systems and services. Different from the full compromise scenarios we know and love, abuse is a slow simmering burn, where our customers can become a problem, and worse, your problem. Attendees in this session will get an insider's view into active abuse on one of the largest pure-play, remote-code-execution-as-a-service (RCE-aaS) platforms on the Internet: Heroku. Allan and Spencer walk through the cat-and-mouse hunt for ever-evolving miscreant behavior hidden in the sea of legitimate users, build mechanisms to turn low-value indicators into high-value decisions, and show the value of "pushing left" to make the platform less hospitable for abuse. For attendees dealing with abuse, this session will start conversations on how we engage abuse at scale - and the scaffolding you can apply on Monday when you get back to work.
