{"id":4311,"date":"2024-07-02T19:21:01","date_gmt":"2024-07-03T00:21:01","guid":{"rendered":"https:\/\/www.darkreading.com\/cybersecurity-operations\/three-ways-to-chill-attacks-on-snowflake"},"modified":"2024-07-02T19:21:01","modified_gmt":"2024-07-03T00:21:01","slug":"3-ways-to-chill-attacks-on-snowflake","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/07\/02\/3-ways-to-chill-attacks-on-snowflake\/","title":{"rendered":"3 Ways to Chill Attacks on Snowflake"},"content":{"rendered":"
<\/a><\/div>\n

More than a month after a spate of data theft of Snowflake environments, the full scope of the incident has become more clear: at least 165 likely victims, more than 500 stolen credentials, and suspicious activity connected to known malware from nearly 300 IP addresses.<\/span><\/p>\n

In June, the cloud data service provider washed its hands of the incident, pointing to the cybersecurity investigation report published by its incident response providers Google Mandiant and CrowdStrike, which <\/span>found that 165 Snowflake customers<\/a><\/span> had potentially been impacted by credentials stolen through information-stealing malware. In a June 2 update, Snowflake confirmed that it found no evidence that a vulnerability, misconfiguration, breach, or stolen employee credential had led to the data leaks.<\/span><\/p>\n

“[E]very incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials,” Google Mandiant stated.<\/span><\/p>\n

Snowflake urged its customers to ensure multifactor authentication (MFA) is running on all accounts; to create network policy rules that limit IP addresses to known, trusted locations; and to reset Snowflake credentials.<\/span><\/p>\n

Those measures, however, <\/span>are not enough<\/a><\/span>, say experts. Companies need to be aware of how their SaaS resources are being used and not rely on users choosing security over convenience.<\/span><\/p>\n

“If you build a system that relies on humans never failing, then you’ve built a really bad system,” says Glenn Chisholm, co-founder and chief product officer at SaaS security provider Obsidian Security. “Good engineers design systems that expect human failure.”<\/span><\/p>\n

Here are some additional defenses that security teams should consider to detect security failures in their Snowflake and other SaaS cloud services.<\/span><\/p>\n

1. Collect Data on Accounts and Regularly Analyze It<\/h2>\n

Security teams first need to understand their SaaS environment and monitor that environment for changes. In the case of Snowflake, the Snowsight web client can be used to collect data on user accounts and other entities \u2014 such as applications and roles \u2014 as well as information the privileges granted to those entities.<\/span><\/p>\n

The picture that develops can quickly grow complex. Snowflake, for example, has five different administrative roles that customers can provision, according to SpecterOps, which <\/span>analyzed potential attack paths in Snowflake<\/a><\/span>.<\/span><\/p>\n

\"Snowflake<\/p>\n

The Snowflake access graph can become complex very quickly. Source: SpecterOps<\/p>\n<\/div>\n

And, because companies tend to overprovision roles, an attacker can gain capabilities through nonadministrative roles, says SpecterOps chief strategist Jared Atkinson.<\/span><\/p>\n

“Administrators tend to more easily grant access to resources, or they grant slightly more access than the user needs \u2014 think admin access instead of write access,” he says. “This might not be a huge problem for one user with one resource, but over time, as the business grows, it can become a massive liability.”<\/span><\/p>\n

Querying for <\/span>users who have a password set<\/a><\/span> \u2014 as opposed to the password value set to False, which prevents password-based authentication \u2014 and looking at login history for which authentication factors have been used are possible ways to detect suspicious or risky user accounts.<\/span><\/p>\n

2. Provision Users Accounts Through an ID Provider<\/h2>\n

With modern business infrastructure increasingly based in the cloud, companies need to integrate a single sign-on provider for every employee as the bare minimum to manage identity and access to cloud providers. Without that level of control \u2014 being able to provision and de-provision employees quickly \u2014 legacy attack surface area will continue to haunt companies, says Obsidian’s Chisholm.<\/span><\/p>\n

In addition, companies need to make sure that their SSO is properly set up to securely connect through strong authentication mechanisms, and just as importantly, older methods need to be turned off, while applications that have been granted third-party access should at least be monitored, he says.<\/span><\/p>\n

“Attackers are able to add a username and password to a credential, add the credential through a service account, and allow you to log into that service account, and no one was monitoring this,” Chisholm says. “No one was monitoring those third-party access accounts, those third party connections … but all those interconnections, plus all the ones that developers have created, become this incredible surface area that you get screwed through.”<\/span><\/p>\n

Snowflake <\/span>supports the System for Cross-domain Identity Management (SCIM)<\/a><\/span> to allow SSO services and software \u2014 the company <\/span>specifically names Okta SCIM and Azure AD SCIM<\/a><\/span> \u2014 to manage Snowflake accounts and roles.<\/span><\/p>\n

3. Find Ways to Limit the Blast Radius of a Breach<\/h2>\n

The data leaks facilitated by Snowflake’s complex security configurations may eventually rival, or even surpass, previous breaches. At least one report <\/span>discovered as many as 500 legitimate credentials<\/a><\/span> for the Snowflake service online. Limiting or preventing access from unknown Internet addresses, for example, can limit the impact of a stolen credential or session key. In its latest update on June 11, Snowflake lists <\/span>296 suspicious IP addresses connected with information-stealing malware<\/a><\/span>.<\/span><\/p>\n

Finding other ways to limit the attack path to sensitive data is key, says SpecterOps’ Atkinson.<\/span><\/p>\n

“We know from experience and the details of this particular incident \u2014 the creds were likely stolen from a contractor\u2019s system and access to that system could bypass all of Snowflake\u2019s recommendations \u2014 that one can only reduce the attack surface so much,” he says. “A subset of attackers will still make it through. Attack-path management will severely limit an attacker\u2019s ability to access and carry out effects against resources once they have access.”<\/span><\/p>\n

Network policies can be used to allow known IPs to connect to a Snowflake account while blocking unknown Internet addresses, according to <\/span>Snowflake documentation<\/a><\/span>.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

More than a month after a spate of data theft<\/p>\n","protected":false},"author":12,"featured_media":4312,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-4311","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/3-ways-to-chill-attacks-on-snowflake.jpg?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/3-ways-to-chill-attacks-on-snowflake.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/3-ways-to-chill-attacks-on-snowflake.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/3-ways-to-chill-attacks-on-snowflake.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/3-ways-to-chill-attacks-on-snowflake.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/3-ways-to-chill-attacks-on-snowflake.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/3-ways-to-chill-attacks-on-snowflake.jpg?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/3-ways-to-chill-attacks-on-snowflake.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/3-ways-to-chill-attacks-on-snowflake.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/3-ways-to-chill-attacks-on-snowflake.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/07\/3-ways-to-chill-attacks-on-snowflake.jpg?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4311"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4311\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/4312"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}