CyberSecurity SEE

3 Ways to Calm Snowflake Attacks


After a recent spate of data theft in Snowflake environments, the extent of the incident has now been revealed, with at least 165 likely victims, over 500 stolen credentials, and suspicious activity linked to known malware from close to 300 IP addresses.

When the incident occurred in June, Snowflake distanced itself from the breach and deferred to the cybersecurity investigation findings published by its incident response partners Google Mandiant and CrowdStrike. The investigation report identified 165 Snowflake customers who may have been affected by credentials stolen through information-stealing malware. Snowflake reassured its users on June 2 that there was no indication of a vulnerability, misconfiguration, breach, or stolen employee credential being the cause of the data leaks.

Google Mandiant specifically stated that every incident they responded to in connection with this campaign was traced back to compromised customer credentials. In response, Snowflake strongly advised its customers to ensure that multifactor authentication (MFA) is implemented on all accounts, establish network policy rules restricting IP addresses to known and trusted locations, and reset Snowflake credentials as a precautionary measure.

While these security measures are crucial, experts caution that they may not be adequate. Companies must be vigilant about how their Software as a Service (SaaS) resources are utilized and should not solely rely on users prioritizing security over convenience. Glenn Chisholm, co-founder and chief product officer at SaaS security provider Obsidian Security, emphasized the importance of designing systems that anticipate human error rather than relying on humans to never make mistakes.

To enhance security in Snowflake and other SaaS cloud services, security teams should consider additional defenses beyond MFA. One key strategy is to collect data on accounts and regularly analyze it to detect changes in the environment. Snowflake customers can use the Snowsight web client, or any SQL client, to query account metadata on user accounts, applications, roles, and their associated privileges. SpecterOps noted that Snowflake offers five system-defined administrative roles (ACCOUNTADMIN, SECURITYADMIN, USERADMIN, SYSADMIN, and ORGADMIN) that customers can grant, and the role hierarchy built on top of them can create complex administrative paths within the system.
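An added example of that inventory step, not code from the article or from Snowflake: the two queries below run against the SNOWFLAKE.ACCOUNT_USAGE views (readable by ACCOUNTADMIN; Snowflake documents a latency of up to a couple of hours on these views) and list, first, users who can still sign in with a password alone and, second, direct holders of the five administrative roles. The only assumption is that the ACCOUNT_USAGE share is mounted under the default SNOWFLAKE database.

```sql
-- Added example (not from the article): account posture inventory over
-- SNOWFLAKE.ACCOUNT_USAGE. Run as ACCOUNTADMIN.
USE ROLE ACCOUNTADMIN;

-- 1. Live users that a harvested password unlocks outright: password set,
--    not disabled, no Duo MFA enrolment. DISABLED and EXT_AUTHN_DUO are
--    VARIANT columns, hence the defensive casts.
SELECT name,
       login_name,
       default_role,
       has_rsa_public_key,
       last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND COALESCE(disabled::BOOLEAN, FALSE) = FALSE
  AND COALESCE(ext_authn_duo::BOOLEAN, FALSE) = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Who holds an administrative role directly. Anything beyond a handful
--    of named break-glass users is worth a question; GRANTED_BY shows who
--    handed the role out.
SELECT role,
       grantee_name,
       granted_by,
       created_on
FROM snowflake.account_usage.grants_to_users
WHERE deleted_on IS NULL
  AND role IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'USERADMIN', 'SYSADMIN', 'ORGADMIN')
ORDER BY role, grantee_name;
```

Schedule both queries (a Snowflake task writing into a table is enough) and diff the results day over day; a new row in the second query, or a user reappearing in the first after MFA was enrolled, is the environment change the paragraph above says teams should be watching for.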

Moreover, companies should provision user accounts through an identity provider to manage access to cloud providers effectively. Chisholm highlighted the importance of integrating a single sign-on provider for every employee to streamline identity and access management. Snowflake supports SCIM (System for Cross-domain Identity Management) for creating, updating, and deprovisioning users and roles from identity providers such as Okta SCIM and Azure AD SCIM (Azure AD is now Microsoft Entra ID); authentication itself is then handled by the identity provider through SAML single sign-on, which is also where MFA gets enforced consistently.
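The setup that paragraph describes, as an added example rather than code from the article: a SAML2 security integration so users authenticate through the identity provider, a least-privilege role for the SCIM client, and the SCIM integration that lets the identity provider own the user and role lifecycle. Okta is shown because the article names it; the issuer, SSO URL, certificate, integration and role names are placeholders.

```sql
-- Added example (not from the article): SSO plus SCIM provisioning.
-- CREATE SECURITY INTEGRATION requires ACCOUNTADMIN.
USE ROLE ACCOUNTADMIN;

-- Authentication: users sign in through the IdP. Placeholder values.
CREATE SECURITY INTEGRATION okta_sso
  TYPE = SAML2
  ENABLED = TRUE
  SAML2_ISSUER = 'http://www.okta.com/exkEXAMPLE'
  SAML2_SSO_URL = 'https://example.okta.com/app/snowflake/exkEXAMPLE/sso/saml'
  SAML2_PROVIDER = 'OKTA'
  SAML2_X509_CERT = 'MIIC...'          -- IdP signing certificate, base64, placeholder
  SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'Okta'
  SAML2_ENABLE_SP_INITIATED = TRUE;

-- Provisioning: a dedicated role the SCIM client runs as, holding only the
-- two account-level privileges it needs.
CREATE ROLE IF NOT EXISTS okta_provisioner;
GRANT CREATE USER ON ACCOUNT TO ROLE okta_provisioner;
GRANT CREATE ROLE ON ACCOUNT TO ROLE okta_provisioner;
GRANT ROLE okta_provisioner TO ROLE accountadmin;

CREATE SECURITY INTEGRATION okta_provisioning
  TYPE = SCIM
  SCIM_CLIENT = 'OKTA'
  RUN_AS_ROLE = 'OKTA_PROVISIONER';

-- Bearer token pasted into the IdP's SCIM connector. It is a secret with an
-- expiry, so store it in the IdP only and rotate it before it lapses.
SELECT SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('OKTA_PROVISIONING');

-- Once every human signs in through the IdP, remove local passwords so an
-- infostealer on a laptop has no Snowflake password to harvest. Hypothetical user.
ALTER USER alice UNSET PASSWORD;
```

Deprovisioning then becomes a single action in the identity provider: deactivating the person there removes the Snowflake user through SCIM, instead of relying on someone to remember the Snowflake side.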

The campaign has exposed as many as 500 legitimate Snowflake credentials online, and the complexity of Snowflake's security configuration makes it harder to limit what any one of those credentials can reach. To limit the blast radius of a breach, restricting access from unknown IP addresses through network policies means a stolen password or session token is of little use from an attacker's machine, because the connection is refused before the credential is ever checked.
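An added example of the network-policy control above, not code from the article: an account-wide allow list, a narrower per-user policy for a service account, and a LOGIN_HISTORY query that looks back for the password-only logins from outside that list which the policy would have refused. The CIDRs, policy names, and user names are placeholders chosen from documentation ranges.

```sql
-- Added example (not from the article): network policies and a
-- retrospective login review. SECURITYADMIN can create and activate policies.
USE ROLE SECURITYADMIN;

-- Confirm the admin's own source address is in the list about to be
-- enforced; Snowflake rejects activating a policy that would block the caller.
SELECT CURRENT_IP_ADDRESS();

CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.7')   -- office egress, VPN
  COMMENT = 'Corporate egress and VPN only';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- A user-level policy overrides the account-level one: pin the ETL service
-- account to its single cloud address instead of widening corp_only.
CREATE NETWORK POLICY etl_only ALLOWED_IP_LIST = ('192.0.2.10');
ALTER USER etl_svc SET NETWORK_POLICY = etl_only;

-- Retrospective: successful password-only logins in the last 90 days from
-- addresses the new policies would have refused. LIKE prefixes stand in
-- for the /24 and the two single hosts above.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND client_ip NOT LIKE '203.0.113.%'
  AND client_ip NOT IN ('198.51.100.7', '192.0.2.10')
GROUP BY 1, 2, 3
ORDER BY last_seen DESC;

-- Containment for any account that shows up (hypothetical user): block new
-- logins immediately, then hand over a reset link out of band before re-enabling.
ALTER USER alice SET DISABLED = TRUE;
ALTER USER alice RESET PASSWORD;
```

Unfamiliar values in REPORTED_CLIENT_TYPE for the flagged rows are worth keeping as evidence, since they identify the tooling used with the stolen credential rather than the user's normal client.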

SpecterOps’ Atkinson stressed the significance of managing attack paths to sensitive data effectively, as reducing the attack surface can only go so far in preventing breaches. Ultimately, a robust attack path management strategy can significantly restrict an attacker’s ability to exploit resources once inside the network.
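The attack-path idea above, as an added example that is not the article's or SpecterOps' own code: a recursive query over GRANTS_TO_ROLES that starts at the five administrative roles and follows the role hierarchy to every custom role that inherits one of them, then attaches the users who hold those roles. Each returned row is a path an attacker with that user's credential could walk to administrative control. Role names in the result are whatever the account contains; the ten-hop cap is an assumption.

```sql
-- Added example (not from the article): role-hierarchy paths to admin.
USE ROLE ACCOUNTADMIN;

WITH RECURSIVE
-- Edge child_role -> parent_role: granting role P to role C lets C assume P.
role_edges AS (
    SELECT grantee_name AS child_role,
           name         AS parent_role
    FROM snowflake.account_usage.grants_to_roles
    WHERE deleted_on IS NULL
      AND privilege  = 'USAGE'
      AND granted_on = 'ROLE'
      AND granted_to = 'ROLE'
),
-- Anchor on the admin roles, then follow grants down to inheriting roles.
paths AS (
    SELECT parent_role                         AS admin_role,
           child_role                          AS role_name,
           parent_role || ' <- ' || child_role AS path,
           1                                   AS hops
    FROM role_edges
    WHERE parent_role IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'USERADMIN', 'SYSADMIN', 'ORGADMIN')
    UNION ALL
    SELECT p.admin_role,
           e.child_role,
           p.path || ' <- ' || e.child_role,
           p.hops + 1
    FROM paths p
    JOIN role_edges e ON e.parent_role = p.role_name
    WHERE p.hops < 10      -- Snowflake forbids cyclic role grants; cap is defence in depth
)
SELECT p.admin_role,
       p.role_name,
       p.path,
       p.hops,
       LISTAGG(DISTINCT u.grantee_name, ', ') AS users_holding_role
FROM paths p
LEFT JOIN snowflake.account_usage.grants_to_users u
       ON u.role = p.role_name
      AND u.deleted_on IS NULL
WHERE p.role_name NOT IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'USERADMIN', 'SYSADMIN', 'ORGADMIN')
GROUP BY 1, 2, 3, 4
ORDER BY admin_role, hops, role_name;
```

Read the output as a list of grants to revoke: a reporting role two hops below SYSADMIN that is held by forty analysts is exactly the kind of path that turns one stolen credential into account-wide access, and cutting the single role-to-role grant that creates it removes the path for all forty at once.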

In conclusion, the recent data theft incident in Snowflake environments underscores the critical importance of implementing robust security measures and proactive strategies to safeguard sensitive information in cloud services. By taking a comprehensive approach to security, companies can better protect their data and mitigate the risks posed by evolving cyber threats.

