More than a month after a spate of data thefts from Snowflake environments, the full scope of the incident has become clearer: at least 165 likely victims, more than 500 stolen credentials, and suspicious activity connected to known malware from nearly 300 IP addresses.
In June, the cloud data service provider washed its hands of the incident, pointing to the cybersecurity investigation report published by its incident response providers Google Mandiant and CrowdStrike, which found that 165 Snowflake customers had potentially been impacted by credentials stolen through information-stealing malware.
In a June 2 update, Snowflake confirmed that it found no evidence that a vulnerability, misconfiguration, breach, or stolen employee credential had led to the data leaks.
Snowflake urged its customers to ensure multifactor authentication is running on all accounts; to create network policy rules that limit IP addresses to known, trusted locations; and to reset Snowflake credentials.
Here are some additional defenses that security teams should consider to detect security failures in their Snowflake and other SaaS cloud services.
Collect Data on Accounts and Regularly Analyze It
Security teams first need to understand their SaaS environment and monitor that environment for changes.
In the case of Snowflake, the Snowsight web client can be used to collect data on user accounts and other entities - such as applications and roles - as well as information on the privileges granted to those entities.
Snowflake, for example, has five different administrative roles that customers can provision, according to SpecterOps, which analyzed potential attack paths in Snowflake.
The Snowflake access graph can become complex very quickly.
Because companies tend to overprovision roles, an attacker can gain capabilities through nonadministrative roles, says SpecterOps chief strategist Jared Atkinson.
Querying for users who have a password set (rather than the password value set to False, which prevents password-based authentication), and examining login history for which authentication factors were used, are two ways to detect suspicious or risky user accounts.
Provision User Accounts Through an ID Provider
With modern business infrastructure increasingly based in the cloud, companies need to integrate a single sign-on provider for every employee as the bare minimum to manage identity and access to cloud providers.
Companies need to make sure that their SSO is properly set up to securely connect through strong authentication mechanisms, and just as importantly, older methods need to be turned off, while applications that have been granted third-party access should at least be monitored, he says.
Snowflake supports the System for Cross-domain Identity Management to allow SSO services and software - the company specifically names Okta SCIM and Azure AD SCIM - to manage Snowflake accounts and roles.
Find Ways to Limit the Blast Radius of a Breach
The data leaks facilitated by Snowflake's complex security configurations may eventually rival, or even surpass, previous breaches.
At least one report discovered as many as 500 legitimate credentials for the Snowflake service online.
Limiting or preventing access from unknown Internet addresses, for example, can limit the impact of a stolen credential or session key.
In its latest update on June 11, Snowflake lists 296 suspicious IP addresses connected with information-stealing malware.
Finding other ways to limit the attack path to sensitive data is key, says SpecterOps' Atkinson.
Network policies can be used to allow known IPs to connect to a Snowflake account while blocking unknown Internet addresses, according to Snowflake documentation.
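The account-usage queries described above (users that still rely on a password, logins without a second factor, logins from addresses not seen before) together with the network policy the documentation describes, as an added example that is not from the article or from Snowflake's own documentation. It assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE share; the IP ranges are placeholders to replace with your own egress addresses.

```sql
-- Added example: Snowflake account-usage detection queries and a network policy.
-- Assumes a role (e.g. ACCOUNTADMIN) with access to SNOWFLAKE.ACCOUNT_USAGE.
-- IP ranges below are placeholders (RFC 5737 documentation ranges).

-- 1. Enabled users that can still authenticate with a password.
--    Key-pair-only users show HAS_PASSWORD = FALSE; anything TRUE is a
--    candidate for an infostealer-harvested credential.
SELECT name, login_name, last_success_login, has_rsa_public_key
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days that used a password alone
--    (no second factor), grouped by user, source IP and client type.
SELECT user_name, client_ip, reported_client_type,
       COUNT(*) AS logins, MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3
ORDER BY logins DESC;

-- 3. User/IP pairs first seen in the last 7 days that have no match in the
--    preceding 90-day baseline: a stolen credential used from a new host.
SELECT recent.user_name, recent.client_ip,
       MIN(recent.event_timestamp) AS first_seen
FROM snowflake.account_usage.login_history recent
LEFT JOIN snowflake.account_usage.login_history baseline
  ON  baseline.user_name = recent.user_name
  AND baseline.client_ip = recent.client_ip
  AND baseline.event_timestamp <  DATEADD(day, -7,  CURRENT_TIMESTAMP())
  AND baseline.event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
WHERE recent.event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND recent.is_success = 'YES'
  AND baseline.event_id IS NULL
GROUP BY 1, 2
ORDER BY first_seen DESC;

-- 4. Restrict the account to known egress addresses. Confirm the address you
--    are connecting from is in ALLOWED_IP_LIST before running ALTER ACCOUNT,
--    or the policy will lock out the session that applied it.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')  -- placeholders
  COMMENT = 'Only corporate egress may reach this account';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

Rows returned by queries 1 to 3 are the accounts to reset, enroll in MFA, or investigate against the IP list in Snowflake's June 11 update.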
This Cyber News was published on www.darkreading.com. Publication date: Wed, 03 Jul 2024 00:25:27 +0000