It’s been hard to miss all the circulating news around some…issues happening with customers of Snowflake, a very popular player in the realm of data warehouse vendors based out of Bozeman, Montana. They host and analyze an enormous amount of sensitive data, and can be considered quite a valuable target.
While the flavors of companies experiencing breaches seem to have no connection other than their usage of Snowflake, a very quiet thread can be traced through all the reports, and was substantiated in Mandiant’s recent technical write up.
Mandiant confirmed that the compromises of Ticketmaster, Santander Bank, and over 160 more organizations were the work of UNC5537, a financially motivated attacker who is now in possession of a treasure trove of data records. Credit card numbers, health information, or even trade secrets can be monetized or used for extortion.
The root cause here wasn’t stated to be a breach of Snowflake’s enterprise environment or a compromise of an employee, but rather stolen credentials. Some of these credentials dated back to 2020, and it’s suspected that many were gathered through exfiltrating malware. At the same time though, security researcher Kevin Beaumont has been very vocal about large gaps in the authentication design of Snowflake itself- network policies and MFA need to be enabled at the account and role level, which is manual and time-consuming.
Snowflake, like many other SaaS applications, operates under a shared responsibility model. They will make strides to secure your data on their end, but you are also responsible for enabling the appropriate security and access management controls. This is where things can go wrong quickly. If you aren’t knowledgeable around application specific configurations, don’t have a security team, or don’t know that the vendor isn’t fully securing your data, holes can be left and exploited.
Snowflake published an article sharing some quick and simple wins you can implement within your account to help further lock it down:
Multi-Factor Authentication (MFA)
In the world of authentication, credentials can get you far, but the enablement of multifactor authentication adds an additional layer of protection. This additional factor; whether it’s a code or a token, is something you have, but the credential stuffer doesn’t. MFA is like sliding the deadbolt so you can’t get in with just the key. These additional factors can be gathered with effort through social engineering, but it’s still considered a basic and helpful layer of defense. The recent Okta breach is a great example of effective MFA and device management in action.
All human user accounts should have MFA enabled or be managed through SCIM with Okta or another IDP. Service accounts can be trickier, but can be further protected with key-pair authentication, Snowflake OAUTH, or certificate-based authentication methods.
Network Policies
Snowflake Network Policies can be set at the user (role), integration (OAUTH), or network (IP) level. Organizations with VPNs or physical office locations are encouraged to set up policies that prohibit logins outside of those IPV6 ranges. It gets a little trickier when you have a partial or fully remote workforce - in these instances, it’s easiest to pair access pattern detections through your IDP with integration-level network policies to scope service accounts to a specific application through OAUTH.
Credential Rotation after Impact
Many of the credentials successfully used against these companies hadn’t been changed in years. While NIST no longer recommends frequent credential rotation, companies should be using long, complex passwords and storing and generating them in password managers. This significantly increases the effort needed to crack a login, while making it easier for users to not reuse the same password across multiple platforms.
If your company’s Snowflake instance was impacted, you are urged to update your credentials as soon as possible, and it may be worth looking into non-direct login options like SCIM or key-pair authentication.
The incredible success of this attack further highlights the need for increased focus on SaaS security, as this model can be easily and quickly pivoted to focus on other applications. Time and time again, we see companies brought to their knees by stolen credentials. When paired with a lack of multi-factor authentication or other basic misconfigurations and control gaps, it’s staggering to see how effective it can be. A strong foundational security program is key in today's threat landscape.
Add comment
Comments