Greater than a month after a spate of knowledge theft of Snowflake environments, the complete scope of the incident has turn out to be extra clear: not less than 165 probably victims, greater than 500 stolen credentials, and suspicious exercise linked to identified malware from practically 300 IP addresses.
In June, the cloud knowledge service supplier washed its fingers of the incident, pointing to the cybersecurity investigation report printed by its incident response suppliers Google Mandiant and CrowdStrike, which discovered that 165 Snowflake prospects had probably been impacted by credentials stolen by way of information-stealing malware. In a June 2 replace, Snowflake confirmed that it discovered no proof {that a} vulnerability, misconfiguration, breach, or stolen worker credential had led to the info leaks.
“[E]very incident Mandiant responded to related to this marketing campaign was traced again to compromised buyer credentials,” Google Mandiant acknowledged.
Snowflake urged its prospects to make sure multifactor authentication (MFA) is operating on all accounts; to create community coverage guidelines that restrict IP addresses to identified, trusted areas; and to reset Snowflake credentials.
These measures, nevertheless, are usually not sufficient, say consultants. Firms want to pay attention to how their SaaS assets are getting used and never depend on customers selecting safety over comfort.
“Should you construct a system that depends on people by no means failing, you then’ve constructed a extremely unhealthy system,” says Glenn Chisholm, co-founder and chief product officer at SaaS safety supplier Obsidian Safety. “Good engineers design programs that count on human failure.”
Listed below are some further defenses that safety groups ought to take into account to detect safety failures of their Snowflake and different SaaS cloud providers.
1. Gather Information on Accounts and Repeatedly Analyze It
Safety groups first want to grasp their SaaS surroundings and monitor that surroundings for modifications. Within the case of Snowflake, the Snowsight net consumer can be utilized to gather knowledge on person accounts and different entities — reminiscent of functions and roles — in addition to info the privileges granted to these entities.
The image that develops can shortly develop complicated. Snowflake, for instance, has 5 completely different administrative roles that prospects can provision, in keeping with SpecterOps, which analyzed potential assault paths in Snowflake.
The Snowflake entry graph can turn out to be complicated in a short time. Supply: SpecterOps
And, as a result of firms are inclined to overprovision roles, an attacker can achieve capabilities by way of nonadministrative roles, says SpecterOps chief strategist Jared Atkinson.
“Directors are inclined to extra simply grant entry to assets, or they grant barely extra entry than the person wants — assume admin entry as an alternative of write entry,” he says. “This may not be an enormous downside for one person with one useful resource, however over time, because the enterprise grows, it could actually turn out to be an enormous legal responsibility.”
Querying for customers who’ve a password set — versus the password worth set to False, which prevents password-based authentication — and taking a look at login historical past for which authentication components have been used are potential methods to detect suspicious or dangerous person accounts.
2. Provision Customers Accounts By an ID Supplier
With trendy enterprise infrastructure more and more primarily based within the cloud, firms have to combine a single sign-on supplier for each worker because the naked minimal to handle identification and entry to cloud suppliers. With out that degree of management — with the ability to provision and de-provision workers shortly — legacy assault floor space will proceed to hang-out firms, says Obsidian’s Chisholm.
As well as, firms have to be sure that their SSO is correctly set as much as securely join by way of robust authentication mechanisms, and simply as importantly, older strategies have to be turned off, whereas functions which were granted third-party entry ought to not less than be monitored, he says.
“Attackers are in a position so as to add a username and password to a credential, add the credential by way of a service account, and help you log into that service account, and nobody was monitoring this,” Chisholm says. “Nobody was monitoring these third-party entry accounts, these third get together connections … however all these interconnections, plus all those that builders have created, turn out to be this unimaginable floor space that you just get screwed by way of.”
Snowflake helps the System for Cross-domain Id Administration (SCIM) to permit SSO providers and software program — the corporate particularly names Okta SCIM and Azure AD SCIM — to handle Snowflake accounts and roles.
3. Discover Methods to Restrict the Blast Radius of a Breach
The information leaks facilitated by Snowflake’s complicated safety configurations might finally rival, and even surpass, earlier breaches. At the least one report found as many as 500 reputable credentials for the Snowflake service on-line. Limiting or stopping entry from unknown Web addresses, for instance, can restrict the affect of a stolen credential or session key. In its newest replace on June 11, Snowflake lists 296 suspicious IP addresses linked with information-stealing malware.
Discovering different methods to restrict the assault path to delicate knowledge is essential, says SpecterOps’ Atkinson.
“We all know from expertise and the main points of this explicit incident — the creds had been probably stolen from a contractor’s system and entry to that system might bypass all of Snowflake’s suggestions — that one can solely cut back the assault floor a lot,” he says. “A subset of attackers will nonetheless make it by way of. Assault-path administration will severely restrict an attacker’s means to entry and perform results in opposition to assets as soon as they’ve entry.”
Community insurance policies can be utilized to permit identified IPs to connect with a Snowflake account whereas blocking unknown Web addresses, in keeping with Snowflake documentation.
