In the last year, we have seen a sequence of breaches that have impacted major SaaS vendors, such as Microsoft and Okta. Snowflake has been in the news recently due to attacks targeted at customer-owned systems. As these risks rise, it is crucial for organizations to act swiftly and effectively to mitigate any potential threats. This guide documents steps you can take to assess & respond to any potential breaches.
Take the steps below to eliminate an immediate risk to your Snowflake environment. Review our accompanying blog to ensure ongoing security of your Snowflake environments.
Step 1: Immediately Shut Down High Risk Activity to Snowflake
Take the following steps to shut down potential threat activity and minimize breach impact.
A) Seal Potentially Risky Access Points
- Remove accounts with local access, placing them behind your Identity Provider (IDP). Attackers often create local access as backup pathways to access the system.
- Review every local account to ensure they are indeed needed.
- For any necessary local access, use client ID and secret for service accounts and Multi-Factor Authentication (MFA) for human accounts.
- Note: We discover local accounts at a vast majority of customer deployments and often these don’t have MFA enabled either – providing attackers an easy pathway.
B) Review Network Policies
- Reassess network policies, especially for highly privileged users and service accounts. Minimize any open pathways for attackers to access and exfiltrate information, especially using privileged accounts.
- Prioritize examining service accounts and highly privileged local users to prevent compromised accounts from extracting data.
C) Rotate Passwords and Credentials
- Rotate passwords of users with legitimate local access. Especially, change passwords for local accounts immediately to eliminate any access attackers may have using these accounts.
- Rotate credentials of service accounts. Remember that this requires appropriate communications to anyone or any service using these accounts as well.
D) Temporarily Suspend Accounts
- Suspend any service accounts or accounts created in the last 30 days, unless you have a specific reason documented for the account. As mentioned above, attackers often create backdoor accounts for persistence.
E) Suspend Recent Data Shares
- Review and suspend any data shares created in the last 30 days to prevent unauthorized data access – this follows the same reasoning as earlier – eliminate potential exfiltration pathways.
Some of these steps could be disruptive, so it’s prudent to document every change and communicate with business users as early and as often as necessary.
Step 2: Identify If You Are Compromised
A) Review Indicators of Compromise (IOCs)
- Examine suspicious and disclosed IOCs, including a broad IP list and specific clients like rapeflake and DBeaver_DBeaverUltimate running from Windows Server 2022. Snowflake has published a detailed set of IOCs in their knowledge base.
B) Review Abnormal Login Activity
- Analyze password-only logins for the last 30 days. If you are an Obsidian user, you can use the following OQL expression with the platform:
event:snowflake.LOGIN AND raw:”FIRST_AUTHENTICATION_FACTOR\”:\”PASSWORD” AND raw:”SECOND_AUTHENTICATION_FACTOR\”:\ null”
- Look for bruteforce activity and successful logins to identify potentially compromised accounts.
C) Review Recent Accounts and Activities
- As mentioned earlier, attackers often created other accounts as backup pathways. Examine service accounts and users created in the last 30 days, considering suspension until verified.
- If you are an Obsidian customer, use the user view filter for accounts created in the last 30 days.
- If you are an Obsidian customer, use the integration risk view filter for integrations created in the last 30 days.
- Review query history for activities against sensitive tables, data volume extraction, and any GRANT statements. Attackers tend to grant themselves extra privileges for data exfiltration.
D) Check Privileged Role Grants
- A simple change in privileges changes what the attackers have access to. Review accounts granted privileged roles in the last 30 days for any suspicious privilege escalation, matching the regex pattern:
^CREATE.*|^APPLY.*|^MANAGE.*|^EXECUTE.*|ATTACH POLICY|IMPORT SHARE|OVERRIDE SHARE RESTRICTIONS|DELETE
E) Examine New Data Shares
- Review new data shares created in the last 30 days with your organization to ensure their legitimacy.
Ongoing Security for Your Snowflake Environments
There are a few key steps you can take to ensure your Snowflake environments stay protected in the long run. It includes hardening the posture of your environments, governing the data movements and protecting the identities associated with Snowflake. Review this associated blog to learn the best steps you can take.
Next Steps
Remember that the steps above help you overcome the immediate risk. Ensure that you go beyond immediate steps to working on the long-term safety of your environment.
Obsidian has helped several organizations automate their workflows and ensure security of their Snowflake environments. To learn more about how Obsidian can help you or to get an assessment of your Snowflake deployment contact us today.
