Numerous Snowflake customers have reported cybersecurity incidents over the past weeks, pointing to Snowflake as a likely nexus. Separately, a threat actor group claims it breached Snowflake’s network and had access to hundreds of customers. Although Snowflake denies this claim, researchers have viewed sample data from the threat actor group and attested that it appears to be legitimate. One researcher noted that the sheer volume of even the sample data they were provided complicated the verification process.
Snowflake Incident Response Analysis
Incident response firms have issued a joint statement with Snowflake saying they had not identified signs of a central incident at Snowflake. However, they noted significant targeting of customer tenants, particularly those without MFA. Customers with known indicators of attack were contacted individually by Snowflake.
Be Aware of Third and Fourth+ Party Vendor Risks
Even if you do not use Snowflake, you can be assured that someone in your supply chain does. Snowflake helps customers manage the creation and operation of data lakes. By definition, these are intended to store vast troves of data. If you are a Snowflake customer, work with your data teams to identify the data stored in Snowflake. You should do this even if you were using MFA and following best practices for authentication.
Whether or not you use Snowflake, urge your vendor management team to reach out to your third parties and ask for exposure assessments. Specifically ask whether the data lake contains information that might be used to laterally move to other systems. This could include data like API keys.
Guidance and Next Steps for Snowflake IR
At this time, Snowflake (with the backing of two high-profile IR firms) is asserting that the incidents are related to customers deploying insecure defaults. They claim there is no breach of Snowflake itself.
This is a developing situation, and IANS is continuing to monitor it. Take appropriate steps to be ready to respond should a systemic incident at Snowflake be identified that impacts your data. Here is some high-level guidance to handle the situation and protect the org from potential breaches:
- Reset passwords and disable any inactive accounts. Ensure all developer accounts using Snowflake are protected with MFA (if they are not, enable it immediately).
- Snowflake has reached out to customers where suspicious activity was observed on the platform. If contacted, take the following actions to investigate and mitigate risk:
  - Analyze your logs, especially those relating to Snowflake, and determine whether you have observed any indicators or signs of potential intrusion. Snowflake has published indicators for threat actors targeting its platform.
  - Engage with vendor management teams to assess and contextualize your exposure through third and fourth+ parties who may be using Snowflake to process your data. Align cybersecurity and third-party risk management.
  - Consider treating any authentication material stored in Snowflake as compromised to prevent follow-on intrusions. If applicable, document the steps you are taking. If not applicable, document the criteria by which you assessed that authentication material as safe.
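As an added example (not from this post, from Snowflake, or from the IR firms' published guidance), the following Snowflake SQL implements the account-hygiene and log-review steps above against the SNOWFLAKE.ACCOUNT_USAGE views: users who can authenticate with a password but have no MFA enrolled, enabled accounts that have been idle for 90+ days, recent password-only logins summarised by source IP and client, a join of login sources against an indicator list, and the containment statements for an account that needs to be locked down. The indicator IP values are RFC 5737 placeholders to be replaced with the indicators Snowflake provided to your organization, and `<USER_NAME>` is a placeholder for the account being contained; a role with access to the ACCOUNT_USAGE schema is assumed.

```sql
-- Added example, not the post's or Snowflake's own code. Assumes a role that can read
-- SNOWFLAKE.ACCOUNT_USAGE (e.g. ACCOUNTADMIN). These views lag live activity by up to
-- a few hours, so pair them with real-time alerting rather than relying on them alone.

-- 1. Password-capable users with no MFA (Duo) enrolled. Users still holding a
--    password while also using SSO or key-pair auth show up here too.
SELECT name,
       disabled,
       has_password,
       has_rsa_public_key,
       ext_authn_duo      AS mfa_enrolled,
       password_last_set_time,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login NULLS FIRST;

-- 2. Enabled accounts idle for 90+ days, or never used: candidates to disable.
SELECT name, created_on, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  (last_success_login IS NULL
        OR last_success_login < DATEADD('day', -90, CURRENT_TIMESTAMP()));

-- 3. Successful password-only logins in the last 30 days, grouped by user,
--    source IP and reported client. A (user, IP, client) combination that has
--    never been seen before is the row to review first.
SELECT user_name,
       client_ip,
       reported_client_type,
       reported_client_version,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY 1, 2, 3, 4
ORDER  BY first_seen DESC;

-- 4. Login sources matched against an indicator list. The two addresses below are
--    RFC 5737 documentation placeholders; substitute the indicators supplied to you.
WITH indicators AS (
    SELECT column1 AS ioc_ip
    FROM   VALUES ('198.51.100.10'), ('203.0.113.25')   -- placeholders, not real IoCs
)
SELECT l.event_timestamp,
       l.user_name,
       l.client_ip,
       l.reported_client_type,
       l.first_authentication_factor,
       l.is_success
FROM   snowflake.account_usage.login_history l
JOIN   indicators i
  ON   l.client_ip = i.ioc_ip
ORDER  BY l.event_timestamp;

-- 5. Containment for an account flagged above (<USER_NAME> is a placeholder):
--    invalidate the current password, disable the account, and stop running work.
ALTER USER <USER_NAME> SET MUST_CHANGE_PASSWORD = TRUE;
ALTER USER <USER_NAME> SET DISABLED = TRUE;
ALTER USER <USER_NAME> ABORT ALL QUERIES;
```

Run queries 1 and 2 before any credential reset so the list of accounts you acted on is recorded, and keep the output of queries 3 and 4 with your incident documentation; it is the evidence behind the "applicable / not applicable" decision on treating authentication material as compromised.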
How IANS Faculty Expertise Benefits You
Cybersecurity today is faced with a myriad of complex challenges, and the IANS Faculty will help you make informed security decisions that protect your business. By focusing on the vendor takeaways in this Faculty piece, you can strengthen your organization’s security posture and your own.
Whether you need guidance on program direction, a tie-breaking opinion on architectural considerations, tool implementation advice, a comprehensive security assessment, a penetration test, or mapping controls to a regulatory standard, we are a trusted partner to provide the best decision support for your security team.
Our mission is to help you make better, faster decisions, grow professionally, and stay compliant. Get in touch with IANS to learn more about how we can help move your security program forward.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.