Get in touch
Log in

Use Cases

User onboarding

User data protection and residency

API and Workload identity

Identity Threat Detection and Response

Non-human identity management

Credential Rotation and Secretless Access

Protect non-federated applications

Pricing

Developers

Blog

Careers

1
Log in
Security

Protecting against Snowflake breaches

In the last few weeks several very high-profile breaches have been in the news, from Santander to Ticketmaster and AT&T.

These breaches all have the same attack vector: identity-based attacks against Snowflake instances.

In this article, we discuss the causes of the breach and our approach to protect against identity-based attacks against Snowflake.

Vincenzo Iozzo
Vincenzo Iozzo 15 Jul, 2024

Introduction

In the last few weeks, numerous Snowflake customers experienced very significant data breaches.

All the breaches were attributed to compromised credentials and the lack of multi-factor authentication (MFA) among customers.

The attackers utilized stolen credentials from various infostealer malware to gain access to sensitive data. High-profile companies such as Ticketmaster, Santander, Advance Auto Parts, and, most recently, AT&T were affected. The attackers believed to be the ShinyHunters group, are one of the more prolific groups involved in several high-profile breaches over the years.

Let’s dig deeper into Snowflake and how to prevent these breaches in the future.

The Snowflake identity model

Snowflake has 3 key identity and access concepts that form the backbone of IAM.

  1. Roles: They define a set of permissions that determine what actions a user or a group of users can perform within the Snowflake environment. Roles can be organized in a hierarchical manner, where roles can inherit permissions from other roles
  2. Users: Users in Snowflake represent individuals or entities that need access to Snowflake’s resources. Crucially, users can be used as “service accounts” through passwords and RSA key pairs.
  3. Service Integration: These represent integration with third-party systems, either via OAuth 2.0 or API keys. This is also how a Snowflake instance can be provisioned through a third-party IdP.

Notably, Snowflake natively supports only the following authentication methods for a User:

  1. Password
  2. RSA keys
  3. MFA via Duo

As discussed, from what is publicly known, all the breaches in the past few months show the same pattern: the attacker ran a credential-stuffing attack against Snowflake instances that weren’t protected by RSA.

Note, however, that this is the low-hanging fruit. More sophisticated attackers could target MFA-enabled accounts through AITM, MFA Fatigue, and several other attacks.

How can SlashID help

As we discussed in our previous article on NHI - at SlashID we believe that the Identity Security maturity model should follow a familiar pattern we have seen in endpoints and other security areas:

  1. Visibility
  2. Detection
  3. Remediation
  4. Prevention

Towards this end, we are happy to announce support for Snowflake in our Identity Security product.

Through SlashID you can:

  1. Visualize and collect all roles, users, and service integrations for all your Snowflake instances
  2. Detect identity-based attacks or lateral movement
  3. Prevent and remediate by rotating credentials and dropping privileges
identity list

In particular, SlashID can detect several attack patterns, including:

  1. The provisioning of malicious users or integrations
  2. Credential stuffing attempts
  3. Authentication attempts from malicious or suspicious IP addresses, times of the data, and locations
  4. Overprivileged accounts
  5. Stale accounts and credentials
user detail

Beyond detections, SlashID can help rotate credentials, suspend/block users, turn on MFA, and, update roles.

Conclusion

Snowflake contains some of the most sensitive user data a company has and it’s a very complicated system to secure properly, reach out to us to see how SlashID can help secure your Snowflake instances.

Found this article useful to your project?

Let's chat about it.

Get in touch

Related articles

Identity Security: The problem(s) with federation
Security

Identity Security: The problem(s) with federation

Federating trust with an identity provider (IdP) is common practice to centralize identity governance.

Vincenzo Iozzo
Vincenzo Iozzo
· 30 Sep, 2024
Non-Human Identities Security: Breaking down the problem
Security

Non-Human Identities Security: Breaking down the problem

Compromised non-human identities are increasingly being leveraged by attackers to gain initial access and as a vector for lateral movement.

Vincenzo Iozzo
Vincenzo Iozzo
· 16 Sep, 2024
ODPR: A Framework for Securing Non-Human Identities
Security

ODPR: A Framework for Securing Non-Human Identities

Identity-based attacks have become the primary way attackers move laterally in a network. They are also responsible for half of the initial intrusions.

Ben Reinheimer
Ben Reinheimer
· 17 Jun, 2024
SlashID /Identity at scale
••••••••••••••••••••••

Secure your identities

The identity stack to protect users and non-human identities.

Get in touch