Safeguarding Your Snowflake Environment from Identity Attacks

In the digital age, data is a priceless asset, and the security of this data is paramount. As you may have heard the Mandiant uncovered a threat campaign targeting Snowflake customer instances, revealing the sinister activities of a financially motivated threat actor group tracked as UNC5537. Let’s dive into the details and explore how to protect your organization from such threats.

The UNC5537 Threat Campaign

UNC5537 has exploited vulnerabilities in Snowflake customer environments, primarily using stolen credentials obtained through infostealer malware. These stolen credentials, often valid for years due to poor key management practices, have been the linchpin of their attack strategy. The threat actors gained unauthorized access, exfiltrated valuable data, and subsequently attempted to sell this data on cybercriminal forums.

Mandiant’s investigation highlighted three critical factors that contributed to the success of these attacks:

1. Lack of Multi-Factor Authentication (MFA): Many affected accounts didn’t have an MFA enabled, making it easy for attackers to gain access with just a valid username and password.
2. Stale Credentials: Credentials stolen years ago were still in use, and they had not been rotated or updated, providing attackers with a direct route into the systems.
3. Absence of Network Allow Lists: Snowflake customer instances lacked network allow lists, permitting access from untrusted locations.

The Importance of Identity and Access Hygiene

The UNC5537 campaign underscores the critical importance of identity and access hygiene. Here are some best practices to mitigate such threats:

1. Enable Multi-Factor Authentication (MFA): Ensure MFA is enabled for all accounts to add an extra layer of security.
2. Regular Credential Rotation: Regularly rotate credentials and avoid using static keys. Implement policies for automatic expiration and renewal.
3. Network Allow Lists: Configure network allow lists to restrict access to trusted IP addresses only.
4. Real-Time Access Reviews: Conduct dynamic, risk-based access reviews to ensure that permissions and entitlements are necessary and safe.

This attack highlights the need to reassess Identity Provider (IDP) infrastructures, especially as new applications, data platforms, and AI advancements drive a multi-IDP era.

Imagine the multi-IDP era as a network of interconnected nature trails in the beautiful state of California, each ending in a stunning ocean vista. A user or attacker begins their journey at Workday, winding through trails like Okta, Active Directory, AWS IAM, Azure RBAC, Snowflake, Databricks, MongoDB, and more. Along this path, a regular user in Workday may have “God-like” privileges in Snowflake. How do we know this? How are these identities linked?

Each IDP introduces its silos of identity security processes. The challenge is understanding identity control plane risks across this complex trail. To address this, consider the following steps:

1. Unified Identity Visibility: Gain comprehensive visibility into all identity populations across different IDPs.
2. Identity Analytics: Utilize analytics to identify exposures, weak MFA configurations, and other vulnerabilities.
3. Continuous Governance: Implement continuous monitoring and governance controls to manage identity risks effectively.

Moving Forward: A Call to Action

The fallout from the UNC5537 campaign is still unfolding, but it has provided valuable lessons for improving identity security. As organizations increasingly adopt cloud platforms and modern applications, it’s crucial to rethink identity control planes for better security and simplified management.

The tactical response might be to enable MFA or invest in an Identity Posture solution. Yes, that is needed. However, the problem demands a deeper look. Why are customers managing identities inside Snowflake versus Okta? Because that’s what the application ecosystem demands. Modern applications need a fundamental rethink of the identity control plane for unified visibility, exposure detection, and continuous governance.

At Stack Identity, we are committed to innovating solutions that enhance security in multi-IDP environments. By focusing on unified visibility, exposure identification, identity security, and continuous governance, we aim to help organizations stay ahead of evolving threats.