The recent breaches involving Snowflake tenants have sent ripples across organizations worldwide and within the IT and security teams that strive to protect them.
Incidents involving the cloud data warehousing platform highlight the critical need for robust identity security measures to protect sensitive data and limit unauthorized access. In this blog, you'll learn practical steps to reduce your risk of similar identity-based attacks.
In the Snowflake breach, financially motivated attackers set out to steal data and extort their victims. According to statements from Snowflake, "We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform."
Rather, the identity-based attack leveraged compromised customer credentials purchased from cybercrime forums or obtained through information-stealing malware. The statement further said nefarious activity is directed against Snowflake customers with single-factor authentication. This type of pattern is a typical example of the identity attack chain (see diagram below) in action.
While Snowflake publicly shared information in June 2024, the attack is believed to have started in April, much longer than the typical dwell time between initiation and detection. Reports indicate that the sensitive data of 165 Snowflake customers has been exposed.
To fortify your defenses and reduce the impact of cyber incidents like those affecting Snowflake tenants, here are some steps you can take:
Leaked credentials, such as passwords, are a common entry point for attackers. Regularly scanning for known leaked credentials helps identify compromised accounts before they can be exploited. By integrating automated tools that check for these leaks, you can take swift action to secure vulnerable accounts and prevent unauthorized access.
Multi-factor authentication (MFA) is a critical identity security measure that adds an extra layer of protection to any access request. Ensuring that all users have MFA enabled reduces the risk of account hijacking, even if credentials are compromised. Enforce MFA at depth, meaning at all interactions along the identity-attack chain, including initial log-in and privilege elevation. Regularly auditing your user base for MFA compliance can significantly enhance your security posture.
Abnormal identity behavior can be a strong indicator of a hijacked privileged account or set of valid credentials. Implementing behavioral analytics to monitor for unusual activities, such as login attempts from unfamiliar locations or login attempts at odd hours, allows you to detect and respond to potential threats in real time.
People who leave the organization but retain access to systems pose a significant security risk. Ensuring a thorough offboarding process, which includes revoking access to all systems and applications, is crucial. Automated tools can help identify and alert you about any "leavers" who still have active access.
Unused access, often from former employees, contractors/vendors who have completed their work, or unused service accounts, creates unnecessary vulnerabilities. Privileged Access Management (PAM) Solutions allow you to set timeframes so that access expires automatically, and you avoid the risk of standing access. In addition, regularly reviewing and removing access for users who no longer need it minimizes your attack surface and reduces the risk of unauthorized access.
Inactive privileged accounts are prime targets for attackers. By disabling accounts that have not been used for a specified period, you reduce the number of potential entry points for malicious actors. Automated processes can help you discover and deactivate these accounts efficiently.
Many organizations use third-party applications, like Snowflake, which require privileged access. Privileged access is an elevated level of permission given to administrators so they can manage the system. Continuously discovering and managing this access ensures that only authorized users have the necessary permissions. Regular audits help protect sensitive data and remove unneeded access, preventing potential breaches.
Delivered on the Delinea Platform as part of an intelligent, centralized identity security solution are two offerings designed to provide comprehensive security coverage and automate the proactive measures as discussed above:
Identity Threat Protection helps detect and respond to identity-related threats in real time by monitoring for abnormal behavior, scanning for leaked credentials, and ensuring that inactive or unused accounts are promptly deactivated. This capability is often referred to as Identity Threat Protection and Response (ITDR).
Privileged Control for Cloud Entitlements provides continuous discovery of privileged access across cloud service providers, ensuring that access permissions are always up-to-date and that former employees' access is revoked swiftly. Entitlements of human and machine identities in cloud provider environments are discovered, monitored, and removed when no longer needed. This capability is often referred to as Cloud Identity Entitlement Management (CIEM).
The security measures outlined are available as part of Delinea's solutions, enabling you to achieve a higher level of security without extensive manual effort. These tools work together in the Delinea Platform to provide a robust defense helping to thwart breaches like the one that recently impacted Snowflake customers.