Watching the recent Snowflake customer attacks unfold felt a bit like rewatching a horror movie with predictable attack sequences and missed opportunities to run to safety. But this time, the ending was far more devasting. More than 100 organizations were exposed, and many are now grappling with the impacts of data theft and extortion in what some are calling one of the largest breaches in history.
As I reflect on the widely publicized incident, I keep coming back to the data. Data is what your organization is built on, what sets you apart. How you secure (or fail to secure) your data can dictate your fate. Because threats don’t always knock directly on your door, increasingly, they reach into your tangled web of providers and partners to get to you. To protect your data – the lifeblood of your digital business – you’ve got to think bigger than your own organization. My top three takeaways from the Snowflake attacks reflect this reality.
1. Info stealers are everywhere – and can cause rippling damage. The ShinyHunters group recently claimed responsibility for the Snowflake campaign, alleging that they gained access to organizations’ Snowflake accounts with the help of info stealer malware and an unsuspecting third-party contactor. Snowflake has not publicly confirmed this claim. However, its incident response partners stated that “stolen credentials obtained from multiple info stealer malware infections on non-Snowflake-owned systems were the point of entry for the attacks.”
Info stealers – malware designed to steal sensitive information – are widely used in credential-based attacks because they’re cheap, readily available and don’t require much technical know-how. Threat actors banking on poor password practices can purchase logs stolen by info stealers to launch targeted attacks that can ripple across supply chains. In the case of Snowflake, they hit the jackpot. Investigators found that 80% of the accounts used in the campaign had prior credential exposure – and linked some credentials to infections back in 2020. If that doesn’t prompt organizations to beef up password policies for their employees and third-parties, what will?
2. MFA isn’t optional. Period. Many of these identity-based attacks compromised Snowflake user accounts because the accounts did not require multi-factor authentication (MFA).
Inadequately protected credentials are (still) low-hanging fruit for attackers. As the threat landscape continues to evolve rapidly, MFA is a critical identity security layer, not a “nice to have.” Unfortunately, too many organizations have learned this the hard way, with 25% making (or increasing) investments in MFA and high assurance after an identity-related breach.
Breaking this cycle must start with increased SaaS provider support and can succeed with consistent customer follow-through. Delivering secure solutions isn’t enough; critical SaaS vendors must also empower customers with the right controls and best practices to help them make sound security decisions. For example, SaaS customers should be able to mandate MFA for all user accounts, forgo SMS push notifications for more secure authentication methods to thwart MFA bypass attacks and utilize biometrics to limit the effects of info stealers. In turn, these customer organizations must implement these advanced security controls consistently to reduce the most risk possible.
3. Default encryption keys jeopardize data security. Lax identity security practices reportedly ignited this recent firestorm of attacks, while data security missteps fanned the flames. Specifically, numerous organizations relied on default encryption keys to protect their data within Snowflake’s platform instead of bringing their own keys.
Bring your own key (BYOK) is a widely accepted best practice for preserving security and centralized control of encrypted data. With BYOK, the customer creates and manages their own encryption keys for the application’s underlying cloud infrastructure (e.g., AWS, Google Cloud or Microsoft Azure). This gives the customer greater control over who and what can access their data within the application, full ownership of the data lifecycle and the ability to revoke the SaaS provider’s access to the keys when required. If an attacker manages to compromise the SaaS provider – directly or indirectly – the customer’s data will remain encrypted and unintelligible.
Five Steps to Strengthen Data Security in an Interconnected World
A compromise on one party can lead to a compromise on all. Is your organization prepared for the fallout? In the wake of the Snowflake customer attacks, here are six recommendations for enhancing cyber resilience across your supply chain so you’re ready to face whatever comes next – wherever it comes from:
- Raise the bar for credential theft. Today’s thriving info stealer market further proves that passwords are the weakest link in the security chain. Make a game plan to secure all employee credentials and enforce an enterprise-wide password policy if you haven’t already done so. Stay current on emerging tactics, techniques and procedures (TTPs) involving info stealer malware and incorporate this threat intelligence into regular cybersecurity training. It may also be a good time to explore how passkeys could help your organization eliminate passwords from authentication workflows.
- Strengthen third-party authentication with PAM. Every cloud service provider, SaaS provider and third-party you bring into your digital ecosystem exponentially increases your risk. Your identity security strategy must account for them all. Implement phishing-resistant MFA for outside parties with access to your sensitive data and infrastructure. Mirror privileged access management (PAM) best practices established for internal purposes – such as storing privileged identities in a secure repository, isolating and monitoring sessions and provisioning just-in-time (JIT) access – to strengthen third-party authentication. Consider a vendor PAM solution that ties into your organization’s existing enterprise PAM solution to help improve efficiency and make it easier to apply policies consistently.
- Bring your own key (BYOK). When evaluating cloud-based solutions – particularly those involving your sensitive information – make sure they support BYOK for data encryption. While BYOK isn’t completely fail-safe, it’s an additional security layer that could potentially halt a dangerous chain reaction through the digital supply chain.
- Reduce complexity and gain visibility with SaaS security. Organizations are struggling to maintain visibility across disparate environments. This isn’t due to a lack of cybersecurity tools; 94% already use more than 10 identity-related vendors. Create a plan to consolidate your vendor stack (this may involve deprecating legacy systems) to the best tools for your environment. During this exercise, you may find that SaaS security is the right fit for your business. SaaS security offerings can help you centrally monitor business-critical SaaS programs and systems and gain full visibility on things like risky configurations and potential vulnerabilities. Armed with actionable insights, you can take the proper steps – in the right priority order – to decrease the attack surface.
- Assess critical vendors regularly. The visibility gap extends deep into the digital ecosystem, where risk from third- and fourth-party providers is challenging to evaluate regularly. Instead of trying to do everything all at once, use a SaaS tool or establish a process to prioritize your most critical vendors – those who interact with your most sensitive data and assets. Then, establish a regular cadence for complete risk assessments and validation. Once a year is typically a good starting point.
An Incident Response Worth Rewatching
The Snowflake breach reminds us that no organization is immune to attacks while reinforcing the need for constant vigilance at both organizational and digital ecosystem levels. Throughout these difficult weeks, the Snowflake team acted swiftly and communicated transparently. I commend them for their response and the work they’re doing to advance customer cybersecurity protections. May their efforts help fuel a broader push toward security and resiliency standards for all critical SaaS vendors – for the benefit of all.
Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.