The Snowflake Snowball of Data Breaches: A Wake-Up Call for SaaS-Identity Security
As the fallout from the Snowflake attack continues to develop, ensuring multi-factor authentication across an organization is essential.


Imagine waking up to find that your company’s data might be part of one of the largest breaches in history. On June 2nd, Snowflake, a leading data-warehouse SaaS used by nearly ten thousand customers including giants like AT&T, CapitalOne, Mastercard, and NBC Universal, revealed a potential breach. Partnering with cybersecurity experts CrowdStrike and Mandiant (part of Google Cloud), Snowflake announced an investigation into a targeted campaign that could redefine the scale of data breaches. Snowflake's security troubles continue to escalate, with reports of at least 165 victims affected as of June 24, including major companies like Ticketek Australia and Advance Auto Parts. Notably, a hacker from the ShinyHunters group claimed they accessed Snowflake's systems through compromised third parties.

As the investigation continues, Snowflake has stated that the breach reflects customer security practices rather than a vulnerability in its own platform. A significant factor? The failure to enable multi-factor authentication (MFA), which left accounts protected by nothing more than a password and therefore exposed to phishing, credential stuffing, and credential theft. Snowflake is now urging all customers to enforce MFA and other security controls.

Let’s delve into what we know so far and what this means for the future of SaaS-identity security.

Preliminary Findings: An Expansive Attack

So far, the investigation has unveiled critical insights:

The first known sale of stolen Snowflake data occurred on May 24. Snowflake disclosed the breach on May 30, offering guidance to customers. The company suspects infostealer malware as the source of the stolen credentials, though why so many Snowflake accounts were targeted so quickly remains unexplained. The investigation continues.

  • Widespread Impact: High-profile victims like LendingTree, Santander and Ticketmaster have been named, with Ticketmaster’s breach potentially affecting over half a billion users.
  • Credential Exploitation: Attackers reportedly used credentials for a Snowflake employee’s ServiceNow account, bypassing single sign-on controls. Those credentials reportedly gave insight into potential targets, underscoring the attackers’ focus on businesses’ authentication processes.

Dissecting the Attack: Tactics, Techniques, and Procedures

To grasp the Snowflake attack, we must understand the tactics, techniques, and procedures (TTPs) involved, as mapped against the MITRE ATT&CK SaaS matrix:

Initial Access

Attackers gain their foothold by acquiring legitimate user accounts through methods such as:

  • Compromised Credentials: Buying previously exposed usernames and passwords on criminal marketplaces.
  • Phishing: Sending deceptive emails to harvest credentials and other sensitive information.
  • Infostealer Malware: Deploying malware that harvests saved passwords and financial data from infected machines.

Account Access

Exploiting legitimate user accounts to infiltrate cloud-based services is a common tactic. Techniques include:

  • Credential Stuffing: Using automated tools to replay stolen username/password pairs against the login endpoint until one works.
  • Token Theft: Stealing SAML assertions or session tokens to get in as an already-authenticated user, which sidesteps the login step (and any MFA prompt) altogether.
  • Lack of MFA: Without MFA, a stolen password is sufficient on its own; attackers log in as the user and move through the environment with that user’s privileges.

The Shared Security Responsibility Model for SaaS

The Snowflake breach underscores the importance of adopting a shared responsibility model for SaaS security:

  • Service Provider Responsibilities: Securing the underlying infrastructure, maintaining compliance, and ensuring the software is free of vulnerabilities and defects that would allow unauthorized access.
  • Customer Responsibilities: Configuring data and access controls, enforcing the desired authentication (e.g. SSO and MFA) on every account that can log in, and auditing accounts and login activity regularly.
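The customer-side audit above, and the credential-stuffing and MFA-bypass patterns from the Account Access section, can be turned into concrete checks over the account's own login telemetry. The following is an added example written for this article, not code from Snowflake, Mandiant or Savvy. Its field names mirror Snowflake's SNOWFLAKE.ACCOUNT_USAGE views USERS and LOGIN_HISTORY so the logic ports to SQL, but every row is constructed sample data, and the thresholds (five distinct usernames within ten minutes, 90 idle days) are assumptions to tune per environment.

```python
"""Identity-hygiene checks over Snowflake-style account-usage records.
Added example for this article, not code from Snowflake, Mandiant or Savvy.
Field names mirror SNOWFLAKE.ACCOUNT_USAGE.USERS / LOGIN_HISTORY so the logic
ports to SQL; all rows below are constructed sample data, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 24)  # assumed "current" time for the dormancy check

# Constructed rows shaped like ACCOUNT_USAGE.USERS (EXT_AUTHN_DUO = built-in Duo MFA enrolled).
USERS = [
    dict(NAME="ALICE",   HAS_PASSWORD=True,  EXT_AUTHN_DUO=True,  DISABLED=False, LAST_SUCCESS_LOGIN=datetime(2024, 6, 20)),
    dict(NAME="BOB",     HAS_PASSWORD=True,  EXT_AUTHN_DUO=False, DISABLED=False, LAST_SUCCESS_LOGIN=datetime(2023, 11, 2)),
    dict(NAME="ETL_SVC", HAS_PASSWORD=True,  EXT_AUTHN_DUO=False, DISABLED=False, LAST_SUCCESS_LOGIN=datetime(2024, 6, 22)),
    dict(NAME="CAROL",   HAS_PASSWORD=False, EXT_AUTHN_DUO=False, DISABLED=False, LAST_SUCCESS_LOGIN=datetime(2024, 6, 23)),  # SSO only
    dict(NAME="OLD_DEV", HAS_PASSWORD=True,  EXT_AUTHN_DUO=False, DISABLED=True,  LAST_SUCCESS_LOGIN=datetime(2023, 1, 5)),
]

def _login(ts, user, ip, first, second, ok, client="JDBC_DRIVER"):
    """One constructed row shaped like ACCOUNT_USAGE.LOGIN_HISTORY."""
    return dict(EVENT_TIMESTAMP=ts, USER_NAME=user, CLIENT_IP=ip, REPORTED_CLIENT_TYPE=client,
                FIRST_AUTHENTICATION_FACTOR=first, SECOND_AUTHENTICATION_FACTOR=second,
                IS_SUCCESS="YES" if ok else "NO")

T0 = datetime(2024, 6, 22, 3, 0)
LOGINS = [
    _login(T0, "ALICE", "10.1.1.5", "SAML2_ASSERTION", None, True, "SNOWFLAKE_UI"),
    _login(T0 + timedelta(minutes=1), "ALICE", "10.1.1.5", "PASSWORD", "DUO_PUSH", True, "SNOWFLAKE_UI"),
    # One source (RFC 5737 test address) replays a credential list against many usernames ...
    *[_login(T0 + timedelta(minutes=2, seconds=10 * i), u, "203.0.113.7", "PASSWORD", None, False)
      for i, u in enumerate(["ADMIN", "SVC_LOAD", "BOB", "REPORTING", "DBA", "JDOE"])],
    # ... then lands on a service account that has a password and no MFA.
    _login(T0 + timedelta(minutes=4), "ETL_SVC", "203.0.113.7", "PASSWORD", None, True),
    # A single mistyped password from a normal client: noise, not an attack.
    _login(T0 + timedelta(hours=5), "ALICE", "10.1.1.5", "PASSWORD", None, False, "SNOWFLAKE_UI"),
]

def password_users_without_mfa(users):
    """Audit: enabled accounts that can log in with a password but have no MFA enrolled.
    A stolen password alone takes these over. SSO-only users (no password) are not listed."""
    return sorted(u["NAME"] for u in users
                  if u["HAS_PASSWORD"] and not u["EXT_AUTHN_DUO"] and not u["DISABLED"])

def dormant_users(users, now=NOW, max_idle_days=90):
    """Audit: enabled accounts with no successful login for max_idle_days (offboarding candidates)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u["NAME"] for u in users if not u["DISABLED"] and u["LAST_SUCCESS_LOGIN"] < cutoff)

def password_only_successes(logins):
    """Detection: successful logins with a password and no second factor, i.e. direct
    logins that went around both SSO and MFA. Returns sorted (user, ip) pairs."""
    return sorted({(l["USER_NAME"], l["CLIENT_IP"]) for l in logins
                   if l["IS_SUCCESS"] == "YES" and l["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                   and l["SECOND_AUTHENTICATION_FACTOR"] is None})

def credential_stuffing_sources(logins, min_distinct_users=5, window=timedelta(minutes=10)):
    """Detection: source IPs whose failed password logins hit >= min_distinct_users distinct
    usernames inside a sliding window. One IP spraying many usernames in a short burst is
    a credential list being replayed; one user failing repeatedly is not. Returns {ip: users}."""
    failures = defaultdict(list)
    for l in logins:
        if l["IS_SUCCESS"] == "NO" and l["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD":
            failures[l["CLIENT_IP"]].append((l["EVENT_TIMESTAMP"], l["USER_NAME"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targeted = {u for ts, u in events[i:] if ts - start <= window}
            if len(targeted) >= min_distinct_users:
                flagged[ip] = sorted(targeted)
                break
    return flagged

def stuffing_followed_by_success(logins, **kw):
    """Top-priority finding: a flagged stuffing source that later got a password-only success.
    Returns [(ip, user)] in event order; each one is a likely account takeover."""
    sources = credential_stuffing_sources(logins, **kw)
    return [(l["CLIENT_IP"], l["USER_NAME"])
            for l in sorted(logins, key=lambda l: l["EVENT_TIMESTAMP"])
            if l["CLIENT_IP"] in sources and l["IS_SUCCESS"] == "YES"
            and l["SECOND_AUTHENTICATION_FACTOR"] is None]

if __name__ == "__main__":
    print("password, no MFA :", password_users_without_mfa(USERS))
    print("dormant          :", dormant_users(USERS))
    print("password-only OK :", password_only_successes(LOGINS))
    print("stuffing sources :", credential_stuffing_sources(LOGINS))
    print("stuffing -> login:", stuffing_followed_by_success(LOGINS))
```

Two caveats when running the equivalent queries against a real account: EXT_AUTHN_DUO only reflects Snowflake's built-in MFA, so users whose MFA is enforced at the identity provider show as False, which is why the audit restricts itself to accounts that can still log in with a local password (exactly the accounts a leaked infostealer log unlocks); and the stuffing threshold should be set from a baseline of normal failure rates, since a shared egress IP for a large office will legitimately produce failures from several distinct users.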

Strengthening Cybersecurity with Savvy

The Snowflake attack shows poor identity hygiene to be a major vulnerability and underscores the need for robust SaaS security practices. Tools like Savvy can significantly enhance security by:

  • Detecting SSO Bypass and Direct Logins: Flagging direct (local-password) logins to applications that should only be reached through SSO.
  • Identifying Apps Without MFA Configuration: Continuously validating that MFA is enabled and actually enforced.
  • Detecting Dormant Accounts and Automating Offboarding: Identifying inactive accounts and offboarding them promptly.
  • Identifying Weak, Reused, or Compromised Credentials: Providing visibility and prompting users to improve password hygiene.
  • Finding and Fixing Toxic Combinations of Risks: Correlating individually minor risks into the combinations that add up to a major exposure, and taking automated action.

Savvy’s identity-first approach helps organizations manage their SaaS environments effectively. By discovering weak authentication controls, evaluating toxic access combinations, and streamlining compliance processes, Savvy integrates SaaS-identity security into your overall IT strategy.
