Mandiant Threat Hunting Guide for Snowflake: ALTR Summary

Recently, a significant data exfiltration event targeting Snowflake customer databases came to light, orchestrated by a financially motivated threat actor group, UNC5537. This group successfully compromised numerous Snowflake customer instances, resulting in data theft and extortion attempts. It's important to note that Mandiant's thorough investigation found no evidence suggesting that the cyber threats originated from Snowflake's own environment. Instead, every incident was traced back to compromised customer credentials. 

In this blog post, we’ll dive into the key takeaways from Mandiant’s investigation. We’ll also share some actionable insight to bolster your data security – because staying alert and proactive is your best defense in safeguarding your organization’s data integrity.  

Key Findings 

Credential Compromise

The attacks primarily involved the use of stolen customer credentials, leading to unauthorized access and data theft. 

Threat Hunting Guidance

Mandiant provided comprehensive threat hunting queries to detect abnormal and malicious activities, which are crucial for identifying potential incidents. 

Common Attack Patterns

  • Roles and Permissions Changes: Attackers frequently used the SHOW GRANTS command to enumerate resources and adjust permissions, enabling broader access. 
  • Abnormal Database Access: Unusual spikes in access to databases, schemas, views, and tables were noted, indicating potential reconnaissance or data exfiltration activities. 
  • User and Query Analysis: Identifying patterns in user creation, deletion, and query frequencies helped in detecting anomalous behaviors. 
  • Error Rate Analysis: High error rates in query executions often indicated brute force attempts or misconfigured accounts used by attackers. 
  • High Resource Consumption: Large volumes of data queries and compression activities were linked to data staging and exfiltration efforts. 
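As an added example (not code from the page or from Mandiant's guide), the Python below applies three of the patterns above to constructed rows shaped like SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY: SHOW GRANTS enumeration per user, per-user error rate, and compressed unloads to a stage or very large scans. The thresholds, user names and query texts are assumptions, not values taken from Mandiant's queries.

```python
import re
from collections import Counter, defaultdict

# Constructed sample rows (not real telemetry). Field names mirror columns of
# SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY so the same logic can run on an export.
SAMPLE_ROWS = [
    {"USER_NAME": "ANALYST1", "EXECUTION_STATUS": "SUCCESS", "BYTES_SCANNED": 2_000_000,
     "QUERY_TEXT": "SELECT region, SUM(amount) FROM SALES.PUBLIC.ORDERS GROUP BY 1"},
    {"USER_NAME": "ANALYST1", "EXECUTION_STATUS": "SUCCESS", "BYTES_SCANNED": 0,
     "QUERY_TEXT": "SHOW GRANTS TO ROLE ANALYST_RO"},
] + [  # one service account enumerates grants across databases (the pattern above) ...
    {"USER_NAME": "SVC_REPORT", "EXECUTION_STATUS": "SUCCESS", "BYTES_SCANNED": 0,
     "QUERY_TEXT": f"SHOW GRANTS ON DATABASE {db}"} for db in ("SALES", "HR", "FINANCE", "CRM")
] + [  # ... accumulates failures on objects it lacks privileges for ...
    {"USER_NAME": "SVC_REPORT", "EXECUTION_STATUS": "FAIL", "BYTES_SCANNED": 0,
     "QUERY_TEXT": f"SELECT * FROM {t}"} for t in ("HR.PUBLIC.SALARIES", "HR.PUBLIC.PAYROLL",
     "FINANCE.PUBLIC.LEDGER", "FINANCE.PUBLIC.INVOICES", "CRM.PUBLIC.CONTACTS")
] + [  # ... then unloads a whole table, compressed, to a stage.
    {"USER_NAME": "SVC_REPORT", "EXECUTION_STATUS": "SUCCESS", "BYTES_SCANNED": 60_000_000_000,
     "QUERY_TEXT": "COPY INTO @tmp_stage/export FROM (SELECT * FROM SALES.PUBLIC.CUSTOMERS) "
                   "FILE_FORMAT = (TYPE = CSV COMPRESSION = GZIP)"},
]

SHOW_GRANTS = re.compile(r"^\s*SHOW\s+GRANTS\b", re.IGNORECASE)
UNLOAD = re.compile(r"^\s*COPY\s+INTO\s+@", re.IGNORECASE)        # unload to a stage
COMPRESSED = re.compile(r"\bCOMPRESSION\s*=\s*(?!NONE\b)\w+", re.IGNORECASE)

def hunt(rows, grants_min=3, error_rate_min=0.5, min_queries=4, bytes_min=10_000_000_000):
    """Return {user: findings} for grant enumeration, error rate and heavy unloads.
    Thresholds are illustrative assumptions; tune them against your own baseline."""
    grants, total, failed, heavy = Counter(), Counter(), Counter(), defaultdict(list)
    for r in rows:
        user, q = r["USER_NAME"], r["QUERY_TEXT"]
        total[user] += 1
        failed[user] += r["EXECUTION_STATUS"] != "SUCCESS"
        grants[user] += bool(SHOW_GRANTS.match(q))
        # A compressed unload to a stage, or a very large scan, marks data staging.
        if (UNLOAD.match(q) and COMPRESSED.search(q)) or r["BYTES_SCANNED"] >= bytes_min:
            heavy[user].append(q[:60])
    findings = defaultdict(dict)
    for user, n in grants.items():
        if n >= grants_min:
            findings[user]["grants_enumeration"] = n
    for user, n in total.items():
        if n >= min_queries and failed[user] / n >= error_rate_min:
            findings[user]["error_rate"] = round(failed[user] / n, 2)
    for user, qs in heavy.items():
        findings[user]["heavy_unload"] = qs
    return dict(findings)
```

Running `hunt(SAMPLE_ROWS)` flags only SVC_REPORT, on all three heuristics; a single SHOW GRANTS by ANALYST1 stays below the threshold, which is the point of counting per user rather than alerting on each command.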

4 Critical Recommendations to Enhance Snowflake Security 

Given these findings, it's imperative for Snowflake users to bolster their security measures. Here are some critical steps: 

  • Implement Multi-Factor Authentication (MFA): Ensure MFA is enabled for all user accounts to prevent unauthorized access even if credentials are compromised. 
  • Regular IAM Reviews: Conduct frequent reviews of roles and permissions to detect and mitigate any unauthorized changes. 
  • Enhanced Monitoring: Use advanced monitoring tools such as database activity monitoring (DAM) to track abnormal access patterns, high error rates, and unusual resource consumption. 
  • Threat Hunting Practices: Regularly perform threat hunting exercises using the guidance provided by Mandiant to stay ahead of potential issues. 

Ask Yourself these Questions  

As you reflect on the recent incidents, it’s crucial to consider the broader implications for your organization’s security. To ensure you are well-prepared and resilient against emerging threats, ask yourself the following questions: 

1. Are your current security measures sufficient to detect and prevent unauthorized access, especially from compromised credentials? 

2. How often do you review and update your access controls and permissions? Is this easy to do for your business? 

3. Do you have robust monitoring in place to detect unusual activities and high error rates in real-time? 

4. What proactive threat detection strategies are you employing to identify potential issues before they cause significant damage? 

 By addressing these questions and strengthening your security posture, you can better protect your Snowflake environment from similar threats. If you're looking to enhance your data security capabilities or you are not confident in your answers to the above questions, consider investing in advanced data security software purpose-built for Snowflake. ALTR’s solutions offer comprehensive protection, continuous monitoring, and proactive threat detection to safeguard your valuable data assets. 

Would you like to explore how our data security solutions can help you secure your Snowflake environment? Contact ALTR today to learn more and schedule a demo. 

PUBLISHED: Jun 26, 2024

Discover key insights from Mandiant’s investigation and actionable tips to enhance your data security.

James Beecham
Founder & CEO