Mandiant Threat Hunting Guide

Mandiant Threat Hunting Guide for Snowflake: ALTR Summary

Mandiant Threat Hunting Guide for Snowflake: ALTR Summary

Watch the Webinar

Get started for Free
Learn More

Recently, a significant data exfiltration event targeting Snowflake customer databases came to light, orchestrated by a financially motivated threat actor group, UNC5537. This group successfully compromised numerous Snowflake customer instances, resulting in data theft and extortion attempts. It's important to note that Mandiant's thorough investigation found no evidence suggesting that the cyber threats originated from Snowflake's own environment. Instead, every incident was traced back to compromised customer credentials. 

 

In this blog post, we’ll dive into the key takeaways from Mandiant’s investigation. We’ll also share some actionable insight to bolster your data security – because staying alert and proactive is your best defense in safeguarding your organization’s data integrity.  

 

Key Findings 

Credential Compromise

The attacks primarily involved the use of stolen customer credentials, leading to unauthorized access and data theft. 

Threat Hunting Guidance

Mandiant provided comprehensive threat hunting queries to detect abnormal and malicious activities, which are crucial for identifying potential incidents. 

Common Attack Patterns

Roles and Permissions Changes: Attackers frequently used the SHOW GRANT command to enumerate resources and adjust permissions, enabling broader access. 

Abnormal Database Access: Unusual spikes in access to databases, schemas, views, and tables were noted, indicating potential reconnaissance or data exfiltration activities. 

User and Query Analysis: Identifying patterns in user creation, deletion, and query frequencies helped in detecting anomalous behaviors. 

Error Rate Analysis: High error rates in query executions often indicated brute force attempts or misconfigured accounts used by attackers. 

High Resource Consumption: Large volumes of data queries and compression activities were linked to data staging and exfiltration efforts. 

 

4 Critical Recommendations to Enhance Snowflake Security 

Given these findings, it's imperative forSnowflake users to bolster their security measures. Here are some critical steps: 

Implement Multi-Factor Authentication (MFA): Ensure MFA is enabled for all user accounts to prevent unauthorized access even if credentials are compromised. 

Regular IAM Reviews: Conduct frequent reviews of roles and permissions to detect and mitigate any unauthorized changes. 

Enhanced Monitoring: Use advanced monitoring tools such as database activity monitoring (DAM) to track abnormal access patterns, high error rates, and unusual resource consumption. 

Threat Hunting Practices: Regularly perform threat hunting exercises using the guidance provided by Mandiant to stay ahead of potential issues. 

 

Ask Yourself these Questions  

As you reflect on the recent incidents, it’s crucial to reflect on the broader implications to your organization’s security. To ensure you are well-prepared and resilient against emerging threats, consider the following questions: 

1. Are your current security measures sufficient to detect and prevent unauthorized access, especially from compromised credentials? 

2. How often do you review and update your access controls and permissions? Is this easy to do for your business? 

3. Do you have robust monitoring in place to detect unusual activities and high error rates in real-time? 

4. What proactive threat detection strategies are you employing to identify potential issues before they cause significant damage? 

 

By addressing these questions and strengthening your security posture, you can better protect your Snowflake environment from similar threats. If you're looking to enhance your data security capabilities or you are not confident in your answers to the above questions, consider investing in advanced data security software purpose-built for Snowflake. ALTR’s solutions offer comprehensive protection, continuous monitoring, and proactive threat detection to safeguard your valuable data assets. 

Would you like to explore how our data security solutions can help you secure your Snowflake environment? Contact ALTR today to learn more and schedule a demo. 

industry

Energy

PLATFORM

Snowflake

use case

Tokenization

Mandiant Threat Hunting Guide for Snowflake: ALTR Summary

Recently, a significant data exfiltration event targeting Snowflake customer databases came to light, orchestrated by a financially motivated threat actor group, UNC5537. This group successfully compromised numerous Snowflake customer instances, resulting in data theft and extortion attempts. It's important to note that Mandiant's thorough investigation found no evidence suggesting that the cyber threats originated from Snowflake's own environment. Instead, every incident was traced back to compromised customer credentials. 

 

In this blog post, we’ll dive into the key takeaways from Mandiant’s investigation. We’ll also share some actionable insight to bolster your data security – because staying alert and proactive is your best defense in safeguarding your organization’s data integrity.  

 

Key Findings 

Credential Compromise

The attacks primarily involved the use of stolen customer credentials, leading to unauthorized access and data theft. 

Threat Hunting Guidance

Mandiant provided comprehensive threat hunting queries to detect abnormal and malicious activities, which are crucial for identifying potential incidents. 

Common Attack Patterns

Roles and Permissions Changes: Attackers frequently used the SHOW GRANT command to enumerate resources and adjust permissions, enabling broader access. 

Abnormal Database Access: Unusual spikes in access to databases, schemas, views, and tables were noted, indicating potential reconnaissance or data exfiltration activities. 

User and Query Analysis: Identifying patterns in user creation, deletion, and query frequencies helped in detecting anomalous behaviors. 

Error Rate Analysis: High error rates in query executions often indicated brute force attempts or misconfigured accounts used by attackers. 

High Resource Consumption: Large volumes of data queries and compression activities were linked to data staging and exfiltration efforts. 

 

4 Critical Recommendations to Enhance Snowflake Security 

Given these findings, it's imperative forSnowflake users to bolster their security measures. Here are some critical steps: 

Implement Multi-Factor Authentication (MFA): Ensure MFA is enabled for all user accounts to prevent unauthorized access even if credentials are compromised. 

Regular IAM Reviews: Conduct frequent reviews of roles and permissions to detect and mitigate any unauthorized changes. 

Enhanced Monitoring: Use advanced monitoring tools such as database activity monitoring (DAM) to track abnormal access patterns, high error rates, and unusual resource consumption. 

Threat Hunting Practices: Regularly perform threat hunting exercises using the guidance provided by Mandiant to stay ahead of potential issues. 

 

Ask Yourself these Questions  

As you reflect on the recent incidents, it’s crucial to reflect on the broader implications to your organization’s security. To ensure you are well-prepared and resilient against emerging threats, consider the following questions: 

1. Are your current security measures sufficient to detect and prevent unauthorized access, especially from compromised credentials? 

2. How often do you review and update your access controls and permissions? Is this easy to do for your business? 

3. Do you have robust monitoring in place to detect unusual activities and high error rates in real-time? 

4. What proactive threat detection strategies are you employing to identify potential issues before they cause significant damage? 

 

By addressing these questions and strengthening your security posture, you can better protect your Snowflake environment from similar threats. If you're looking to enhance your data security capabilities or you are not confident in your answers to the above questions, consider investing in advanced data security software purpose-built for Snowflake. ALTR’s solutions offer comprehensive protection, continuous monitoring, and proactive threat detection to safeguard your valuable data assets. 

Would you like to explore how our data security solutions can help you secure your Snowflake environment? Contact ALTR today to learn more and schedule a demo. 

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

CASE STUDIES

Providing real solutions

Ready to get started?
We’re here to help. Our team can show you how to use ALTR and make recommendations based on your company’s needs.
Get Product Tour

Mandiant Threat Hunting Guide for Snowflake: ALTR Summary

PUBLISHED: Jun 26, 2024

Discover key insights from Mandiant’s investigation and actionable tips to enhance your data security.

James Beecham
Founder & CEO

Recently, a significant data exfiltration event targeting Snowflake customer databases came to light, orchestrated by a financially motivated threat actor group, UNC5537. This group successfully compromised numerous Snowflake customer instances, resulting in data theft and extortion attempts. It's important to note that Mandiant's thorough investigation found no evidence suggesting that the cyber threats originated from Snowflake's own environment. Instead, every incident was traced back to compromised customer credentials. 

 

In this blog post, we’ll dive into the key takeaways from Mandiant’s investigation. We’ll also share some actionable insight to bolster your data security – because staying alert and proactive is your best defense in safeguarding your organization’s data integrity.  

 

Key Findings 

Credential Compromise

The attacks primarily involved the use of stolen customer credentials, leading to unauthorized access and data theft. 

Threat Hunting Guidance

Mandiant provided comprehensive threat hunting queries to detect abnormal and malicious activities, which are crucial for identifying potential incidents. 

Common Attack Patterns

Roles and Permissions Changes: Attackers frequently used the SHOW GRANT command to enumerate resources and adjust permissions, enabling broader access. 

Abnormal Database Access: Unusual spikes in access to databases, schemas, views, and tables were noted, indicating potential reconnaissance or data exfiltration activities. 

User and Query Analysis: Identifying patterns in user creation, deletion, and query frequencies helped in detecting anomalous behaviors. 

Error Rate Analysis: High error rates in query executions often indicated brute force attempts or misconfigured accounts used by attackers. 

High Resource Consumption: Large volumes of data queries and compression activities were linked to data staging and exfiltration efforts. 

 

4 Critical Recommendations to Enhance Snowflake Security 

Given these findings, it's imperative forSnowflake users to bolster their security measures. Here are some critical steps: 

Implement Multi-Factor Authentication (MFA): Ensure MFA is enabled for all user accounts to prevent unauthorized access even if credentials are compromised. 

Regular IAM Reviews: Conduct frequent reviews of roles and permissions to detect and mitigate any unauthorized changes. 

Enhanced Monitoring: Use advanced monitoring tools such as database activity monitoring (DAM) to track abnormal access patterns, high error rates, and unusual resource consumption. 

Threat Hunting Practices: Regularly perform threat hunting exercises using the guidance provided by Mandiant to stay ahead of potential issues. 

 

Ask Yourself these Questions  

As you reflect on the recent incidents, it’s crucial to reflect on the broader implications to your organization’s security. To ensure you are well-prepared and resilient against emerging threats, consider the following questions: 

1. Are your current security measures sufficient to detect and prevent unauthorized access, especially from compromised credentials? 

2. How often do you review and update your access controls and permissions? Is this easy to do for your business? 

3. Do you have robust monitoring in place to detect unusual activities and high error rates in real-time? 

4. What proactive threat detection strategies are you employing to identify potential issues before they cause significant damage? 

 

By addressing these questions and strengthening your security posture, you can better protect your Snowflake environment from similar threats. If you're looking to enhance your data security capabilities or you are not confident in your answers to the above questions, consider investing in advanced data security software purpose-built for Snowflake. ALTR’s solutions offer comprehensive protection, continuous monitoring, and proactive threat detection to safeguard your valuable data assets. 

Would you like to explore how our data security solutions can help you secure your Snowflake environment? Contact ALTR today to learn more and schedule a demo. 

Ready to get started?
We’re here to help. Our team can show you how to use ALTR and make recommendations based on your company’s needs.
Get Product Tour
ALTR Blog