After major cyber attacks or data breaches, cybersecurity companies and professionals universally face the question, "How would you have detected or prevented this type of attack?" This week, the question is related to the Snowflake data breach.
Security analysts at Mandiant have reported a significant data breach affecting hundreds of Snowflake cloud storage customers. Snowflake is a cloud-based data platform that provides a single place for data storage, processing, and analytics. It runs on public clouds such as Amazon Web Services (AWS), Google Cloud, and Microsoft Azure, which is why it is often described as cloud-agnostic.
The primary issue in this case appears to have been a lack of proper security controls on the victim Snowflake instances (no MFA, an open network ACL, and no requirement to change passwords), which allowed previously compromised credentials to be reused. While technically fixable, this is another high-profile incident rooted in fundamental security hygiene failures.
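To make the three missing controls concrete, here is an added Snowflake SQL example (not code from IronNet or Snowflake): an audit query over ACCOUNT_USAGE.LOGIN_HISTORY for password logins that completed without a second factor, followed by the account-level policies that close each gap. It assumes ACCOUNTADMIN privileges, a constructed IP range (203.0.113.0/24), and the MFA_ENROLLMENT authentication-policy parameter; the policy names are placeholders.

```sql
-- Added example, not IronNet's or Snowflake's own code. Assumes Snowflake SQL
-- run as ACCOUNTADMIN with access to the SNOWFLAKE.ACCOUNT_USAGE share.

-- 1. Audit: successful password logins in the last 30 days that had no second
--    factor, with the source IPs used. This is the population a stolen
--    credential could reuse unchallenged.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MAX(event_timestamp) AS last_login
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP  BY 1, 2, 3
ORDER  BY logins DESC;

-- 2. Network restriction: replace an unrestricted account with an allow-list.
--    203.0.113.0/24 is a constructed documentation range; substitute the
--    egress ranges your users and integrations actually come from.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 3. Password rotation: cap credential lifetime so a password stolen years
--    ago is no longer valid today.
CREATE PASSWORD POLICY rotate_90d
  PASSWORD_MAX_AGE_DAYS = 90
  PASSWORD_MIN_LENGTH   = 14;
ALTER ACCOUNT SET PASSWORD POLICY rotate_90d;

-- 4. MFA: require enrollment for password-based logins (assumed parameter).
--    Service accounts that cannot enroll should move to key-pair or OAuth
--    authentication rather than remain on passwords.
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Run the audit query before applying the policies so that users and integrations still on password-only access can be migrated without locking them out.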
The incident underscores the importance of proactive threat intelligence for detecting novel and evolving cyber threats before they can launch campaigns that exploit weaknesses such as missing Multi-Factor Authentication (MFA).
Infostealers are a type of malware designed to infiltrate systems and steal sensitive information such as login credentials, financial data, and other personal information. These tools are often deployed via phishing emails or malicious websites and can evade traditional security measures.
According to Mandiant's analysis, infostealer activity related to this breach dates back to 2020. The threat actors obtained credentials from various infostealer campaigns that had successfully infected systems, executed their malware, and exfiltrated data from multiple victims. Those campaigns bypassed traditional defenses such as firewalls, intrusion detection systems (IDS), and endpoint protections while transmitting stolen data to Command and Control (C2) servers. This highlights the importance of network-based detections and proactive threat intelligence, which can detect such activity and add an essential layer of security to the overall cyber ecosystem.
Malware typically requires external communication with a Command and Control (C2) server to receive additional instructions, maintain persistence, exfiltrate data, and so on. Knowing the adversary's C2 servers therefore provides detection opportunities that apply to the majority of cyber attacks.
IronRadar is designed to proactively detect and neutralize such threats by identifying and monitoring C2 servers. IronRadar currently tracks 19 information stealer frameworks, and since the beginning of this year, over 700 infostealer indicators have been distributed to our customers across the Collective Defense community. This proactive approach ensures that threats are identified and mitigated before they can cause significant harm.
Reflecting on these types of attacks, blog posts and technical debriefs often contain indicators of compromise (IoCs) that are quickly deployed across the industry. While helpful, this is a reactive response that requires one or more victims to educate the industry. Collective Defense and Proactive Threat Intelligence are increasingly valuable in bridging the gap for a community that otherwise gets its information post-compromise (days to months later, depending on the victim organization and its disclosure requirements).
To return to the opening question: how would IronNet have detected and responded to the Snowflake data breach?
Attackers are always a step ahead. They know what technology and detections are commercially available and focus their efforts on evading them. Through our Collective Defense community and Proactive Threat Intelligence, we are enabling our customers to bridge that gap. The bigger we grow, the more power we have. An attack against one is an attack against all.
_________
Contact us to learn more about how IronRadar can improve your organization’s visibility into novel and evolving threats before they’re able to cause damage.