Guides

Comprehensive Guide to Threat Detection and Monitoring in Snowflake

Learn how to safeguard your Snowflake environment from potential threats with detailed queries, insights, and best practices. Enhance your threat detection capabilities and protect your data with advanced tools and real-time monitoring solutions from ThreatKey.
8 min read
August 9, 2024
Share on social media

THREAT DETECTION

Complete Guide to Threat Detection and Monitoring in Snowflake

ThreatKey Security Research Team

Snowflake is a leading cloud-based data platform designed for handling vast amounts of data, offering fully managed services across AWS, Microsoft Azure, and Google Cloud. Given the recent increase in threats targeting Snowflake environments, we have developed an in-depth guide for threat hunting. This document provides detailed queries and insights to help you scrutinize your Snowflake instances and set up effective threat detections.

Understanding the Threat Landscape

Attackers gaining access to Snowflake credentials can exfiltrate sensitive data stored within the platform. To detect initial access attempts and other malicious behaviors, monitoring specific Snowflake logs is crucial.

Each query section will detail the purpose of the query, the query itself, and guidance on interpreting the results.

Queries for Detecting Malicious Activities in Snowflake Environments

Unauthorized Access Detection

These queries focus on identifying activities that may indicate an attacker has gained unauthorized access to your Snowflake environment.

Successful Logins with GeoIP Analysis (T1078 - Valid Accounts)

Logins to the Snowflake UI and CLI should originate from expected user accounts and IP addresses.

What to look for in the results: Monitor successful password logins to the Snowflake UI and CLI to ensure they match expected patterns. Cross-reference logins with GeoIP data to identify any logins from known proxy or VPN services not approved by the company.

Unusual External Access (T1199 - Trusted Relationship)

Examine entries of external access performed by procedures or user-defined functions (UDF) handler code within the last year.

What to look for in the results: Look for unusual source and target cloud destinations. Cross-reference any query ID in external access logs with the Query History view to determine if the query includes sensitive information.

Logins from Known Malicious IP Addresses (T1078 - Valid Accounts)

Check login history for attempts from known malicious IP addresses.

What to look for in the results: Investigate logins from known bad IP addresses. Any hits should trigger a deeper investigation into logs containing those specific IP addresses.

Anomalous Client Application Usage (T1199 - Trusted Relationship)

Review all client applications in the Sessions view for unusual usage.

What to look for in the results: Investigate any unapproved or unrecognized client applications and the associated OS. An attacker may have set up a session from an outside tool to access and exfiltrate data.

Evasion of Detection Mechanisms

Identify activities that indicate an attacker is attempting to bypass established security measures.

Network Policy Modifications (T1484 - Domain or Tenant Policy Modification)

Review changes to network policies, which could allow unauthorized traffic.

What to look for in the results: Investigate any changes to network policies without internal documentation for change management. Coupled with suspicious logins, this could indicate a compromise.

Persistence Mechanisms

Detect activities that suggest an attacker has gained persistent access to your Snowflake environment.

Unauthorized Admin-level Access (T1098 - Account Manipulation)

Monitor for unauthorized grants of admin-level access.

What to look for in the results: Review logs indicating a user has been granted an administrator role. Investigate any grants of administrator access outside of expected users.

Credential Access

Identify potential access of Snowflake credentials by an attacker.

OAuth Token Usage (T1528 - Steal Application Access Token)

Review OAuth access token usage to ensure it aligns with expected behavior.

What to look for in the results: Look for evidence of OAuth access token use from unexpected IP addresses or clients.

Brute-force Attack Detection (T1110 - Brute Force)

Identify signs of brute-force attacks.

What to look for in the results: Look for several failed attempts followed by a successful login. Investigate the associated IP address to ensure it aligns with expected behavior.

Data Collection

Detect potential data collection by an attacker.

Unusual Data Query Volumes (T1530 - Data from Cloud Storage)

Look for users querying large amounts of data.

What to look for in the results: Review large numbers of rows produced from a data query, benchmarking against a baseline specific to your environment. Large numbers of rows produced can indicate data collection prior to exfiltration.

Data Exfiltration

Identify activities suggesting data exfiltration from your environment.

External COPY Query Usage (T1567 - Exfiltration Over Web Service)

Detect use of the COPY INTO feature to move data to an external location.

What to look for in the results: Validate that all URLs are expected and resolve to company-owned resources. Investigate unknown URLs in query results as potential signs of data exfiltration.

Data Export to External Cloud Storage (T1567 - Exfiltration Over Web Service)

Review data export activities to cloud storage services.

What to look for in the results: Investigate any unknown external stage URLs as potential indicators of data exfiltration.

How ThreatKey's Platform Can Assist

ThreatKey's platform offers advanced tools and integrations to enhance your threat detection capabilities in Snowflake environments. Our solutions provide real-time monitoring, automated threat detection, and comprehensive analysis to help you stay ahead of potential threats.

Best Practices for Securing Snowflake Environments

To minimize security risks, implement the following best practices:

  • Secure User Accounts: Enforce strong authentication methods like single sign-on (SSO) and multi-factor authentication (MFA).
  • Control Service Account Access: Utilize secure methods such as OAuth 2.0 or key pairs for service account management.
  • Implement Robust Threat Detection: Ensure robust threat detection mechanisms are in place to identify potential attacker behaviors.
  • Develop an Incident Response Plan: Create a clear incident response playbook tailored to Snowflake environments to ensure swift and coordinated responses to security incidents.

By following these guidelines and utilizing ThreatKey's platform, you can enhance the security of your Snowflake environment and protect your valuable data from emerging threats.

Most popular
News
AWS Cloud Extortion Campaign: A Wake-Up Call for Robust Cloud Security
Aug 23, 2024
  
5 min read
News
Massive Data Breach Alert: Safeguarding Your Identity in the Wake of the National Public Data Hack
Aug 15, 2024
  
7 min read
News
ThreatKey Unveils Innovative Pricing Model for SSPM & CSPM Platform, Making Advanced Cloud Security Accessible to SMBs
Aug 9, 2024
  
5 min read
Subscribe to know first

Receive monthly news and insights in your inbox. Don't miss out!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Elevate Your Security Posture in 15 Minutes
INDUSTRIES
SaaS and SoftwareHealthcare ProvidersManufacturing Finance and MarketsLegal Services
PLATFORM
Product FeaturesSolutionsUse CasesPricingGet Started
COMPANY
About UsCareersContact UsCase StudiesHelp Center
RESOURCES
SupportBlogCookie PolicyPrivacy PolicyTerms of Use
© ThreatKey, Inc. All Rights Reserved.
Powered by ThreatKeyThreatKey SupportThreatKey Status