Cloud Security | 4 min read

From a Snowflake to a Snowball: How to Detect and Stop Impersonation Attacks

Written by Sarah Elkaim, Product Marketing Manager
June 6, 2024

Snowflake, the data cloud company, was reported last week for an account hacks campaign that resulted in a data leak for customers Santander Bank and Ticketmaster, from what we currently know. 

Allegedly, a threat actor gained access to Snowflake’s database through an employee’s work account, thereby impersonating him and bypassing Snowflake’s secure authentication protocol to directly access the Snowflake database. The attacker then generated authentication tokens to access and download sensitive data belonging to numerous customers.

Snowflake’s claim is that the incident was in no part due to “a vulnerability, misconfiguration, or breach of Snowflake’s product”. Rather, the leak was caused by a theft of login credentials from customers who did not have two-factor authentication enabled. 

Credentials Theft Login Snowflake

Regardless of cause, this impersonation attack serves as a stark reminder of the potential vulnerabilities inherent in managed services. Managed services are compromisable, and no matter how much prevention measures are set in place, impersonation attacks can and will take place. 

While the mentioned attack occurred via an endpoint, other avenues, such as vulnerabilities in the SaaS ID provider or in the compute layer, pose similar risks. 

From a Snowflake to a Snowball: Further Escalations of an Accessed Managed Service

While the intrusion was contained within Snowflake’s environment, this type of impersonation attack, from what we’ve typically seen at Sweet, poses extremely dangerous consequences.

Credential theft combined with lateral movement can lead to further breaches, as seen with successful credential stuffing attacks or in the example of Okta’s customer support system breach.  

The diagram below showcases how an attacker can easily impersonate an employee via credential theft from the SaaS ID provider and move laterally within the environment using authorized tokens.   

Credential theft with lateral movement

Example 1 – Credential theft with lateral movement 

Additionally, vulnerabilities in the compute layer can be exploited to obtain unauthorized access through impersonation, with the managed service itself becoming the target. 

In the example below, the attacker gains initial access via a vulnerability found in Service A within the compute layer and discovers the credentials needed to access a managed storage. He then moves laterally to Service B and generates an authorized token, Key 1, to access the storage. 

Vulnerability exploitation and credential theft

Example 2 – Vulnerability exploitation and credential theft

Why Impersonation Attacks are so Risky for Cloud Environments

Impersonation attacks pose significant risks for cloud security due to their ability to appear legitimate. Once inside the system, threat actors can move laterally, accessing critical assets or even shutting down systems for ransom. Detecting such attacks is complex as they adhere to established policies, making them difficult to distinguish from normal activities. Traditional security tools often fail to detect these anomalies, focusing on policy adherence rather than behavioral deviations.

The crux of the issue lies in the challenge of identifying abnormal but seemingly legitimate activities within the cloud environment.

What can you Do to Detect Impersonation Attacks

Behavioral analysis provides insights into dynamic workload activities, enabling the detection of anomalous behaviors indicative of impersonation attempts. Therefore, in order to effectively detect an impersonation, a behavioral analysis approach must be adopted. 

This involves establishing a baseline of normal activities within the cloud environment and monitoring for deviations. For example, using a valid access key from an unauthorized location would trigger an alert based on behavioral analysis, but it would not raise an alert in traditional security tooling because the credentials used were legitimate. 

Looking back to our example 2 from above, we can see that Key 1 (a legitimate token) was used to access the managed storage. However, according to behavioral analysis, only Service A directly communicates with the managed storage using Key 1 as the token. In the diagram, however, we see the attacker moved laterally to the managed storage via Service B. Because this flow deviates from the norm, behavioral analysis measures would be able to catch this and identify it as an anomaly caused by a non-human identity.

NHI Anomaly

Sweet’s Behavioral Baseline in Action

Sweet Security offers a solution to combat impersonation attacks through its innovative, runtime-based behavioral baseline approach (also called application profiling). This runtime behavioral baseline is a proprietary understanding of the behavioral activity of the dynamic workloads actively running on the cloud. Whether it’s an unusual access key or an atypical identity provider, our system flags these anomalies in real-time, alerting SOC teams of the potential threats before they escalate.

By utilizing a patent-pending, eBPF-based sensor, Sweet conducts deep application profiling across various cloud services to establish a baseline of normal behaviors. Any deviations from this baseline are flagged in real-time. Sweet also provides comprehensive attack stories, damage assessments, and remediation recommendations, ensuring swift action against threats.

To learn more about Sweet’s prevention, detection, and response capabilities, schedule a demo with us. 


Popular Posts

Cloud Security

From a Snowflake to a Snowball: How to Detect and Stop Impersonation Attacks

Migrating to the cloud is a lot more than just "lift and shift". It requires cross-organizational adaptation, and a comprehensive view - from left to right.

Sarah Elkaim | 4 min read
Read More