This blog first appeared in Black Kite’s Focus Friday blog series, written by Ferhat Dikbiyik, Black Kite’s Chief Research and Intelligence Officer.
The recent breaches connected to Snowflake’s cloud storage service have sent shockwaves through the cybersecurity community. With compromised credentials leading to unauthorized access and data theft, the ripple effect on supply chains is profound. In this Focus Friday, we explore the third-party risk management (TPRM) implications of these incidents, providing insights on how organizations can safeguard their vendor ecosystems using Black Kite’s FocusTags™.
In late May 2024, a significant security breach at Snowflake was discovered when attackers exploited vulnerabilities via a compromised employee account. This breach led to unauthorized access to sensitive customer data. The attackers utilized info-stealing malware to gain credentials, which allowed them to infiltrate Snowflake’s infrastructure. The breach quickly raised alarms, given the high-profile nature of many of Snowflake’s clients, including Ticketmaster and Santander Bank.
Snowflake’s immediate response involved alerting its customers and recommending the implementation of multi-factor authentication (MFA) and continuous monitoring of account activities. These measures aimed to prevent further unauthorized access and mitigate the damage. Despite these efforts, the attackers managed to extract a vast amount of sensitive data, leading to significant concerns about the potential ripple effects across the supply chain.
HudsonRock, a cybersecurity research firm, released a detailed report on the breach, which was later removed from public access due to its sensitive content. The report indicated that the attackers had accessed credentials from thousands of Snowflake accounts. This revelation underscored the severe risks associated with the breach and the broader implications for Snowflake’s extensive customer base.
The attackers claimed to have accessed data from multiple high-profile clients and demanded a ransom to prevent the sale of the stolen information. The incident highlighted the substantial technological concentration risk posed by Snowflake, as approximately 10,000 companies and organizations rely on its cloud computing and analytical services. The breach’s impact extended beyond direct customers, affecting vendors and partners, emphasizing robust TPRM practices.
Snowflake is a cornerstone for approximately 10,000 companies and organizations, providing essential cloud computing and analytical services. The breach has created a significant technological concentration risk, with the potential to compromise highly sensitive data processed and maintained by Snowflake or accessed via Snowflake credentials. The ripple effect of this incident can extend beyond direct customers to their vendors, partners, and even customers of those vendors.
TPRM professionals need to pay close attention to this incident, even if they do not directly interact with Snowflake. The interconnected nature of modern supply chains means that a breach in one critical provider can cascade through numerous organizations. The compromised credentials and stolen data from this breach could be used to exploit other systems, leading to widespread vulnerabilities and potential data breaches. Therefore, it is crucial for TPRM professionals to assess their vendor ecosystems and identify any indirect connections to Snowflake.
Furthermore, the breach underscores the importance of understanding technological concentration risks. Organizations heavily reliant on a single provider for critical services must recognize the potential impact of such incidents. TPRM professionals should evaluate their exposure to Snowflake and consider diversifying their technological dependencies to mitigate similar risks in the future. This incident serves as a stark reminder of the need for robust third-party risk management strategies to safeguard against the cascading effects of a major security breach.
TPRM professionals should ask their vendors the following specific questions:
To mitigate risks associated with the Snowflake incident, vendors should:
Black Kite determines which vendors are using Snowflake by analyzing subdomains, job postings, and other external sources. This comprehensive approach helps identify Snowflake clients accurately. In response to the recent breach, Black Kite published the Snowflake Client Focus Tag, enabling TPRM professionals to quickly pinpoint at-risk vendors and assess their exposure.
Customers can filter their monitored entities using the Snowflake Client tag, allowing them to focus on the vendors most likely to be affected by the breach. This targeted approach means that instead of sending questionnaires to vendors blindly, Black Kite customers can directly reach out to those at risk, streamlining their efforts and resources.
Black Kite’s new Supply Chain Tool offers an advanced way to uncover risks beyond direct third parties. Customers can search for Snowflake within their supply chain and visualize the concentration risk. The tool enables TPRM professionals to filter their supply chain (including 3rd, 4th, and 5th parties) based on Snowflake usage, and further narrow down the search by adding additional filters such as cyber grade, risk score, and compliance ratings.
Operationalizing this tool involves several steps. First, customers can enter specific parameters related to Snowflake, such as subdomains or job postings, to identify vendors that utilize Snowflake’s services. Once identified, these vendors can be assessed for their exposure to the recent breach. This targeted approach allows TPRM professionals to focus their efforts on the most at-risk entities, enhancing the efficiency of their risk management processes.
Additionally, the Supply Chain Tool’s filtering capabilities provide a comprehensive view of an organization’s extended supply chain. By visualizing the interconnections and potential concentration risks, TPRM professionals can better understand the overall impact of the Snowflake breach. This holistic approach enables proactive risk mitigation, ensuring that vulnerabilities are addressed promptly and effectively.
Black Kite customers can further leverage this tool by integrating it into their regular risk assessment routines. Regularly updating the filters and parameters based on the latest threat intelligence allows for continuous monitoring and early detection of potential risks. This proactive stance not only helps in managing current vulnerabilities but also prepares organizations for future threats, maintaining the integrity and security of their supply chain. For more details, visit Black Kite Supply Chain Module.
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
This article has been re-published with the permission of the authors.
Aravo’s partnership and integration with Black Kite’s Cyber Security intelligence solution enables Aravo users to strengthen their cybersecurity defenses by non-invasively quantifying and monitoring cyber risks across their extended enterprises.
With the ability to consume FocusTags™ in Aravo, users can detect which companies are using Snowflake promptly and allow for scaled outreach to address these issues efficiently. In addition, our partnership provides recommended questions to ask your vendors impacted and provides prescriptive remediation actions.
References:
https://thehackernews.com/2024/06/snowflake-warns-targeted-credential.html
https://finance.yahoo.com/news/snowflake-hit-data-breach-whats-141942232.html
https://techcrunch.com/2024/06/05/snowflake-customer-passwords-found-online-infostealing-malware
Share with Your Friends:
