STRIFEBOT: Attacking and Defending Snowflake Data-lakes
Data warehouses and data lakes have become the latest in a series of software categories designed to ingest, mangle, and make sense of the vast amounts of data produced by your average enterprise. Snowflake is currently one of the leading commercial solutions in this space: a SaaS (software-as-a-service) data platform with annual revenue in the billions of dollars, used by many of the Fortune 500. Many organisations pour vast amounts of sensitive data into these systems, turning them into a crown jewel in the eyes of many attackers.
This talk will present the results of research and development work on both attacking and defending large, production Snowflake deployments across a number of different organisations. A range of TTPs will be presented, demonstrating various ways an attacker could move to compromise a Snowflake instance. These will be accompanied by mitigations and detection strategies, enabling defenders to better harden and monitor their Snowflake usage. Finally, a new open-source tool will be released, enabling defenders to easily simulate the discussed TTPs against their own Snowflake instances in order to generate telemetry and validate their detections.
What attendees will take away:
- The most likely TTPs to be executed against Snowflake, and how offensive and defensive experts can design security exercises around them
- The relevant security controls for hardening against, or where possible detecting, the discussed TTPs
- The telemetry and log sources available for detection engineering and monitoring of Snowflake