Cybersecurity

YetiHunter queries for signs of Snowflake compromise

Permiso’s scanner helps demystify one of IT’s more perplexing environments.

Biwa Studio/Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

A tool from Permiso Security—YetiHunter—helps users search for abominable signs of compromise in their Snowflake environments. The automatic querying tool aims to protect cloud data accounts, which have come under attack in recent months.

“Snowflake is kind of a mystery to most IT professionals—and even security folks—when it comes down to monitoring what’s going on in those environments,” Ian Ahl, SVP of p0 Labs at Permiso Security, told IT Brew. “So we really want to take all this institutional knowledge we’ve had from responding to a lot of these attacks, and put it in a tool where people can do this easily without having to hop on a phone call or webinar for two hours and shoulder-surf with somebody to make it happen.”

Customers use the multi-cloud warehousing platform Snowflake to store and analyze data.

On June 11, Snowflake revealed cyberattacks against customer accounts, along with queries to identify suspicious behavior (like activity from suspected IP addresses) and to boot suspicious users.

Cybersecurity firm Mandiant, on June 10, also identified threats targeting the storage vendor.

Snowflake did not respond to IT Brew’s request for comment.

YetiHunter, an open source tool Permiso introduced on June 13, automatically runs at least 13 queries to look for signs of compromise.

Some examples:

  • Copy_into_select_all: You don’t see “select_all” statements run too often, Ahl told IT Brew, and seeing a “select_all” command may indicate an intruder wants to take hold of all that data. According to Permiso’s post publicizing the tool, attackers often combine “copy_into” and “select_all” in a single query when exporting records to another location. “A lot of our queries are designed around looking for high-output, low-effort commands that we know attackers are doing to take data, stage data, and remove data from your environment,” Ahl said.
  • Show_tables: The command suggests threat actor recon, per the tool intro.
  • Malicious_IPs: The query checks for all malicious IP addresses known to Snowflake and Mandiant.

Queries can be added, removed, or modified, according to Permiso’s YetiHunter announcement.

To run the tool, a user authenticates to the specific Snowflake instance (using multi-factor authentication, if enabled, Ahl said), and the tool executes queries, printing results to the screen and writing them to a CSV file.
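The three example checks and the CSV output described above can be sketched offline as follows. This is an added illustration, not Permiso's code or YetiHunter's actual queries: the rule patterns, the flattened row fields (`user`, `client_ip`, `query_text`) and the sample rows are assumptions constructed for the example.

```python
import csv
import io
import re

# Constructed sample rows standing in for Snowflake query history (not real data).
# The addresses come from the reserved documentation ranges.
SAMPLE_HISTORY = [
    {"user": "etl_svc", "client_ip": "198.51.100.7",
     "query_text": "COPY INTO sales.orders FROM @ingest_stage/orders.csv"},
    {"user": "jdoe", "client_ip": "203.0.113.50",
     "query_text": "copy into @ext_stage/out/ from (select * from crm.customers)"},
    {"user": "jdoe", "client_ip": "203.0.113.50", "query_text": "SHOW TABLES"},
    {"user": "analyst", "client_ip": "198.51.100.9",
     "query_text": "SELECT id, total FROM sales.orders WHERE total > 100"},
]

# Placeholder indicator list; a real one would come from published advisories.
SUSPECT_IPS = {"203.0.113.50"}

# Rule names follow the article's examples; the patterns are assumptions.
RULES = {
    "copy_into_select_all": re.compile(r"\bcopy\s+into\b.*\bselect\s+\*", re.I | re.S),
    "show_tables": re.compile(r"^\s*show\s+tables\b", re.I),
}

def hunt(history, suspect_ips):
    """Return one finding per (rule, row) match, in input order."""
    findings = []
    for row in history:
        hits = [name for name, rx in RULES.items() if rx.search(row["query_text"])]
        if row["client_ip"] in suspect_ips:
            hits.append("malicious_ips")
        for name in hits:
            findings.append({"rule": name, **row})
    return findings

def to_csv(findings):
    """Serialize findings to CSV text so they can be saved for triage."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["rule", "user", "client_ip", "query_text"])
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(hunt(SAMPLE_HISTORY, SUSPECT_IPS)))
```

The routine bulk load by `etl_svc` and the column-scoped `SELECT` produce no findings; only the combined export, the table listing and the flagged address do, which is the "high-output, low-effort" pattern the rules target.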

A display of executed queries. Permiso Security

After executing the queries, suspicious behavior can be investigated—perhaps by internal teams or an external security firm.

“This is all about finding the thread,” Ahl said. “Now, you have to pull the thread.”
