<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Snowflake on Tarragon</title><link>https://tarrragon.github.io/blog/tags/snowflake/</link><description>Recent content in Snowflake on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Thu, 30 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/tags/snowflake/index.xml" rel="self" type="application/rss+xml"/><item><title>Snowflake 2024: SaaS Credential Reuse Pressure</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/snowflake-2024-credential-reuse-pressure/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/snowflake-2024-credential-reuse-pressure/</guid><description>&lt;p>This case study's role is to provide pressure material on SaaS data platform credentials. The Snowflake 2024 incident showed that when customer instance credentials leak through infostealers, and MFA and network allow lists are not enforced, a SaaS data platform becomes an entry point for large-scale data exfiltration.&lt;/p>
&lt;h2 id="來源">來源&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Source&lt;/th>
 &lt;th>Citable scope&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>&lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion">Mandiant / Google Cloud:UNC5537 targets Snowflake&lt;/a>&lt;/td>
 &lt;td>initial access、infostealer 來源、TTP、IOC&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>&lt;a href="https://www.cybersecuritydive.com/news/100-snowflake-customers-attacked/718454/">Snowflake security advisory(整理見 Cybersecurity Dive)&lt;/a>&lt;/td>
 &lt;td>受影響 customer instance、平台立場、recommended actions&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>&lt;a href="https://www.techtarget.com/searchsecurity/news/366588655/Mandiant-Exposed-credentials-led-to-Snowflake-attacks">TechTarget:Mandiant root cause 摘要&lt;/a>&lt;/td>
 &lt;td>credential reuse、MFA 缺口、credential 長期有效性&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="defender-pressure">Defender Pressure&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Pressure&lt;/th>
 &lt;th>Service interpretation&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>Credential hygiene pressure&lt;/td>
 &lt;td>Old credentials leaked by infostealers remain valid for a long time&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>MFA enforcement pressure&lt;/td>
 &lt;td>A SaaS data platform needs MFA that can be enforced on the platform side&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Network boundary pressure&lt;/td>
 &lt;td>The data platform needs IP / VPC allow lists to narrow the set of access sources&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Shared responsibility pressure&lt;/td>
 &lt;td>Customers and vendors need to align their detection, reporting, and evidence obligations&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="control-gap">Control Gap&lt;/h2>
&lt;p>The core of the control gap is that the credential lifecycle and network boundary of a SaaS data platform fall within the customer's responsibility, yet the platform lacks an enforced baseline. No MFA, no allow list, and credentials left unrotated for long periods form the common structure behind repeated incidents of this kind.&lt;/p>
&lt;h2 id="detection-route">Detection Route&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Signal&lt;/th>
 &lt;th>What it tells you&lt;/th>
 &lt;th>Next step&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>Large volumes of queries from unexpected IPs on the data platform&lt;/td>
 &lt;td>Determine whether credentials are being abused&lt;/td>
 &lt;td>Start &lt;a href="https://tarrragon.github.io/blog/backend/knowledge-cards/token-revocation/" data-link-title="Token Revocation" data-link-desc="說明事件中如何撤銷 token，縮短可利用窗口">token revocation&lt;/a> and allow listing&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>The same user account appearing in multiple infostealer hits&lt;/td>
 &lt;td>Determine whether the credential is still valid&lt;/td>
 &lt;td>Start forced rotation and MFA enforcement&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Customer reports of data exfiltration arrive before platform alerts&lt;/td>
 &lt;td>Identify the detection coverage gap&lt;/td>
 &lt;td>Start platform / customer log alignment&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="exercise-hook">Exercise Hook&lt;/h2>
&lt;p>This case can support the SaaS data platform variant of the &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/scenarios/low-frequency-exfiltration-tabletop/" data-link-title="Low-frequency Exfiltration Tabletop" data-link-desc="以受管檔案傳輸系統外送風險設計資料範圍與通報 tabletop">Low-frequency exfiltration tabletop&lt;/a>. The exercise focuses on confirming whether credentials, MFA, the network boundary, and the reporting process can cooperate quickly within the shared-responsibility boundary.&lt;/p>
&lt;h2 id="write-back-target">Write-back Target&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/data-protection-and-masking-governance/" data-link-title="7.4 資料保護與遮罩治理" data-link-desc="以問題驅動方式整理資料分級、遮罩、匯出與備份治理">7.4 資料保護與遮罩治理&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/identity-access-boundary/" data-link-title="7.2 身分與授權邊界" data-link-desc="以問題驅動方式整理身分、授權、會話與供應商身分鏈">7.2 身分與授權邊界&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/detection-lifecycle-pattern/" data-link-title="Detection Lifecycle Pattern" data-link-desc="定義偵測規則如何管理來源、邏輯、測試事件、誤報與退場">Detection lifecycle pattern&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/evidence-chain-pattern/" data-link-title="Evidence Chain Pattern" data-link-desc="定義事故與演練需要保存的訊號、決策、artifact、timeline 與 retention 證據">Evidence chain pattern&lt;/a>&lt;/li>
&lt;/ul></description><content:encoded><![CDATA[<p>This case study's role is to provide pressure material on SaaS data platform credentials. The Snowflake 2024 incident showed that when customer instance credentials leak through infostealers, and MFA and network allow lists are not enforced, a SaaS data platform becomes an entry point for large-scale data exfiltration.</p>
<h2 id="來源">Sources</h2>
<table>
  <thead>
      <tr>
          <th>Source</th>
          <th>Citable scope</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td><a href="https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion">Mandiant / Google Cloud: UNC5537 targets Snowflake</a></td>
          <td>initial access, infostealer sources, TTPs, IOCs</td>
      </tr>
      <tr>
          <td><a href="https://www.cybersecuritydive.com/news/100-snowflake-customers-attacked/718454/">Snowflake security advisory (as summarized by Cybersecurity Dive)</a></td>
          <td>affected customer instances, platform position, recommended actions</td>
      </tr>
      <tr>
          <td><a href="https://www.techtarget.com/searchsecurity/news/366588655/Mandiant-Exposed-credentials-led-to-Snowflake-attacks">TechTarget: Mandiant root cause summary</a></td>
          <td>credential reuse, MFA gaps, long-lived credential validity</td>
      </tr>
  </tbody>
</table>
<h2 id="defender-pressure">Defender Pressure</h2>
<table>
  <thead>
      <tr>
          <th>Pressure</th>
          <th>Service interpretation</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Credential hygiene pressure</td>
          <td>Old credentials leaked by infostealers remain valid for a long time</td>
      </tr>
      <tr>
          <td>MFA enforcement pressure</td>
          <td>A SaaS data platform needs MFA that can be enforced on the platform side</td>
      </tr>
      <tr>
          <td>Network boundary pressure</td>
          <td>The data platform needs IP / VPC allow lists to narrow the set of access sources</td>
      </tr>
      <tr>
          <td>Shared responsibility pressure</td>
          <td>Customers and vendors need to align their detection, reporting, and evidence obligations</td>
      </tr>
  </tbody>
</table>
<h2 id="control-gap">Control Gap</h2>
<p>The core of the control gap is that the credential lifecycle and network boundary of a SaaS data platform fall within the customer's responsibility, yet the platform lacks an enforced baseline. No MFA, no allow list, and credentials left unrotated for long periods form the common structure behind repeated incidents of this kind.</p>
<h2 id="detection-route">Detection Route</h2>
<table>
  <thead>
      <tr>
          <th>Signal</th>
          <th>What it tells you</th>
          <th>Next step</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Large volumes of queries from unexpected IPs on the data platform</td>
          <td>Determine whether credentials are being abused</td>
          <td>Start <a href="/blog/backend/knowledge-cards/token-revocation/" data-link-title="Token Revocation" data-link-desc="說明事件中如何撤銷 token，縮短可利用窗口">token revocation</a> and allow listing</td>
      </tr>
      <tr>
          <td>The same user account appearing in multiple infostealer hits</td>
          <td>Determine whether the credential is still valid</td>
          <td>Start forced rotation and MFA enforcement</td>
      </tr>
      <tr>
          <td>Customer reports of data exfiltration arrive before platform alerts</td>
          <td>Identify the detection coverage gap</td>
          <td>Start platform / customer log alignment</td>
      </tr>
  </tbody>
</table>
<h2 id="exercise-hook">Exercise Hook</h2>
<p>This case can support the SaaS data platform variant of the <a href="/blog/backend/07-security-data-protection/blue-team/materials/scenarios/low-frequency-exfiltration-tabletop/" data-link-title="Low-frequency Exfiltration Tabletop" data-link-desc="以受管檔案傳輸系統外送風險設計資料範圍與通報 tabletop">Low-frequency exfiltration tabletop</a>. The exercise focuses on confirming whether credentials, MFA, the network boundary, and the reporting process can cooperate quickly within the shared-responsibility boundary.</p>
<h2 id="write-back-target">Write-back Target</h2>
<ul>
<li><a href="/blog/backend/07-security-data-protection/data-protection-and-masking-governance/" data-link-title="7.4 資料保護與遮罩治理" data-link-desc="以問題驅動方式整理資料分級、遮罩、匯出與備份治理">7.4 Data Protection and Masking Governance</a></li>
<li><a href="/blog/backend/07-security-data-protection/identity-access-boundary/" data-link-title="7.2 身分與授權邊界" data-link-desc="以問題驅動方式整理身分、授權、會話與供應商身分鏈">7.2 Identity and Authorization Boundary</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/detection-lifecycle-pattern/" data-link-title="Detection Lifecycle Pattern" data-link-desc="定義偵測規則如何管理來源、邏輯、測試事件、誤報與退場">Detection lifecycle pattern</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/evidence-chain-pattern/" data-link-title="Evidence Chain Pattern" data-link-desc="定義事故與演練需要保存的訊號、決策、artifact、timeline 與 retention 證據">Evidence chain pattern</a></li>
</ul>
]]></content:encoded></item></channel></rss>