STRIFEBOT: Attacking and Defending Snowflake Data-lakes

James Henderson

fwd:cloudsec Europe 2025 · Day 2 · Main Room

James Henderson from Reverse Sec delivered a comprehensive purple teaming framework for **Snowflake** data lake environments, covering the full attack lifecycle from initial access through persistence to data exfiltration. Motivated by the high-profile 2024 Snowflake breaches—where attackers used info-stealer-compromised credentials to exfiltrate data from multiple customer tenants—Henderson systematically mapped offensive techniques against Snowflake's platform, paired them with detection strategies and preventive controls, and open-sourced the resulting playbooks. The talk addresses a critical gap in security operations: as organizations migrate their crown jewel data into SaaS data platforms, traditional security testing methodologies built for Active Directory and cloud infrastructure often fail to cover these new attack surfaces.

AI review

A well-structured purple teaming framework for Snowflake environments that maps the complete attack lifecycle and pairs it with detection strategies. Solid practical value for organizations that need to test their Snowflake security posture, though the offensive techniques themselves are relatively straightforward rather than novel.
