Snowflake red-team iter-6 — credibility hardening, deployment-honest detection, planner-steering depth #49

Merged
AndrewAltimit merged 1 commit into main from snowflake-redteam-iter6-action-items on May 15, 2026

Conversation

@AndrewAltimit (Owner)

Summary

Resolves the 14 action items surfaced by an iter-5 deep-review pass. The work moves the Snowflake red-team body from "strong framework, uneven substance" to a deliverable with defensible claims, honest deployment guidance, and end-to-end test coverage.

  • Tier 1 — credibility: [EMPIRICAL] / [MODELED] / [HYPOTHESIS] badges on every chain; canonical chain-reference table; lab baseline-capture harness (14/14 tools exit 0 against the mock); per-CVE applicability matrix with [REQUIRES_TENANT] hedges instead of fabricated detail.
  • Tier 2 — detection honesty: maturity: field on all 33 Sigma rules with aggregate counts (4 production-ready, 29 deployment-blocked); ship-ready enrichment templates (Snowflake SQL + Sentinel KQL + Splunk conf) for the three highest-value rules; FP/FN harness surfaced two real rule-logic gaps (sensitivity 0.60, precision 0.43) and flagged them in the YAML.
  • Tier 3 — depth: owner/non-owner asymmetry now exercised in Chain M (new mock endpoints + tool path); planner-steering bench shows keyword rule catches 1/5 injection families, behavioral rule 5/5; Chain A end-to-end integration test imports the rule logic from the FP/FN harness so YAML/code drift fails loudly; Guardrails evaluation summary with bypass rates per tier.
  • Tier 4 — polish: HIPAA control text grounded for every cited §164 subsection; MFA-enforcement-boundary section disambiguates human vs service-user scope; scope/assumptions sections on both the analytical doc and the static HTML report; deployment-readiness callout on the detection page.

Files

  • 41 modified files; 13 new files / directories.
  • New analytical docs: docs/analysis/chain-reference-table.md, docs/analysis/snowflake-cve-applicability-matrix-2026.md.
  • New mock endpoints: /api/v2/spcs/eai-udf-{setup,invoke,egress-log} for Chain M.
  • New tools: tools/llm-attacks/cortex/cortex_agent_planner_steer.py.
  • New harnesses: infra/lab/mock-snowflake/capture_baselines.py, detection/snowflake/fp_fn_harness/bulk_exfil_baseline.py.
  • New enrichment templates: detection/snowflake/enrichment-templates/{bulk-exfil-baseline,federated-login-anomaly,connector-secret-leak}/.
  • New test: tests/integration/test_chain_a_end_to_end.py.

Test plan

  • [DONE] All eight CI hard-rule guards pass on branch HEAD (detection pairing, no committed drivers, no real tenants, AiTM loopback, kernel-LPE harness, LoLDrivers hash-only, mock-services loopback, no real RMM license, no suspicious .pth, Snowflake report integrity, Snowflake tools syntax).
  • [DONE] python -m unittest tests.integration.test_chain_a_end_to_end — 3/3 pass.
  • [DONE] python infra/lab/mock-snowflake/capture_baselines.py — 14/14 tools exit 0; MOCK_BASELINE.md and per-tool slices regenerate cleanly.
  • [DONE] python detection/snowflake/fp_fn_harness/bulk_exfil_baseline.py — produces BULK_EXFIL_FP_FN_REPORT.md with the documented sensitivity/specificity/precision.
  • [DONE] python tools/llm-attacks/cortex/cortex_agent_planner_steer.py against the lab mocks — 5/5 injection families steer the planner; benign baseline correctly ignored.
  • [TODO] Static report local serve (python -m http.server from reports/snowflake-platform-assessment/) — visual review of the new scope/assumptions and deployment-readiness callouts.
  • [TODO] Tenant validation of [REQUIRES_TENANT] items in the CVE applicability matrix and chain reference table (out of scope for this PR; staged in per-tool lab-validation/ directories).

Generated with Claude Code

…detection, planner-steering depth

Resolves 14 critique items surfaced by the iter-5 deep-review pass. The work
turns the body of Snowflake red-team content from a strong framework with
uneven substance into a deliverable with defensible claims, honest
detection deployment guidance, and end-to-end test coverage.

Tier 1 — credibility:

* `[EMPIRICAL]` / `[MODELED]` / `[HYPOTHESIS]` maturity badges on every
  chain heading (A–M plus SPCS Base-Image) in the attack-surface analysis.
  Maturity legend added near the top; Chain I's overstated "Empirical
  confirmation" claim softened to "Mock-side observation" with the
  tenant-replay step marked `[REQUIRES_TENANT]`.
* `docs/analysis/chain-reference-table.md` — canonical cross-reference
  mapping chain → tools → Sigma rule IDs → CVE refs → PHI impact →
  maturity. Updated `CLAUDE.md` index.
* `infra/lab/mock-snowflake/capture_baselines.py` — orchestration harness
  that runs all 14 Snowflake tools against the lab mock, captures stdout
  + audit projections, writes `MOCK_BASELINE.md` (consolidated) and
  per-tool slices under each `lab-validation/` directory. 14/14 tools
  exit 0 against the mock at HEAD.
* `docs/analysis/snowflake-cve-applicability-matrix-2026.md` — per-CVE
  matrix of affected versions, trigger conditions, artifact surface,
  dependent detection rules, and status. Unknowns marked
  `[REQUIRES_TENANT]` rather than fabricated.

Tier 2 — detection honesty:

* `maturity:` field added to all 33 Sigma rules (production_ready /
  requires_enrichment / requires_correlation / requires_cortex_sidecar
  / requires_endpoint_telemetry). Aggregate counts surfaced in
  `detection/snowflake/README.md` deployment-readiness section: 4 of
  33 rules fire out of the box; the remaining 29 land an alert only
  after the relevant enrichment, correlation, or sidecar is operational.
* `detection/snowflake/enrichment-templates/` — copy-pasteable
  Snowflake SQL + Sentinel KQL + Splunk conf for the three highest-
  value rules (bulk_exfil_baseline, federated_login_anomaly,
  connector_secret_leak). The connector-secret-leak template is an
  ingest-time redaction pipeline so the SIEM does not become the new
  long-retention repository for leaked master keys.
* `detection/snowflake/fp_fn_harness/bulk_exfil_baseline.py` — FP/FN
  harness that runs the rule logic over a synthetic mix of UNC5537-
  shaped attackers + healthcare-overlay business patterns. Surfaces
  two real rule-logic gaps: approved-role-misuse attackers escape the
  outer OR-gate (sensitivity 0.60) and analyst-ad-hoc small exports
  trip the rule (precision 0.43). Findings flagged in the rule YAML
  with a remediation hint.

Tier 3 — depth:

* `udf_eai_egress.py` — extended to exercise the owner/non-owner role
  asymmetry that is Chain M's central claim. The mock gains
  `/api/v2/spcs/eai-udf-{setup,invoke,egress-log}` endpoints with
  PUBLIC-callable UDFs owned by DATA_ENG_OWNER; the tool now invokes
  as both owner and non-owner and prints the asymmetry summary.
* `cortex_agent_planner_steer.py` + mock planner enhancement — drives
  five injection-payload families through the lab Cortex Agents
  runtime (keyword, paraphrase, authority_spoof, markdown_block,
  memory_injection) plus a benign baseline. Output report shows the
  keyword rule catches 1/5 successful steers; the behavioral rule
  catches 5/5 subject to the sidecar enrichment.
* `tests/integration/test_chain_a_end_to_end.py` — end-to-end pytest
  driving PAT issuance → login → bulk COPY → audit projection →
  rule-logic evaluation. Imports the rule_fires() implementation from
  the FP/FN harness so YAML/code drift fails the test loudly.
* `tools/llm-attacks/cortex/guardrails-evaluation-summary.md` —
  aggregate effectiveness summary from the existing Guardrails
  harness. Headline numbers: tier 1 blocks 27% of corpus injections;
  tier 2 blocks 16%; the two are partly complementary. Vendor-side
  measurement marked `[REQUIRES_TENANT]`.

Tier 4 — polish:

* Healthcare overlay HIPAA mapping grounded in control text: a new
  section traces each cited §164 subsection to its paraphrased text
  and names what the platform-side gap means for the control's design
  intent. Separate MFA-enforcement-boundary section disambiguates
  human vs. service-user scope (humans are MFA-enforced as of April
  2025; service users on key-pair are out of scope by design).
* "Scope, Assumptions, and Out-of-Scope" section added to the
  analytical companion (cloud providers covered, editions, what's not
  tested). Static report's index.html gets a matching scope &
  assumptions callout citing the maturity badges and
  `[REQUIRES_TENANT]` convention.
* Detection HTML page gets a deployment-readiness callout mirroring
  the maturity-tag counts so a CISO reader sees coverage realism
  before assuming production readiness.

All eight CI hard-rule guards pass on the branch (detection pairing,
no committed drivers, no real tenants, AiTM loopback, kernel-LPE
harness, LoLDrivers hash-only, mock-services loopback, no real RMM
license, no suspicious .pth, Snowflake report integrity, Snowflake
tools syntax).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
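The FP/FN harness pattern the commit message describes (a synthetic attacker-plus-business mix scored for sensitivity, specificity and precision), as an added illustration that is not the repository's `detection/snowflake/fp_fn_harness` code. The OR-gate rule, the baseline-ratio remediation in `rule_fires_hardened`, and every synthetic event are assumptions constructed to reproduce the two reported gaps (sensitivity 0.60, precision 0.43), not the real Sigma logic or the PR's remediation hint.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExportEvent:
    """One synthetic bulk-export audit record (constructed, not real telemetry)."""
    role: str
    rows: int
    baseline_rows: int  # user's typical 30-day export size (constructed)
    known_ip: bool      # source IP already seen in that user's baseline
    is_attacker: bool   # ground-truth label for scoring

APPROVED_EXPORT_ROLES = {"ETL_SERVICE", "ANALYTICS_EXPORT"}

def rule_fires(ev: ExportEvent) -> bool:
    """Hypothetical outer OR-gate: unapproved role OR never-seen source IP.
    Row volume is never consulted, which is the gap the harness exposes."""
    return ev.role not in APPROVED_EXPORT_ROLES or not ev.known_ip

def rule_fires_hardened(ev: ExportEvent) -> bool:
    """Assumed remediation: anchor on volume relative to the user's own
    baseline, and demand both role and IP anomalies for a small export."""
    volume_anomaly = ev.rows > 10 * max(ev.baseline_rows, 1)
    role_and_ip = ev.role not in APPROVED_EXPORT_ROLES and not ev.known_ip
    return volume_anomaly or role_and_ip

def synthetic_corpus() -> list:
    """Constructed mix: 5 attackers, 4 analyst ad-hoc exports, 6 normal ETL runs."""
    # UNC5537-shaped: unapproved role from a never-seen IP, pulling everything
    attackers = [ExportEvent("PUBLIC", 20_000_000, 0, False, True)] * 3
    # Approved-role misuse: compromised ETL identity, known IP, 25x normal volume
    attackers += [ExportEvent("ETL_SERVICE", 45_000_000, 1_800_000, True, True)] * 2
    # Analysts exporting a few thousand rows for a one-off question
    analysts = [ExportEvent("ANALYST", 5_000, 4_000, True, False)] * 4
    # Nightly ETL: approved role, known IP, volume close to its baseline
    etl = [ExportEvent("ETL_SERVICE", 2_000_000, 1_800_000, True, False)] * 6
    return attackers + analysts + etl

def evaluate(rule, events) -> dict:
    """Confusion matrix plus the three metrics the FP/FN report surfaces."""
    tp = sum(1 for e in events if e.is_attacker and rule(e))
    fn = sum(1 for e in events if e.is_attacker and not rule(e))
    fp = sum(1 for e in events if not e.is_attacker and rule(e))
    tn = sum(1 for e in events if not e.is_attacker and not rule(e))
    def ratio(n, d): return round(n / d, 2) if d else 0.0
    return {"tp": tp, "fn": fn, "fp": fp, "tn": tn,
            "sensitivity": ratio(tp, tp + fn),
            "specificity": ratio(tn, tn + fp),
            "precision": ratio(tp, tp + fp)}
```

Running `evaluate(rule_fires, synthetic_corpus())` yields tp=3, fn=2, fp=4, tn=6: the two approved-role attackers escape the OR-gate and all four analyst exports trip it, which is exactly the shape of gap a harness like this is meant to surface before a rule is marked production-ready.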
AndrewAltimit merged commit 214d2f0 into main on May 15, 2026
2 checks passed
AndrewAltimit deleted the snowflake-redteam-iter6-action-items branch on May 15, 2026 at 18:02