HoneySAP: Who really wants your money? Martin Gallo, March 2015

HoneySAP: Who really wants your money?...HoneySAP Who really wants your money? MARTIN GALLO MARCH 2015 . P A G E 2 AGENDA SAP SAP security ... LOGGER LOADER CONFIG FEEDS HPFEEDS DB

Apr 20, 2020

Transcript
Page 1

HoneySAP: Who really wants your money?

Martin Gallo, March 2015

Page 2

AGENDA
SAP; SAP security (threat landscape, what we have, what we need); honeypots; HoneySAP (approach, goal, design, architecture, services, integration, example profiles); demo; challenges; call for contributions; conclusions

Page 3

WHAT IS SAP?
software company; business processes; critical systems; $$$

Page 4

SECURITY IN SAP?
specialized skills; commitment; risk culture; $$$

Page 5

SECURITY IN SAP?
focus on users, roles, SoD; GRC platforms; manual test tools; automated test tools

Page 6

THREATS IN SAP?
complexity; customization; lack of knowledge; business dynamics

Page 7

THREATS IN SAP?
fraud, espionage, sabotage; insider & outsider

Page 8

Targeted attacks: known for years; targets not disclosing data; now started appearing in media
Broad attacks: traditional attacks; more recent malware looking for SAP; entry point for targeted attacks

Page 9

THREAT LANDSCAPE
targeted attacks; broad attacks

Page 10

WHAT DO WE HAVE?
some knowledge, distributed; weak defenses

Page 11

WHAT DO WE NEED?
learn; share; act

Page 12

MEET Honeypots

Page 13

HONEYPOTS
types; goals; implementations

Page 14

HONEYPOTS
interaction: high / medium / low; purpose: research / production

Page 15

HONEYPOTS
gather information; catch malware; deceive/distract

Page 16

HONEYPOTS

Page 17

MEET HoneySAP

Page 18

APPROACH
low-interaction; research centric; open source

Page 19

GOALS
specific purpose: identify behavior; flexibility; agility

Page 20

DESIGN
extensible: add services, add feeds

Page 21

DESIGN
modular: dynamic loader for services, feeds & datastore

Page 22

DESIGN
easy to configure: JSON & YAML; default profiles

Page 23

DESIGN
easy to deploy: vagrant + ansible; docker?

Page 24

ARCHITECTURE (diagram)
CORE: service manager, session manager, feed manager, datastore manager, logger, loader, config
SERVICES: SAP Router, message server, ICM, ...
FEEDS: DB, hpfeeds, file, console
DATASTORE
LIBS: gevent, pysap, flask

Page 25

ARCHITECTURE (diagram)
SERVICES: SAP Router, ICM, message server, gateway, ...
DATA STORE

Page 26

PySAP-based services: router, message server, dispatcher, gateway, ...
HTTP-based services: ICM, message server, web dispatcher, NW gateway, ...

Page 27

SERVICES
virtual services: don't bind to real addresses; allows routing/dispatching

Page 28

SERVICES
forwarder service: forwards traffic to external services; can be run as a virtual service

Page 29

INTEGRATION
with honeypots: routing/dispatching, honeynets, deployment
with actual systems: routing/dispatching

Page 30

INTEGRATION
standard feeds: hpfeeds, taxii, stix, ...

Page 31

EXAMPLE PROFILE (diagram)
HoneySAP exposes a SAPRouter service to the Internet, next to Kippo (SSH) and Dionaea (smb, ftp, mysql, etc.); behind it sit SAP internal virtual services (gateway, dispatcher, ms, icm, etc.).
Adversary: 1) identifies the service; 2) discovers open routes; 3) requests route to internally served virtual services; 4) requests route to other exposed honeypots
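The routing pattern of this profile, together with the virtual and forwarder services from the SERVICES slides, modelled as an added Python example (not HoneySAP's own code): one router-style listener dispatches requested routes to in-process virtual services or to external honeypots, and records every route request as a feed event, refused routes included. Service names, addresses and the JSON event format are constructed for the example.

```python
import json
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical model of the slides' routing pattern (not HoneySAP code): the router
# is the only real listener; virtual services and external honeypots are reached by name.
Handler = Callable[[bytes], bytes]

@dataclass
class RouteEvent:
    source: str       # adversary address (constructed in the example)
    target: str       # "host:port" the adversary asked to be routed to
    outcome: str      # "virtual", "forwarded" or "refused"
    payload_len: int

    def to_feed(self) -> str:
        # One JSON line per event, a constructed format for a feed consumer.
        return json.dumps(asdict(self), sort_keys=True)

class HoneyRouter:
    def __init__(self) -> None:
        self.virtual: Dict[Tuple[str, int], Handler] = {}
        self.forward: Dict[Tuple[str, int], str] = {}
        self.events: List[RouteEvent] = []

    def add_virtual(self, host: str, port: int, handler: Handler) -> None:
        self.virtual[(host, port)] = handler          # in-process, no bind()
    def add_forward(self, host: str, port: int, external: str) -> None:
        self.forward[(host, port)] = external         # forwarder to external honeypot

    def route(self, source: str, host: str, port: int, payload: bytes) -> Optional[bytes]:
        # Dispatch one route request; every request is logged, even refused ones.
        key = (host, port)
        if key in self.virtual:
            outcome, reply = "virtual", self.virtual[key](payload)
        elif key in self.forward:
            # A real forwarder would open a connection; modelled as a label here.
            outcome, reply = "forwarded", b"->" + self.forward[key].encode()
        else:
            outcome, reply = "refused", None
        self.events.append(RouteEvent(source, f"{host}:{port}", outcome, len(payload)))
        return reply

def build_example_profile() -> HoneyRouter:
    r = HoneyRouter()   # constructed profile mirroring the slide: SAP virtuals + Kippo/Dionaea
    r.add_virtual("sapms01", 3600, lambda d: b"MS:" + d[:8])   # virtual message server
    r.add_virtual("sapgw01", 3300, lambda d: b"GW:" + d[:8])   # virtual gateway
    r.add_forward("10.0.0.22", 22, "kippo")                    # external SSH honeypot
    r.add_forward("10.0.0.23", 445, "dionaea")                 # external SMB honeypot
    return r
```

The refused route is the interesting record for the "what to log?" question later in the deck: a request for a target that does not exist in the profile is itself an indicator worth feeding out.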

Page 32

EXAMPLE PROFILE (diagram)
HoneySAP exposes a SAP ICM service to the Internet; behind it sit SAP internal ICF services (ping, SOAP RFC, etc.).
Adversary: 1) identifies the service; 2) scans for exposed ICF services; 3) accesses ICF services

Page 33

EXAMPLE PROFILE (diagram)
HoneySAP on the internal network exposes a SAP ICM service, with SAP internal ICF services (ping, SOAP RFC, etc.) and SAP internal virtual services (gateway, dispatcher, ms, etc.) behind it.
Adversary: 1) identifies the services; 2) accesses the services

Page 34

DEMO TIME

Page 35

CHALLENGES
core development: modular structure; gevent + scapy/flask

Page 36

CHALLENGES
more knowledge on each service: packets are not enough, behavior

Page 37

CHALLENGES
detection: non-standard behavior; error messages; HTTP services

Page 38

CHALLENGES
performance? not sure yet

Page 39

CHALLENGES
what to log? determine IoA/IoC

Page 40

CHALLENGES
deployments: make it easier to deploy; integration

Page 41

CALL FOR CONTRIBUTIONS
run, test, patch, submit; collect & analyze; extend

Page 42

CALL FOR CONTRIBUTIONS
grab it soon from https://github.com/CoreSecurity/ and http://corelabs.coresecurity.com/
GPLv2 license; working on data feed

Page 43

CONCLUSIONS
more knowledge about services; new source of attack information; a different approach for defense

Page 44

Q&A ???

Page 45

THANK YOU! [email protected] @martingalloar