HoneySAP Who really wants your money? MARTIN GALLO MARCH 2015

AGENDA
SAP
SAP security
Threat landscape
Have
Needs
Honeypots
HoneySAP: approach, goal, design, architecture, services, integration, example profiles, demo
Challenges
Call to contributions
Conclusions

WHAT IS SAP?
software company
business processes
critical systems
$$$

SECURITY IN SAP?
specialized skills
commitment
risk culture
$$$

SECURITY IN SAP?
focus on users, roles, SoD
GRC platforms
manual test tools
automated test tools

THREATS IN SAP?
complexity
customization
lack of knowledge
business dynamics

THREATS IN SAP?
fraud, espionage, sabotage
insider & outsider

THREAT LANDSCAPE
Targeted attacks: known for years; targets not disclosing data
Broad attacks: traditional attacks; now started appearing in media
More recent: malware looking for SAP, entry point for targeted attacks

WHAT DO WE HAVE?
some knowledge, distributed
weak defenses

WHAT DO WE NEED?
learn, share, act

MEET HONEYPOTS

HONEYPOTS
types, goals, implementations
interaction: high / medium / low
purpose: research / production
goals: gather information, catch malware, deceit/distract, ...

MEET HoneySAP

APPROACH
low-interaction
research centric
open source

GOALS
specific purpose: identify behavior
flexibility, agility

DESIGN
extendible: add services, add feeds
modular: dynamic loader; services, feeds & datastore
easy to configure: JSON & YAML; default profiles
easy to deploy: vagrant + ansible; docker?

ARCHITECTURE (component diagram)
CORE: service manager, session manager, feed manager, datastore manager, logger, loader, config, console
SERVICES: SAP Router, message server, ICM, gateway, ..
FEEDS: DB, HPfeeds, file
DATASTORE
LIBS: gevent, pysap, flask

SERVICES
PySAP-based services: Router, Message Server, Dispatcher, Gateway, ..
HTTP-based services: ICM, Message Server, Web Dispatcher, NW Gateway, ..

SERVICES
virtual services: don't bind to real addresses; allows routing/dispatching
forwarder service: forwards traffic to ext. services; can be run as a virtual service

INTEGRATION
honeypots: routing/dispatching, honeynets, deployment
actual systems: routing/dispatching
standard feeds: hpfeeds, taxii, stix, ..

EXAMPLE PROFILE: SAPRouter service exposed to the Internet
Adversary (the Internet) -> HoneySAP SAPRouter service -> other exposed honeypots: Kippo (SSH), Dionaea (smb, ftp, mysql, etc.); SAP internal virtual services (gateway, dispatcher, ms, icm, etc.)
1) identifies the service
2) discovers open routes
3) requests route to internally served virtual services
4) requests route to other exposed honeypots
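Worked example added for this profile (illustration only, not code from the talk or from HoneySAP; the host names and the port-to-service mapping are assumed): it parses the SAP route string carried by a route request and classifies whether the final hop points at an internally served virtual service, at another exposed honeypot, or somewhere outside the trap, which is the decision the router honeypot has to log for steps 2 to 4.

```python
import re
from typing import Dict, List, Optional, Tuple
# Constructed lab layout for the profile above (assumed names, not HoneySAP's config):
# SAP virtual services served inside HoneySAP, and other honeypots reachable via the router.
VIRTUAL_SERVICES = {("sapserver", 3200): "dispatcher", ("sapserver", 3300): "gateway",
                    ("sapserver", 3600): "message server", ("sapserver", 8000): "icm"}
OTHER_HONEYPOTS = {("bastion", 22): "Kippo (ssh)", ("fileserver", 445): "Dionaea (smb)"}
ROUTER_PORT = 3299              # SAPRouter default, assumed for a hop naming no /S/ port
SEGMENT = re.compile(r"/([HSP])/([^/]*)")
Hop = Tuple[str, int, Optional[str]]   # (host, port, route password)

def parse_route(route: str) -> List[Hop]:
    """Split a SAP route string (/H/host/S/port/P/password/H/...) into hops."""
    if not route.startswith("/H/"):
        raise ValueError("route must start with /H/")
    hops: List[Hop] = []
    host, port, password, pos = "", ROUTER_PORT, None, 0
    for m in SEGMENT.finditer(route):
        if m.start() != pos:                    # text between segments: malformed
            raise ValueError("malformed route at offset %d" % pos)
        pos = m.end()
        key, value = m.group(1), m.group(2)
        if key == "H":                          # a new hop begins; flush the last one
            if host:
                hops.append((host, port, password))
            host, port, password = value, ROUTER_PORT, None
        elif key == "S":                        # numeric ports only in this example
            if not value.isdigit():
                raise ValueError("non-numeric service %r" % value)
            port = int(value)
        else:                                   # "P": password for this hop
            password = value
    if pos != len(route) or not host:
        raise ValueError("trailing garbage or empty host in route")
    hops.append((host, port, password))
    return hops

def classify_route(route: str) -> Dict[str, object]:
    """Build the event a router honeypot could log for one route request."""
    hops = parse_route(route)
    host, port, password = hops[-1]             # the final hop is the real target
    if (host, port) in VIRTUAL_SERVICES:
        kind, name = "virtual-service", VIRTUAL_SERVICES[(host, port)]
    elif (host, port) in OTHER_HONEYPOTS:
        kind, name = "honeypot", OTHER_HONEYPOTS[(host, port)]
    else:
        kind, name = "unknown", None            # a route out of the trap: alert on it
    return {"route": route, "hops": len(hops), "target": "%s:%d" % (host, port),
            "kind": kind, "service": name, "password_supplied": password is not None}
```

A route whose final hop is classified "unknown" is the case worth alerting on, since the adversary is trying to use the router to reach something the honeypot does not serve.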

EXAMPLE PROFILE: SAP ICM service exposed to the Internet
Adversary (the Internet) -> HoneySAP SAP ICM service -> SAP internal ICF services (ping, SOAP RFC, etc.)
1) identifies the service
2) scans for exposed ICF services
3) accesses ICF services

EXAMPLE PROFILE: internal network
Adversary (internal network) -> HoneySAP SAP ICM service -> SAP internal ICF services (ping, SOAP RFC, etc.); SAP internal virtual services (gateway, dispatcher, ms, etc.)
1) identifies the services
2) accesses the services

DEMO TIME

CHALLENGES
core development: modular structure; gevent + scapy/flask
more knowledge on each service: packets are not enough, behavior matters
detection: non-standard behavior; error messages (http services)
performance? not sure yet
what to log? determine IoA/IoC
deployments: make it easier to deploy; integration

CALL FOR CONTRIBUTIONS
run, test, patch, submit
collect & analyze
extend
grab it soon from https://github.com/CoreSecurity/ and http://corelabs.coresecurity.com/
GPLv2 license
working on data feed

CONCLUSIONS
more knowledge about services
new source of attack info
different approach for defense

Q&A
???

THANK YOU! [email protected] @martingalloar