HoneySAP: Who really wants your money? Martin Gallo, March 2015
AGENDA: SAP (SAP security, threat landscape, what we have, what we need); Honeypots; HoneySAP (approach, goal, design, architecture, services, integration, example profiles); Demo; Challenges; Call for contributions; Conclusions
WHAT IS SAP? software company; business processes; critical systems; $$$
SECURITY IN SAP? specialized skills; commitment; risk culture; $$$
SECURITY IN SAP? manual test tools; focus on users, roles, SoD; automated test tools; GRC platforms
THREATS IN SAP? complexity; customization; lack of knowledge; business dynamics
THREATS IN SAP? fraud; espionage; sabotage; insider & outsider
THREAT LANDSCAPE: Targeted attacks: known for years; traditional attacks; targets not disclosing data; attacks now starting to appear in the media. Broad attacks: more recent; malware looking for SAP; entry point for targeted attacks.
WHAT DO WE HAVE? some knowledge; distributed; weak defenses
WHAT DO WE NEED? learn; share; act
MEET Honeypots
HONEYPOTS: types; goals; implementations
HONEYPOTS: interaction: high / medium / low; purpose: research / production
HONEYPOTS: gather information; catch malware; deceive/distract; …
MEET HoneySAP
APPROACH: low-interaction; research centric; open source
GOALS: specific purpose; identify behavior; flexibility; agility
DESIGN: extendible: add services, add feeds
DESIGN: modular: dynamic loader for services, feeds & datastore
DESIGN: easy to configure: JSON & YAML; default profiles
DESIGN: easy to deploy: vagrant + ansible; docker?
ARCHITECTURE (diagram): Core: service manager, session manager, feed manager, datastore manager, logger, loader, config. Services: SAP Router, ICM, Message Server, … Feeds: hpfeeds, DB, file, console. Datastore. Libs: gevent, pysap, flask.
ARCHITECTURE (diagram): services (SAP Router, Message Server, ICM, Gateway, …) share a common data store.
SERVICES (diagram): PySAP-based services: Router, Message Server, Dispatcher, Gateway, … HTTP-based services: ICM, Message Server, Web Dispatcher, NW Gateway, …
SERVICES: virtual services: don't bind to real addresses; allows routing/dispatching
SERVICES: forwarder service: forwards traffic to external services; can be run as a virtual service
INTEGRATION: honeypots: routing/dispatching, honeynets, deployment; actual systems: routing/dispatching
INTEGRATION: standard feeds: hpfeeds, taxii, stix, …
EXAMPLE PROFILE (diagram): adversary on the Internet; HoneySAP exposes a SAPRouter service, alongside Dionaea (smb, ftp, mysql, etc.) and Kippo (SSH). 1) identifies the service; 2) discovers open routes; 3) requests routes to HoneySAP's internally served virtual services (gateway, dispatcher, ms, icm, etc.); 4) requests routes to the other exposed honeypots.
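The routing/dispatching design above (virtual services that never bind a real address, reached through the SAPRouter front service, with forwarders to other honeypots such as Dionaea and Kippo) as an added Python example that is not HoneySAP's own code: it parses SAProuter route strings, decides whether the requested second hop is a virtual service, an external honeypot or refused, and logs every decision as an observation. The host names, ports, service names, the `parse_route`/`dispatch` helpers and the 3299 default port are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed profile modelled on the deck's first example profile: a SAPRouter
# front service, SAP virtual services that never bind a real address, and
# forwarders to other honeypots. Hosts, ports and names are assumptions.
ROUTER = ("sap-router.example", 3299)
VIRTUAL = {("sapgw.internal", 3300): "gateway", ("sapdisp.internal", 3200): "dispatcher",
           ("sapms.internal", 3600): "message server", ("sapicm.internal", 8000): "icm"}
FORWARD = {("ssh.internal", 22): "kippo", ("files.internal", 445): "dionaea"}

@dataclass
class RouteEvent:
    src: str
    hops: list      # [(host, port, password_supplied), ...] as the adversary asked for them
    outcome: str    # "virtual", "forwarded" or "refused"
    service: str    # which virtual service or external honeypot got the connection

HOP_RE = re.compile(r"/H/([^/]+)(?:/S/([^/]+))?(?:/W/([^/]+))?")

def parse_route(route):
    """Split a SAProuter route string (/H/host/S/service/W/password ...) into hops.
    A hop without /S/ defaults to 3299, the SAProuter port; non-numeric service
    names (e.g. sapdp00) are kept as given so the log shows what was requested."""
    hops = []
    for host, svc, pw in HOP_RE.findall(route):
        port = int(svc) if svc.isdigit() else (svc or 3299)
        hops.append((host, port, bool(pw)))
    if not hops:
        raise ValueError("no /H/ hop in route string")
    return hops

def dispatch(src, route, log):
    """Decide where a route request goes and record the decision in `log`.
    Only routes naming this router as first hop are honoured; the second hop
    selects a virtual service, a forwarder, or is refused (as a saprouttab
    deny would), and every case is logged as an indicator of attack."""
    hops = parse_route(route)
    target = hops[1][:2] if len(hops) > 1 else None
    if hops[0][:2] != ROUTER or target is None:
        ev = RouteEvent(src, hops, "refused", "none")
    elif target in VIRTUAL:
        ev = RouteEvent(src, hops, "virtual", VIRTUAL[target])
    elif target in FORWARD:
        ev = RouteEvent(src, hops, "forwarded", FORWARD[target])
    else:
        ev = RouteEvent(src, hops, "refused", "none")
    log.append(ev)
    return ev
```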
EXAMPLE PROFILE (diagram): adversary on the Internet; HoneySAP exposes a SAP ICM service backed by SAP internal ICF services (ping, SOAP RFC, etc.). 1) identifies the service; 2) scans for exposed ICF services; 3) accesses the ICF services.
EXAMPLE PROFILE (diagram): adversary on the internal network; HoneySAP exposes SAP internal virtual services (gateway, dispatcher, ms, etc.) and a SAP ICM service with internal ICF services (ping, SOAP RFC, etc.). 1) identifies the services; 2) accesses the services.
DEMO TIME
CHALLENGES: core development: modular structure; gevent + scapy/flask
CHALLENGES: more knowledge on each service: packets are not enough, behavior matters
CHALLENGES: detection: non-standard behavior; error messages; http services
CHALLENGES: performance? not sure yet
CHALLENGES: what to log? determine IoA/IoC
CHALLENGES: deployments: make it easier to deploy; integration
CALL FOR CONTRIBUTIONS: run, test, patch, submit; collect & analyze; extend
CALL FOR CONTRIBUTIONS: grab it soon from https://github.com/CoreSecurity/ and http://corelabs.coresecurity.com/ ; GPLv2 license; working on data feed
CONCLUSIONS: more knowledge about services; new source of attack info; different approach for defense
Q&A
THANK YOU! mgallo@coresecurity.com @martingalloar