HoneySAP: Who really wants your money?
Martin Gallo
March 2015
Page 2
Agenda
SAP
SAP security
Threat landscape
Have
Needs
Honeypots
HoneySAP
Approach
Goal
Design
Architecture
Services
Integration
Example profiles
Demo
Challenges
Call to contributions
Conclusions
Page 3
software company
business processes
critical systems
$$$
Page 4
specialized skills
commitment
risk culture
$$$
Page 5
focus on users, roles, SoD
GRC platforms
manual test tools
automated test tools
Page 6
complexity
customization
lack of knowledge
business dynamics
Page 7
fraud
espionage
sabotage
insider & outsider
Page 8
known for years
traditional attacks
targets not disclosing data
now started appearing in media
more recent malware looking for SAP entry point for targeted attacks
Page 9
Targeted attacks
Broad attacks
Page 10
some knowledge distributed weak defenses
Page 11
learn
share
act
Page 14
high / medium / low
research / production
Page 20
add services
add feeds
Page 21
dynamic loader
services, feeds & datastore
Page 22
JSON & YAML
default profiles
Page 23
vagrant + ansible
docker?
Page 24
Architecture diagram:
Core: service manager, session manager, feed manager, datastore manager, logger, loader, config
Services: SAP Router, Message Server, ICM, ..
Feeds: DB, HPFeeds, file, console
Datastore
Libs: gevent, pysap, flask
Page 25
Services: SAP Router, ICM, Message Server, Gateway, ..
Data store
Page 26
HTTP-based services: ICM, Message Server, Web Dispatcher, NW Gateway, ..
PySAP-based services: Router, Message Server, Dispatcher, Gateway
Page 27
don’t bind to real addresses
allows routing/dispatching
Page 28
forwards traffic to ext. services
can be run as a virtual service
Page 29
routing/dispatching, honeynets, deployment
Page 30
hpfeeds, taxii, stix
Page 31
Example profile: SAPRouter service
Diagram: the Internet; adversary; HoneySAP (SAPRouter service); Kippo (SSH); Dionaea (smb, ftp, mysql, etc.); SAP internal virtual services (gateway, dispatcher, ms, icm, etc.)
Steps: 1) identifies the service; 2) discovers; 3) requests route to internally served virtual services; 4) requests route to other exposed honeypots
Page 32
Example profile: SAP ICM service
Diagram: the Internet; adversary; HoneySAP (SAP ICM service); SAP internal ICF services (ping, SOAP RFC, etc.)
Steps: 1) identifies the service; 2) scans for exposed ICF services; 3) access ICF services
Page 33
Example profile: internal network
Diagram: internal network; adversary; HoneySAP (SAP ICM service); SAP internal ICF services (ping, SOAP RFC, etc.); SAP internal virtual services (gateway, dispatcher, ms, etc.)
Steps: 1) identifies the services; 2) access the services
Page 35
modular structure
gevent + scapy/flask
Page 36
packets not enough
behavior
Page 37
detection
non-standard behavior
error messages
http services
Page 38
not sure yet
Page 39
what to log?
determine IoA/IoC
Page 40
deployments
make it easier to deploy
integration
Page 41
run, test, patch, submit
collect & analyze
extend
Page 42
grab it soon from
https://github.com/CoreSecurity/
http://corelabs.coresecurity.com/
GPLv2 license
working on data feed
Page 43
more knowledge about services
new source of attacks info
Page 45
mgallo@coresecurity.com
@martingalloar