HoneySAP: Who really wants your money?
Martin Gallo, March 2015
Page 2
AGENDA
SAP: SAP security, threat landscape, what we have, what we need
Honeypots
HoneySAP: approach, goal, design, architecture, services, integration, example profiles
Demo
Challenges
Call to contributions
Conclusions
Page 3
WHAT IS SAP?
software company
business processes
critical systems
$$$
Page 4
SECURITY IN SAP?
specialized skills
commitment
risk culture
$$$
Page 5
SECURITY IN SAP?
focus on users, roles, SoD
GRC platforms
manual test tools
automated test tools
Page 6
THREATS IN SAP?
complexity
customization
lack of knowledge
business dynamics
Page 7
THREATS IN SAP?
fraud, espionage, sabotage
insider & outsider
Page 8
Targeted attacks: known for years; targets not disclosing data; now started appearing in media
Broad attacks: traditional attacks; more recent malware looking for SAP; entry point for targeted attacks
Page 9
THREAT LANDSCAPE
(diagram contrasting targeted attacks and broad attacks)
Page 10
WHAT DO WE HAVE?
some knowledge, distributed
weak defenses
Page 11
WHAT DO WE NEED?
learn
share
act
Page 12
MEET Honeypots
Page 13
HONEYPOTS
types
goals
implementations
Page 14
HONEYPOTS
interaction: high / medium / low
purpose: research / production
Page 15
HONEYPOTS
gather information
catch malware
deceive/distract
...
Page 16
HONEYPOTS
Page 17
MEET HoneySAP
Page 18
APPROACH
low-interaction
research centric
open source
Page 19
GOALS
specific purpose: identify behavior
flexibility
agility
Page 20
DESIGN
extensible: add services, add feeds
Page 21
DESIGN
modular: dynamic loader for services, feeds & datastore
Page 22
DESIGN
easy to configure: JSON & YAML, default profiles
Page 23
DESIGN
easy to deploy: vagrant + ansible; docker?
Page 24
ARCHITECTURE
(component diagram)
CORE: SERVICE MANAGER, SESSION MANAGER, FEED MANAGER, DATASTORE MANAGER, LOGGER, LOADER, CONFIG
SERVICES: SAP ROUTER, MESSAGE SERVER, ICM, ...
FEEDS: DB, HPFEEDS, FILE, CONSOLE
DATASTORE
LIBS: GEVENT, PYSAP, FLASK
Page 25
ARCHITECTURE
SERVICES: SAP ROUTER, ICM, MESSAGE SERVER, GATEWAY, ...
DATA STORE
Page 26
PySAP-based services: ROUTER, MESSAGE SERVER, DISPATCHER, GATEWAY, ...
HTTP-based services: ICM, MESSAGE SERVER, WEB DISPATCHER, NW GATEWAY, ...
Page 27
SERVICES
virtual services: don't bind to real addresses; allows routing/dispatching
Page 28
SERVICES
forwarder service: forwards traffic to external services; can be run as a virtual service
Page 29
INTEGRATION
honeypots: routing/dispatching, honeynets, deployment
actual systems: routing/dispatching
Page 30
INTEGRATION
standard feeds: hpfeeds, taxii, stix, ...
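The hpfeeds feed named on this slide, shown as an added example (this is not HoneySAP's feed code). It implements the hpfeeds wire format as published by the hpfeeds project: a 4-byte big-endian length, a 1-byte opcode, one-byte length-prefixed strings, OP_INFO carrying the broker name and a nonce, OP_AUTH carrying the ident plus SHA-1(nonce + secret), OP_PUBLISH carrying ident, channel and payload. The broker name, ident, secret, channel name and the published event are constructed values; the `Broker` class is a stand-in for a real broker so the exchange runs offline.

```python
"""hpfeeds publish exchange between a honeypot client and a broker (added example)."""
import hashlib
import hmac
import json
import os
import struct

OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = 0, 1, 2, 3, 4


def frame(op, payload):
    """hpfeeds header: total length (header included) as big-endian int32, then opcode."""
    return struct.pack("!iB", 5 + len(payload), op) + payload


def str8(s):
    """hpfeeds strings are prefixed with a single length byte, so 255 bytes max."""
    b = s.encode()
    if len(b) > 255:
        raise ValueError("string too long for hpfeeds")
    return bytes([len(b)]) + b


def unframe(buf):
    """Return (op, payload, remaining) or None when buf does not yet hold a full frame."""
    if len(buf) < 5:
        return None
    length, op = struct.unpack("!iB", buf[:5])
    if len(buf) < length:
        return None
    return op, buf[5:length], buf[length:]


def take_str8(data):
    n = data[0]
    return data[1:1 + n].decode(), data[1 + n:]


class Broker:
    """Stand-in broker: sends the nonce, checks AUTH, accepts PUBLISH on permitted channels."""

    def __init__(self, name, accounts):
        self.name = name              # broker name announced in OP_INFO
        self.accounts = accounts      # ident -> (secret, set of channels the ident may publish to)
        self.nonce = os.urandom(4)    # fresh per connection; replaying an old AUTH must fail
        self.ident = None
        self.received = []

    def hello(self):
        return frame(OP_INFO, str8(self.name) + self.nonce)

    def handle(self, msg):
        op, payload, rest = unframe(msg)
        assert rest == b""
        if op == OP_AUTH:
            ident, digest = take_str8(payload)
            secret, _ = self.accounts.get(ident, (None, set()))
            if secret is None:
                return frame(OP_ERROR, b"authfail")
            expected = hashlib.sha1(self.nonce + secret.encode()).digest()
            if not hmac.compare_digest(expected, digest):
                return frame(OP_ERROR, b"authfail")
            self.ident = ident
            return None
        if op == OP_PUBLISH:
            ident, rest = take_str8(payload)
            chan, data = take_str8(rest)
            if ident != self.ident or chan not in self.accounts[ident][1]:
                return frame(OP_ERROR, b"accessfail")
            self.received.append((chan, data))
            return None
        return frame(OP_ERROR, b"unknown opcode")


class HoneypotClient:
    """Honeypot side: answers OP_INFO with OP_AUTH, then publishes JSON events."""

    def __init__(self, ident, secret):
        self.ident, self.secret = ident, secret

    def on_info(self, msg):
        op, payload, _ = unframe(msg)
        assert op == OP_INFO
        _name, nonce = take_str8(payload)          # broker name, then the nonce bytes
        digest = hashlib.sha1(nonce + self.secret.encode()).digest()
        return frame(OP_AUTH, str8(self.ident) + digest)

    def publish(self, chan, event):
        return frame(OP_PUBLISH, str8(self.ident) + str8(chan) + json.dumps(event).encode())


def run_exchange(secret="s3cr3t", chan="honeysap.events"):
    """Drive INFO -> AUTH -> PUBLISH in memory; returns what the broker ended up with."""
    broker = Broker("hpfeeds-broker", {"honeysap-01": ("s3cr3t", {"honeysap.events"})})
    client = HoneypotClient("honeysap-01", secret)
    reply = broker.handle(client.on_info(broker.hello()))
    if reply is not None:
        return {"authenticated": False, "error": unframe(reply)[1].decode(), "events": []}
    event = {"service": "saprouter", "peer": "198.51.100.7",          # constructed event
             "route": "/H/honeysap/S/3299/H/sapprd01/S/3200", "action": "denied"}
    reply = broker.handle(client.publish(chan, event))
    if reply is not None:
        return {"authenticated": True, "error": unframe(reply)[1].decode(), "events": []}
    return {"authenticated": True, "error": None,
            "events": [json.loads(d) for _, d in broker.received]}


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(secret="wrong"))
```

Two things to keep in mind when wiring a honeypot to a feed this way: the challenge-response only proves possession of the shared secret, it does not encrypt the published events, so the link to the broker needs its own transport protection, and every ident should be permitted to publish only on its own channel so that one compromised sensor cannot inject into everyone else's data.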
Page 31
EXAMPLE PROFILE: SAProuter service
(diagram) THE INTERNET -> ADVERSARY -> HoneySAP SAProuter service -> SAP internal virtual services (gateway, dispatcher, ms, icm, etc.); other exposed honeypots: Kippo (SSH), Dionaea (smb, ftp, mysql, etc.)
1) identifies the service
2) discovers open routes
3) requests route to internally served virtual services
4) requests route to other exposed honeypots
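The profile above, together with the design points from earlier slides (a dynamic loader driven by a JSON/YAML profile, virtual services that never bind to a real address, a forwarder that hands traffic to another honeypot), shown as an added example that is not HoneySAP's own code. The route-string syntax `/H/host/S/service/P/password` and the `sapdpNN` = 3200+NN / `sapgwNN` = 3300+NN service-name conventions are SAProuter's and SAP's own; everything else (the profile keys, the class names, the `register` decorator, the peer address, the event field names) is an assumption made for this example.

```python
"""Profile-driven virtual services with SAProuter-style route dispatch (added example)."""
import json
import re

# Constructed profile. Key names are assumptions for this example, not HoneySAP's schema.
PROFILE_JSON = """
{
  "router": {"name": "honeysap", "port": 3299},
  "services": [
    {"type": "dispatcher", "virtual": true, "host": "sapprd01", "port": 3200},
    {"type": "gateway",    "virtual": true, "host": "sapprd01", "port": 3300},
    {"type": "icm",        "virtual": true, "host": "sapprd01", "port": 8000},
    {"type": "forwarder",  "virtual": true, "host": "bastion",  "port": 22,
     "target": "kippo:2222"}
  ]
}
"""

SERVICE_TYPES = {}


def register(type_name):
    """Make a service class loadable under the type name used in the profile."""
    def deco(cls):
        SERVICE_TYPES[type_name] = cls
        return cls
    return deco


class VirtualService:
    """Never bound to a socket; only reachable through the router's route table."""
    kind = "virtual"

    def __init__(self, host, port, **opts):
        self.host, self.port, self.opts = host, port, opts

    def connect(self, peer):
        return {"action": "served", "service": self.kind, "host": self.host, "port": self.port}


@register("dispatcher")
class Dispatcher(VirtualService):
    kind = "dispatcher"


@register("gateway")
class Gateway(VirtualService):
    kind = "gateway"


@register("icm")
class ICM(VirtualService):
    kind = "icm"


@register("forwarder")
class Forwarder(VirtualService):
    """Looks like a virtual host to the attacker; actually relays to an external honeypot."""
    kind = "forwarder"

    def connect(self, peer):
        ev = super().connect(peer)
        ev.update(action="forwarded", target=self.opts["target"])
        return ev


def load_profile(text):
    """Instantiate every service in the profile; an unknown type fails loudly at load time."""
    cfg = json.loads(text)
    table = {}
    for spec in cfg["services"]:
        cls = SERVICE_TYPES[spec["type"]]
        opts = {k: v for k, v in spec.items() if k not in ("type", "host", "port", "virtual")}
        svc = cls(spec["host"], spec["port"], **opts)
        table[(svc.host, svc.port)] = svc
    return cfg["router"], table


HOP_RE = re.compile(r"/H/([^/]+)(?:/S/([^/]+))?(?:/P/([^/]+))?")


def service_port(s):
    """Numeric service, or SAP's sapdpNN / sapgwNN naming; anything else is unresolvable."""
    if s.isdigit():
        return int(s)
    m = re.fullmatch(r"sap(dp|gw)(\d\d)", s)
    return {"dp": 3200, "gw": 3300}[m.group(1)] + int(m.group(2)) if m else None


def parse_route(route):
    """'/H/h1/S/p1/H/h2/S/p2' -> [(h1, p1, pw), (h2, p2, pw)]; a missing /S/ means 3299."""
    if not route.startswith("/H/"):
        raise ValueError("not a route string")
    return [(h, service_port(s) if s else 3299, pw or None) for h, s, pw in HOP_RE.findall(route)]


def dispatch(router, table, route, peer="198.51.100.7"):
    """Resolve the hop after this router against the virtual-service table; return the event."""
    event = {"service": "saprouter", "peer": peer, "route": route}
    try:
        hops = parse_route(route)
    except ValueError as exc:
        event.update(action="denied", reason=str(exc))
        return event
    if not hops or hops[0][0] != router["name"]:
        event.update(action="denied", reason="first hop is not this router")
        return event
    if len(hops) < 2:
        event.update(action="denied", reason="no target hop")
        return event
    host, port, _password = hops[1]          # remaining hops would be passed on to that hop
    svc = table.get((host, port))
    if svc is None:
        event.update(action="denied", reason="route not permitted", target=f"{host}:{port}")
        return event
    event.update(svc.connect(peer))
    return event


ROUTER, TABLE = load_profile(PROFILE_JSON)

if __name__ == "__main__":
    for r in ("/H/honeysap/S/3299/H/sapprd01/S/sapdp00", "/H/honeysap/S/3299/H/bastion/S/22",
              "/H/honeysap/S/3299/H/10.0.0.9/S/3200"):
        print(dispatch(ROUTER, TABLE, r))
```

Every route request, permitted or not, produces an event: the denied ones are exactly what step 2 of the profile ("discovers open routes") looks like from the honeypot's side, and the target host/port pairs an adversary probes tell you what they already know about the network behind the router.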
Page 32
EXAMPLE PROFILE: SAP ICM service
(diagram) THE INTERNET -> ADVERSARY -> HoneySAP SAP ICM service -> SAP internal ICF services (ping, SOAP RFC, etc.)
1) identifies the service
2) scans for exposed ICF services
3) accesses ICF services
Page 33
EXAMPLE PROFILE: internal network
(diagram) INTERNAL NETWORK -> ADVERSARY -> HoneySAP SAP ICM service with SAP internal ICF services (ping, SOAP RFC, etc.) and SAP internal virtual services (gateway, dispatcher, ms, etc.)
1) identifies the services
2) accesses the services
Page 34
DEMO TIME
Page 35
CHALLENGES
core development: modular structure; gevent + scapy/flask
Page 36
CHALLENGES
knowledge on each service: packets are not enough, behavior matters
Page 37
CHALLENGES
detection (of the honeypot): non-standard behavior, error messages, http services
Page 38
CHALLENGES
performance? not sure yet
Page 39
CHALLENGES
what to log? determine IoA/IoC
Page 40
CHALLENGES
deployments: make it easier to deploy; integration
Page 41
CALL FOR CONTRIBUTIONS
run, test, patch, submit
collect & analyze
extend
Page 42
CALL FOR CONTRIBUTIONS
grab it soon from https://github.com/CoreSecurity/ and http://corelabs.coresecurity.com/
GPLv2 license
working on data feed
Page 43
CONCLUSIONS
more knowledge about services
new source of attack information
different approach for defense
Page 44
Q&A