SAP Cyber Security Deception

Posted by Klea Duro on Apr 26, 2024 8:15:00 AM

But what does it mean? Why might this be something to consider in the future?

Deception

But what is SAP doing about deceptive applications and RASP? What do these terms mean?

 

Security Deception

Security deception is an approach to security from a different point of view. Today, more than ever, systems are complex and hard to secure, for example against stolen credentials or zero-day attacks.

This is why using "non-real" systems to study malicious behavior can be important: both to learn how to respond in conditions where we often cannot anticipate the problem (e.g., a zero-day attack), and to identify possible attacks and divert them to non-critical clone machines.

The aim is to create systems that look real in every respect but are not the real ones, purely to see whether they are vulnerable and to assess the effects of a possible attack.

 

What does RASP mean?

RASP is an acronym for Runtime Application Self-Protection. The idea is to have applications that can notice when "something is wrong" and then act accordingly.

In practice, these are parts of the code, or libraries, that trigger when certain events occur, protecting the application itself from an ongoing attack.

 

What are the main characteristics of these applications?

  • Detection of potentially critical behavior patterns
  • Detection of attacks in real time
  • The ability to divert any attack to dummy or honeypot machines
  • Wasting the attacker's time: once the attacker has landed on a honeypot, keeping them busy there without ever reaching a real target
  • Using the knowledge gained on honeypot machines during attacks to protect the real machines

 

What is SAP doing about this?

The idea under investigation by SAP is to create honeytokens, i.e., specific patterns for attack recognition, so that attacks can be directed to honeypot machines or applications and knowledge about them can be gained.

Honeytokens could be applied at the different technology levels in use today: applications, databases, platforms, and so on. Read more here.

 

But besides honeytokens, what other tools could potentially be considered?

  • Suspicious sessions (session tainting)
    • Marking a session as critical based on the actions taken by a given attacker
  • Hijacking (session switching)
    • Redirecting suspicious sessions to dummy systems
  • Generation of bogus, but plausible, data (honeypot data generation)
    • Fictitious data that is fake yet looks real, so as to induce the attacker to trust the data despite being on a purpose-built machine
  • Behavioral control (honeypot monitoring)
    • Monitoring the behavior of attackers within the machines created for this purpose
  • Log generation
    • Generating and analyzing logs for correlation purposes
  • Behavior pattern generation
    • Deriving recurring patterns from the collected analysis/data
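As an added illustration of session tainting, session switching, log generation and pattern generation from the list above (example code, not SAP's or Aglea's): a toy Python gateway that marks a session as suspicious on its first access to a honeytoken, serves the rest of that session from a decoy backend, writes a correlation log, and derives the access sequence of each tainted session. The gateway class, table names and request stream are all hypothetical, constructed values.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Honeytokens: decoy objects no legitimate workflow ever touches, so any
# access is a high-confidence signal. Names are constructed sample values.
HONEYTOKENS = {"ZHR_SALARY_BACKUP", "ZFI_BANK_EXPORT"}


@dataclass
class SessionState:
    tainted: bool = False
    history: list[str] = field(default_factory=list)   # tables touched


class DeceptionGateway:
    """Hypothetical gateway sitting in front of the real and decoy backends."""

    def __init__(self) -> None:
        self.sessions: dict[str, SessionState] = {}
        self.log: list[dict] = []   # correlation log, one entry per request

    def handle(self, session_id: str, user: str, table: str) -> str:
        """Route one table access; returns which backend served it."""
        state = self.sessions.setdefault(session_id, SessionState())
        state.history.append(table)
        # Session tainting: the first touch of a honeytoken marks the session.
        if table in HONEYTOKENS:
            state.tainted = True
        # Session switching: once tainted, every later request (even for real
        # tables) is served by the decoy, so the attacker's time is wasted.
        backend = "decoy" if state.tainted else "real"
        self.log.append({"session": session_id, "user": user, "table": table,
                         "backend": backend, "tainted": state.tainted})
        return backend

    def attack_patterns(self) -> dict[str, list[str]]:
        """Behavior pattern generation: access sequence per tainted session."""
        return {sid: list(s.history)
                for sid, s in self.sessions.items() if s.tainted}


# Constructed request stream: one normal session, one that trips a honeytoken.
SAMPLE_REQUESTS = [
    ("s1", "alice", "MARA"), ("s1", "alice", "KNA1"),
    ("s2", "mallory", "MARA"), ("s2", "mallory", "ZHR_SALARY_BACKUP"),
    ("s2", "mallory", "KNA1"),
]


def run_sample() -> DeceptionGateway:
    gw = DeceptionGateway()
    for sid, user, table in SAMPLE_REQUESTS:
        gw.handle(sid, user, table)
    return gw
```

Note that the pre-taint requests of a tainted session (here s2 reading MARA) are kept in the pattern, since the reconnaissance that precedes the honeytoken hit is part of what a defender wants to correlate.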

Only an application-specific design of this kind could support such a technology. We will see!

Subscribe to the blog if you have not already done so!
