New ways needed to fight against targeted attacks and advanced malware – SAP Enterprise Threat Detection integrated with Trend Micro.
UPDATE 30/05/2016: New integration based on SAP ETD SP03
Standard protection products’ signature-based, one-size-fits-all approach cannot deal with the custom nature of targeted attacks and their dedicated perpetrators. Advanced attack groups utilize malware, social engineering, and hacker techniques specially customized to the task of evading your defenses and successfully attaining their goals against your company.
By design, they will defeat standard security products utilizing generic signatures. Combating these custom attacks requires a custom defense — a new strategy that recognizes the need for a specific approach and relevant intelligence that is uniquely adapted to each organization and its attackers. A custom defense solution augments an organization’s standard security by detecting and analyzing advanced threats targeting the organization, immediately adapting protection against the attack, and enabling a rapid remediation response.
SAP systems are “high value targets” for an attacker and the data of SAP ERP system can be described as mission critical for every company. Therefore, attacks on such systems should be prevented or at least recognized in an early stage of an attack.
SAP introduced a new solution SAP Enterprise Threat Detection to detect internal or external threats against the business system landscape. The solution detect attacks based on pre-delivered patterns, which monitors the system landscape based suspicious user or system behavior. There are various ways how to attack a SAP system. This could be standard attack techniques like a brute force attack, internal misuse of permission or development rights, exploit unsecure system configuration and identity theft.
Identity theft itself is a very widespread attack and is starting on the employee’s device of a company and not directly against the business system. If an attacker was able to infect a device (personal computer, mobile device …) of an employee with access to the SAP systems, it is possible to steal the SAP credentials and download or manipulate sensitive business information with the permissions of the stolen credentials.
To prevent these kind of threats, it makes sense to integrate modern security solutions like SAP Enterprise Threat Detection and the Trend Micro solutions to combine each of their strengths. SAP Enterprise Threat Detection is specialized to detect threats against business system landscapes and Trend Micro is very strong on the network, infrastructure and endpoint level.
So let us start with an example of an identity theft attack. Modern attacks have often the following structure (simplified for our discussion):
The picture above describes an attack against a device of a business user with high SAP access rights. The first step is to place malware on the device. There are various ways to do it like drive-by-exploits, phishing, mails, USB sticks. After the malware is on the device, it starts to get further instructions from the control server. The malware can monitor the user input and wait until the business user logon to a SAP system with its user and password. If the malware was able to steal the SAP credentials, it can try to emulate a user session against the SAP system.
To counter such attacks, modern security solutions like SAP Enterprise Threat Detection and Trend Micro Deep Discovery Inspector can be combined. Both solutions cover important tasks during an incident. Integration between security solutions is an important factor to fight modern attacks on IT infrastructure.
The big picture of the integrated approach
The picture below shows a target attack against a company. Target is a PC of an employee in a company with a host of permissions in the business systems landscape. Trend Micro is able to collect information on the network level, email communication (in case the malware was send my mail) and endpoint information. Furthermore, Trend Micro can execute potential malware in a sandbox environment to analyze the behavior. SAP Enterprise Threat Detection is tracking the information flow in the business systems, which are in fact the end target of the attack. The solution monitors transaction behavior, add business context information, monitors the audit log (there are much more sources available).
In the end, both solutions provide the IT security team the insight on the infrastructure level and on application/business level to enable to right actions.
What is Trend Micro Deep Discovery in detail?
Trend Micro Deep Discovery is an advanced threat protection platform that enables you to detect, analyze, and respond to today’s stealthy, targeted attacks. Using specialized detection engines, custom sandboxing, and global threat intelligence from the Trend Micro Smart Protection Network, Deep Discovery defends against attacks that are invisible to standard security products.
Deployed individually or as an integrated solution, Deep Discovery solutions for network, email, endpoint, and integrated protection provide advanced threat protection where it matters most to your organization.
Trend Micro Deep Discovery Inspector is a network appliance that monitors traffic across all ports and more than 100+ protocols. Using specialized detection engines and custom sandboxing, it identifies the malware, C&C, and activities signaling an attempted attack. Detection intelligence aids your rapid response.
This is how Deep Discovery Inspector detects attacks & threats and how it reacts (basic overview):
How to integrate Trend Micro Deep Discovery with SAP Enterprise Threat Detection on a technical level
Below a screenshot of Trend Micro Deep Discovery. The solution found a suspicious activity (targeted attack detection) on a PC of an employee. There is one host involved. The goal is now automatically send the information to SAP Enterprise Threat Detection, to raise the sensitivity of the system for all events in relation to the host or to provide the security team the possibility to identify any potential harm in the business landscape.
It is easy to configure Trend Micro Deep Discovery to send alerts to other systems. The goal is now to enable SAP Enterprise Threat Detection to understand the CEF messages from Trend Micro.
To be useful in SAP Enterprise Threat Detection, the information from Deep Discovery must be normalized, so that it can be used in the forensic lab. This is where threats are analyzed and attack detection patterns are created.
The Common Event Format (CEF) is one of the syslog formats that Deep Discovery Inspector supports to enable integration with third-party systems. Referring to the Trend Micro Syslog Content Mapping Guide we can see an example of what this looks like in the CEF Threat Log:
CEF:0|Trend Micro|Deep Discovery Inspector|3.8.1175|20|Malware URL requested – Type 1|6|act=10 .201.156.143 dvcmac=00:0C:29:A6:53:0C dvchost=ddi38-143 deviceExternalId=6B593E17AFB7-40FBBB28-A4CE-0462-A536 rt=Mar 09 2015 11:58:25 GMT+08:00 app=HTTP deviceDirection=1 dhost=www.freewebs.com dst=18.104.22.168 dpt=80 dmac=00:1b:21:35:8b:98 shost=172.16.1.197 src=172.16.1.197 spt=12121 smac=fe:ed:be:ef:5a:c6 cs3Label=HostName_Ext cs3=www.freewebs.com fname=setting.doc fileType=0 fsize=0 act=not blocked cn3Label=Threat Type cn3=1 destinationTranslatedAddress=22.214.171.124 sourceTranslatedAddress=172.16.1.197 cnt=1 cs5Label=CCCA_DetectionSource cs5=GLOBAL_INTELLIGENCE cn1Label=CCCA_Detection cn1=1 cat=Callback cs6Label=pAttackPhase cs6=Command and Control Communication
What needs to be done to integrate the products?
- Import the Trend Micro ESP example project which is delivered with SAP Enterprise Threat Detection 1.0 SP3
- Configure the SAP ESP project and execute it
- Test the integration and some troubleshooting tips
Deep Discovery Inspector will send critical alerts in the CEF format to SAP Event Stream Processor (ESP). The software solution is part of SAP Enterprise Threat Detection (ETD). ESP will then map the format from Trend Micro to the format of SAP Enterprise Threat Detection and send it directly to the SAP HANA database (ETD running on SAP HANA).
The SAP Enterprise Threat Detection installation package (HCO_SECURITY_MON.tgz), which you downloaded from the SAP Service Marketplace (http://service.sap.com/), also contains the Trend Micro example project for SAP ESP.
Now we have to import this project to SAP ESP. Please open your SAP ESP studio and change to the ESP authoring perspective. Please import the Trend Micro file.
On the picture below you can see the structure of the Trend Micro project. There is a “Socket_Input”, which is a TCP/IP socket, since Trend Micro will send the data via TCP/IP. The next box is “InputStream”, which is handling incoming data streams. “Parse data” take care about the mapping of the data to SAP ETD. The output stream will be send to the standard SAP ESP project transfer_log_events to reuse the standard functionality.
Please provide first the information about your ESP cluster:
Please ensure correct binding in the Trend Micro project. See next picture.
On the parameter tab, you can find the TCP/IP information required by Trend Micro.
Now you can run the Trend Micro project on your SAP ESP server (local or on the productive server)
You can test it now manually to ensure everything works. Please change the perspective to “ESP Run” in the SAP ESP studio. Click on the input stream and choose “Select the Stream for Manual Input”.
You can paste a test string into the text input field and use the string below. Please adjust the time settings.
CEF:0|Trend Micro|Deep Discovery Inspector|3.8.1175|20|Malware URL requested – Type 1|6|act=10 .201.156.143 dvcmac=00:0C:29:A6:53:0C dvchost=ddi38-143 deviceExternalId=6B593E17AFB7-40FBBB28-A4CE-0462-A536 rt=May 27 2016 10:58:25 GMT+02:00 app=HTTP deviceDirection=1 dhost=www.freewebs.com dst=126.96.36.199 dpt=80 dmac=00:1b:21:35:8b:98 shost=172.16.1.197 src=172.16.1.197 spt=12121 smac=fe:ed:be:ef:5a:c6 cs3Label=HostName_Ext cs3=www.freewebs.com fname=setting.doc fileType=0 fsize=0 act=not blocked cn3Label=Threat Type cn3=1 destinationTranslatedAddress=188.8.131.52 sourceTranslatedAddress=172.16.1.197 cnt=1 cs5Label=CCCA_DetectionSource cs5=GLOBAL_INTELLIGENCE cn1Label=CCCA_Detection cn1=1 cat=Callback cs6Label=pAttackPhase cs6=Command and Control Communication
Let us check now the SAP Enterprise Threat Detection user interface (forensic lab). We can see a new Trend Micro log type, which indicates that data was received.
You can combine now the intelligence of Trend Micro with SAP Enterprise Threat detection.