Threat Modeling in SAP Landscape
SAP servers are often connected to each other to facilitate communication and transfer of data between systems. This interconnectivity allows for the seamless exchange of information, making it easier to manage business processes and decision-making across the organization. For example, an SAP production server may be connected to a test server to allow for the transfer of data and testing of new updates and configurations. Additionally, a central SAP server may be connected to multiple satellite servers in different locations to allow for central management and coordination of operations.
However, these connections can also present security risks if not properly managed. Attackers can abuse them to move laterally within the network, potentially compromising additional systems without exploiting any software vulnerability on the target (see the remote login functionality example). This highlights the importance of proper management and secure configuration of these connections, which is where the Threat Modeling module of the RedRays Security Platform V1 comes into play.
The Threat Modeling module of the RedRays Security Platform V1 is designed to help security administrators identify and manage internal connections between SAP systems. This feature is crucial in protecting against attackers who could exploit these connections to move laterally within a network and compromise additional systems.
The module extracts internal connections between SAP systems and generates an SAP Risk Map, which highlights potential areas of concern. The map allows users to take appropriate measures to manage or remove these connections or monitor for malicious activity.
The Threat Modeling module of the RedRays Security Platform V1 supports the following internal connections between SAP systems:
- Type_H = HTTP Connection to an SAP System
- Type_G = HTTP Connection to an External Server
- Type_3 = ABAP Connection
- Type_L = Logical Destination
- Type_W = WebSocket RFC Destination
These different types of connections are analyzed and displayed on the SAP Risk Map.
Threat modeling in combination with the Vulnerability Assessment module is a powerful tool for SAP security specialists. The Vulnerability Assessment module provides a comprehensive analysis of the security posture of SAP systems, identifying potential vulnerabilities and areas of concern. The results of the security audit are then transferred to the Threat Modeling module, which builds an SAP Risk Map based on the internal connections and existing vulnerabilities between systems. This map highlights in red the connections that could potentially be compromised, providing a visual representation of the risk and allowing security administrators to quickly identify areas of concern.
This tool provides a powerful and effective way to assess and manage risk within SAP systems, making it an essential tool for SAP security specialists. The integration of the Vulnerability Assessment module and Threat Modeling module provides a comprehensive and holistic approach to SAP security, ensuring that organizations can effectively manage risk and maintain the security of their SAP systems.
On the map below, you can see that there are a few SAP servers that are connected to each other.
The red one is an SAP system on which the RedRays Security Platform identified a high-severity vulnerability. By compromising the server 22.214.171.124, an attacker could extract and decrypt the stored passwords for the SAP servers it connects to, in particular the password for 10.10.100.48.
After jumping to the 10.10.100.48 server, the attacker could compromise the next server in the chain, for example 126.96.36.199.
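To make the risk-map logic concrete, here is an added Python example (my own, not RedRays code) that takes a constructed list of destinations, marks every credential-bearing destination reachable from a compromised system red, and reports the set of systems an attacker could pivot to. It generalises the three-server chain above to any number of systems; the system IDs, destination names and the stores-credentials flag are assumptions.

```python
from collections import deque

# Constructed sample of RFC destinations, as a security team might export them
# from each system's destination table (hypothetical data, not from the product).
# Fields: source system, destination name, SM59 type, target system, stored credentials?
DESTINATIONS = [
    ("PRD", "TO_QAS_ABAP", "3", "QAS", True),
    ("QAS", "TO_DEV_HTTP", "H", "DEV", True),
    ("DEV", "TO_PRD_WS",   "W", "PRD", True),
    ("PRD", "TO_EXT_API",  "G", "EXT-API", True),
    ("DEV", "TO_HR_TRUST", "3", "HR",  False),  # trusted logon, no password stored
]

def build_graph(destinations):
    """Adjacency list: source system -> [(dest_name, type, target, stores_credentials)]."""
    graph = {}
    for src, name, dtype, target, creds in destinations:
        graph.setdefault(src, []).append((name, dtype, target, creds))
    return graph

def risk_map(destinations, vulnerable):
    """Colour each destination and compute the blast radius of `vulnerable` systems.

    A destination is red when its source system is reachable by the attacker and
    it stores credentials that could be extracted and decrypted. Credential-less
    destinations (trusted RFC, SNC) are left green here: they need a separate
    review of trust relationships, which this example does not model.
    """
    graph = build_graph(destinations)
    colours = {d[1]: "green" for d in destinations}
    reachable = set(vulnerable)
    queue = deque(vulnerable)
    while queue:            # breadth-first walk over credential-bearing edges
        system = queue.popleft()
        for name, _dtype, target, creds in graph.get(system, []):
            if not creds:
                continue
            colours[name] = "red"
            if target not in reachable:
                reachable.add(target)
                queue.append(target)
    return colours, reachable

if __name__ == "__main__":
    colours, reachable = risk_map(DESTINATIONS, {"PRD"})
    for name, colour in colours.items():
        print(f"{colour:5} {name}")
    print("systems exposed via stored credentials:", sorted(reachable))
```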
Is there a particular reason why Type_T destinations are not supported? At a Type_T destination, a middleware server such as SAP PI/PO or SAP Business Connector might be connected. (Of course, Type_T destinations do not contain logon credentials. Authentication on the middleware system is performed based on the current SAP user on the ABAP side, or using SNC or an assertion ticket. So I don't know what could be done here in order to attack such a destination?!)
Thank you for the feedback and question.
For type T we have done some research; we are on the way to deploying and implementing it 🙂