Picture this.

You’re wrapping up typical month-end closing work as an SAP systems administrator, a series of tasks you’ve done a thousand times.

Just as you’re about to put on the finishing touches, this run-of-the-mill routine becomes anything but. Your SAP security systems notify you of unauthorized access to change a vendor in the vendor master and start posting manual payments within your environment.

This moment and the ensuing 24 hours are absolutely critical. It’s a stretch of time that will determine whether your organization successfully mitigates this security breach or becomes the latest statistic in a long line of costly hacks. These few short hours could make a multimillion-dollar difference.

The Initial Response

So how do you make the most of those first 24 hours, to stave off the unthinkable? Let’s go through the process, step-by-step.

Alert Validation

The very first thing you need to do during an SAP security incident response is determine whether the threat is real. False positives are common in SAP security, thanks to the often-customized nature of the software and to bad user practice. This is an issue in and of itself. False positives can have a numbing effect, causing administrators to neglect alerts that require attention and care.

This alert fatigue is just as dangerous as a breach. A careless approach is never best practice in SAP security, no matter how often your system is alerting you to benign events. That means you need to take all alerts seriously.

  1. Validation: Examine the context of the alert—the affected system, user accounts, business processes, etc. For example, if your system alerts you to multiple failed login attempts to a privileged account, you should verify the location and time of those attempts and compare them to the location and schedule of the account owner. An important note, gather information from outside the SAP systems as well.
  2. Assessment checklist: Evaluate key questions related to the incident alert: Did the event that triggered the alert occur outside of normal business hours? Does it align with change management windows? Are there corresponding approved change requests?
  3. Initial severity determination: Identify the system(s) and tables that have been affected.
  4. Business impact evaluation: Determine whether sensitive data has been compromised.

Immediate Actions

Once an alert has been validated as real, your SAP security incident response must shift into high gear. Having successfully penetrated an environment, hackers can breach further, gaining access to more sensitive data. The speed and efficiency of your response is paramount.

Follow this process for taking immediate action.

  1. Account suspension: Execute your account suspension protocols carefully. For example, if a privileged account is involved in the incident, you must ensure backup admin access remains available throughout the duration of that privileged account’s suspension.
  2. Evidence preservation: Before implementing any changes, be sure to capture system logs, transaction records, and user activity data.
  3. Initial containment: Take measures to mitigate the breach, like blocking suspicious IP addresses, disabling compromised user accounts, and restricting access to affected systems.
  4. Emergency communications: Follow your established protocols to notify key stakeholders while maintaining confidentiality in order to prevent hackers from learning they’ve been detected.

Investigation & Analysis

You’ve identified the issue and taken the initial steps toward remediation. The next phase of your SAP security incident response is about drilling down to the details.

Forensic Data Collection

SAP systems are complex environments, and that should work in your favor here. The software keeps extensive logging data, which will be invaluable to you as you attempt to figure out the nature of the breach and how to rectify it.

Mine the following information from your SAP environment to kickstart these efforts.

  1. Security audit logs: Look to see what user activities, system access attempts, and changes were made to security settings that may be impacting the incident.
  2. System change logs: Examine this record of modifications made to SAP objects, configurations, as well as system customizations.
  3. Table/Document Change Logs: Determine which tables, documents, and other data was affected
  4. Transaction records: Determine which business processes were accessed and what actions were performed.
  5. Create a user activity timeline: Since hackers often leverage multiple systems and interfaces, SAP security administrators need to correlate activities across systems to learn the full scope of the incident. A user activity timeline helps you to see the breach holistically. Be sure to examine RFC connections, interface traffic, and batch job execution logs.

It’s easy to be overwhelmed by all the data in the SAP systems log, especially when you’re in a time-sensitive, emergency situation.

Threat Assessment

Now that you’re armed with evidence and data, it’s time to determine the severity of the SAP security incident.

  1. Identify attack vectors: Hackers commonly exploit vulnerabilities in custom ABAP code, misconfigurations in SAP gateway settings, and weaknesses in transport management. Understanding those approaches will help you in your SAP security incident response.
  2. Determine scope: Building on what you’ve ascertained about attack vectors, investigate whether your attacker(s) moved laterally through your SAP environment, potentially through trusted RFC connections or compromised service accounts.
  3. Evaluate data exposure: Review table access logs, transaction usage, and authorization modifications. You must also examine critical tables containing sensitive business data, customization settings, and user management information.
  4. Assess impact: Reviewing what you’ve learned over the first three steps will help you draw conclusions on the overall impact of the breach.

Containment & Control

With your initial response in place and having figured out exactly what you’re dealing with, this is the point at which your SAP security incident response mitigates the attack.

System Lockdown

Implementing containment measures in SAP systems should be done carefully with balance. Moving swiftly is important, but don’t let that urgency cause a misstep. There is such a thing as overdoing it, which could harm business functions.

  1. Block transport routes: Do this to prevent unauthorized changes.
  2. Emergency access control changes: Your protocols here should follow the principle of least privilege, temporarily reducing authorizations while maintaining essential business functions.
  3. Manage system connections: Critical transaction suspension may be necessary, but careful consideration must be made about the overall impact to the business. For example, suspending financial posting transactions during month-end closing could severely hinder operations.
  4. Isolate affected systems: This should account for system dependencies and interface requirements to prevent unintended disruptions.

Business Continuity

When you’ve suffered a SAP security attack, you have a difficult needle to thread: Enacting an effective response without hampering the organization’s business. To do this, you must have predetermined alternative approaches at the ready.

These are temporary process workarounds, and they should:

  • Maintain critical business operations: Reduce system access while keeping essential business processes in place. For example, implement manual approval processes or temporary interface bypasses.
  • Manage stakeholder expectations: Keep communication open and clear. Explain in simple terms the nature of the security situation, the impact to the business, and the estimated resolution time, all the while maintaining security confidentiality.

Remediation & Recovery

Having contained and limited the attack, the next stage of your SAP security incident response is to undo what’s been done. Here’s how.

System Cleanup

You’ll have to reprise the carefulness with which you locked the system down when you clean up after a hacker. Remember that there are no shortcuts. And now, with your containment and control measures in place, you don’t have to be as rushed. You’ll still want to move swiftly to accomplish the following.

  1. Reverse system changes: Identify and revert unauthorized modifications to custom code and authorization data.
  2. Reverse secure configurations: Identify and revert unauthorized modifications to configuration settings, following a documented baseline to ensure security parameters are properly reset across the SAP environment.
  3. Recertify user access: Review and revalidate all user authorizations, particularly focusing on privileged accounts and emergency access procedures.
  4. Verify security settings: Ensure all security parameters, including profile parameters and kernel settings, align with your organization’s standards.

Service Restoration

Bringing your SAP environment back to 100% should be an exhaustive process. You must check not only technical components but also business process configurations. A phased restoration should follow a predetermined sequence, starting with essential business functions and gradually expanding to full operations.

We recommend addressing:

  • Systematic verification of system integrity
  • Coordinated access restoration procedures
  • Controlled reactivation of business processes
  • Monitoring for potential incident recurrence

Post-Incident Activities

You’ve successfully identified the issue(s), repelled the attack, and brought your SAP landscape back online to 100%. At last, you can finally breathe a sigh of relief.

But the work isn’t done.

In fact, what comes next is arguably the most important facet of SAP security incident response. Why? Because you absolutely must learn from the attack. It’s an opportunity to improve your defenses, so that your organization isn’t put in this position again.

Your post event game plan should include the following activities:

Documentation & Analysis

  1. Create detailed timelines of the incident and response: Document every action taken during the incident from detection to resolution, including timestamps and responsible personnel, to have a comprehensive incident timeline.
  2. Conduct thorough root cause analysis: Investigate and outline the underlying causes of the incident to understand how and why the breach occurred and to prevent future occurrences.
  3. Map the attack chain across your different SAP systems: Trace the attacker’s path through your network to identify compromised systems and understand the sequence of events during the attack.
  4. Identify and address control gaps: Pinpoint deficiencies in your security controls that allowed the attack to succeed and take corrective actions to strengthen these areas.

But the work isn’t quite done. In fact, what comes next is arguably the most important facet of SAP security incident response. Why? Because you absolutely must learn from the attack. It’s an opportunity to improve your defenses so that your organization isn’t put in this position again. Your post-event game plan should also include an evaluation and enhancement to your existing processes:

Process Enhancement

  1. Update response procedures based on lessons learned: Review the incident response process and integrate adjustments and improvements based on the insights gained from the recent attack. This ensures that future responses are more effective and efficient.
  2. Refine detection rules to prevent similar incidents: Analyze the attack patterns and techniques used in the breach to fine-tune your detection rules. This helps in identifying and mitigating similar threats promptly in the future.
  3. Enhance monitoring capabilities across your SAP environment: Augment your existing monitoring tools and practices to cover more aspects of your SAP systems. This can include increasing the frequency of log reviews, deploying advanced analytics, and using machine learning to detect anomalies.
  4. Develop targeted training programs: Create focused training sessions for your team based on the weaknesses and gaps identified during the incident. This can involve simulated attack scenarios, workshops on new security measures, and regular drills to keep the team prepared.

Building Organizational Readiness

No matter how talented and knowledgeable you and your team may be, your SAP security incident response will not be effective without a well-researched and well-rehearsed plan. After all, hackers are constantly innovating, devising creative new ways to penetrate SAP systems. That means you as an SAP security professional need to be just as—if not more—industrious.

Response Team Structure

It goes without saying that your organization must have a group dedicated to handling SAP attacks. But the specifics of that group and how it’s broken down are vital to its success.

Your SAP security incident response team should have:

  • Clearly defined roles and responsibilities
  • Established escalation paths with contact information
  • Communication protocols for different stakeholder groups
  • Cross-team coordination procedures

Playbook Development

Just as important as an intentionally designed team is an SAP incident response playbook. This resource serves as your organization’s lodestar, informing the who, what, where, when, why, and how of SAP security incident response.

It should include:

  • Templates for common incident types
  • Decision trees for responses for various scenarios
  • Communication flowcharts for stakeholder engagement
  • Recovery checklists tailored to SAP systems

Just as with sports, teams and playbooks aren’t very successful without practice. The same is true for teams and playbooks in SAP security incident response. In addition to everything we’ve already covered here, your organization should be regularly simulating SAP security attacks to build familiarity and continuity with your plans, procedures, and protocols. As the old saying goes: Practice makes perfect.

Remember, SAP Security Preparedness Is Neverending

No matter the circumstances, there’s no such thing as guaranteed cybersecurity. That’s especially true for SAP, a software made for the sake of collaboration and therefore inherent with vulnerabilities by way of greater points of access. Hackers target SAP environments for this very reason. And now with greater adoption of the cloud, SAP’s security vulnerabilities are growing.

That means you must use every resource at your disposal to safeguard your organization’s SAP systems. You need the fundamentals of a solid SAP security plan, robust monitoring, as well as a roadmap for the future.

You need a meticulous incident response program, too. And what would take that program to the next level is an industry-leading partner who specializes in SAP security. That’s NO MONKEY. Our SAP Security Advisory supports each phase of incident response:

  • Expert guidance during initial response
  • Forensic analysis support
  • Containment strategy assistance
  • Recover planning support
  • Help developing and enhancing response procedures

Whether you’re trying to strengthen your SAP security incident response or building it from the ground up, NO MONKEY has the expertise and experience to help your organization meet the demands of the moment and prepare for the future.