As digital transformation accelerates across industries, cybercriminals are becoming more sophisticated and opportunistic. The growing reliance on interconnected systems has opened new avenues for exploitation, and threat actors are adapting quickly to take advantage.

That’s why strong security measures are more critical than ever, especially for organizations running SAP. In fact, ransomware attacks targeting SAP systems have jumped over four times in recent years, according to a recent report.

This makes it essential to constantly review and strengthen your defenses—your systems, protocols, and processes all need to be current. But here’s the catch: staying informed on the latest trends isn’t always enough. Just because you’re aware of threats doesn’t mean your SAP environment is truly secure. It’s risky to sit back and wait for your security tools to raise the alarm. Instead, you need to proactively hunt for sophisticated threats before they find you.

SAP Threat-Hunting Framework

At NO MONKEY, we’ve put together a framework to help you implement a proactive approach to SAP security at your organization. Whether you’re starting from scratch or looking to improve on an already-robust approach, this plan covers the concepts integral to ensuring your security is aggressively searching for breaches.

Objectives of an Optimal Threat-Hunting Framework

The ideal proactive SAP security plan accomplishes four key things.

  1. Identify and mitigate threats, including but not limited to:
    • Insider threats
    • Privilege misuse
    • Unauthorized access
  2. Detect advanced persistent threats (APTs) that specifically exploit SAP vulnerabilities
  3. Prevent:
    • Data exfiltration
    • Unauthorized remote function calls (RFCs)
    • Business process abuse
  4. Enhance:
    • Threat intelligence
    • Response automation

NO MONKEY ADVISORY makes for an exponential upgrade to any SAP threat-hunting framework. We help organizations like yours through every facet of SAP security with customized support from some of the best minds in the industry.

Threat-Hunting Methodology

Now that we’ve established what we need to accomplish, let’s define the path forward. Your threat-hunting SAP security plan should encompass the following pillars:

  1. Define Hunting Hypothesis: Establish a focused assumption about potential threats or suspicious behavior within your SAP landscape, based on intelligence, trends, or known vulnerabilities.
    Note: There are many ways to approach this; organizations can refine their hypotheses further once their SAP security has reached a mature state.
  2. Data Collection: Gather relevant information, metrics, and tools that can support your hypothesis, such as SAP security audit logs, network traffic, and endpoint telemetry.
  3. Investigation and Analysis: Leverage advanced techniques, like data analysis and correlation, anomaly detection, and forensic analysis.
  4. Threat Validation and Response: Confirm your findings, document tactics, techniques, and procedures (TTPs), and deploy NO MONKEY’s tailored mitigation strategies for your organization.
  5. Continuous Improvement: Remain vigilant by integrating what you learn to update your threat-hunting techniques.

Hunting Scenarios and Techniques

Your SAP threat-hunting action begins with the four fundamental questions of what, where, how, and when, which are formulated and then answered based on your initial hypothesis.

  • What am I hunting for?
  • Where will I find it?
  • How will I find it?
  • When will I find it?

It’s a good idea to take the SMART approach to these foundational questions, ensuring that your endeavors are:

  • Specific
  • Measurable
  • Achievable
  • Relevant
  • Time-bound

Now let’s get into what to look for and what action to take.

Privilege Escalation and Unauthorized Access

Two of the most common eyebrow-raisers when it comes to proactive SAP security involve suddenly heightened access. There are usually two big indicators:

  • Users accessing high-privilege transactions they’ve never used before
  • Multiple failed login attempts followed by a successful one

Leverage the following three procedures to detect them:

  • Log Sources: Data like SAP security audit logs (SM20), business transaction analysis (STAD), user and authorization reports (SUIM), network logs, and endpoint logs. You’ll need to correlate logs with other network components—web dispatcher, firewall, routers, endpoints, etc.—to eliminate false positives.
  • Hunting Query: Identify accounts that have gained new admin privileges within the past 30 days.
  • Mitigation: Implement role-based access control (RBAC), review user change logs, enforce single sign-on (SSO), and follow your organization’s best practices.
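The two indicators above can be hunted directly in Security Audit Log data. The following is an added example, not NO MONKEY’s code or tooling: it runs two checks over a handful of constructed SM20-style records (the pipe-separated layout, the users and the historical baseline are assumptions made for the illustration; AU1, AU2 and AU3 are the real audit-log event codes for a successful logon, a failed logon and a transaction start, and the critical-transaction watchlist is a starting point to tune to your own list).

```python
"""Added example (not NO MONKEY's code): two hunts over SAP Security Audit Log
records. The pipe-separated layout and the sample records are constructed for
this illustration; AU1/AU2/AU3 are the real SM20 event codes for successful
logon, failed logon and transaction start."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: timestamp | user | terminal | event code | transaction
SAMPLE_LOG = """\
2024-03-01T08:00:01|JSMITH|WS-0102|AU2|
2024-03-01T08:00:07|JSMITH|WS-0102|AU2|
2024-03-01T08:00:12|JSMITH|WS-0102|AU2|
2024-03-01T08:00:15|JSMITH|WS-0102|AU2|
2024-03-01T08:00:19|JSMITH|WS-0102|AU1|
2024-03-01T08:03:40|JSMITH|WS-0102|AU3|SU01
2024-03-01T09:10:00|MJONES|WS-0215|AU1|
2024-03-01T09:12:30|MJONES|WS-0215|AU3|VA01
2024-03-01T09:20:00|ADMIN01|WS-0001|AU3|PFCG
"""

# Constructed historical baseline: transactions each user has run before
# (in practice, built from STAD / older audit-log data over a long window).
BASELINE = {
    "JSMITH": {"VA01", "VA03"},
    "MJONES": {"VA01", "VA02"},
    "ADMIN01": {"PFCG", "SU01", "SM59"},
}

# High-privilege transactions worth a first-use alert (assumed watchlist).
CRITICAL_TCODES = {"SU01", "PFCG", "SE16", "SE38", "SM59", "SM49"}


def parse_log(text):
    """Parse the constructed pipe-separated records into dicts, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, event, tcode = line.split("|")
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "terminal": terminal,
            "event": event,
            "tcode": tcode or None,   # empty for logon events
        })
    return sorted(records, key=lambda r: r["time"])


def find_failed_then_success(records, min_failures=3, window=timedelta(minutes=5)):
    """Users whose successful logon (AU1) follows at least `min_failures`
    failed logons (AU2) inside `window`. Alerting only on failures misses
    this pattern because the final, successful event looks normal on its own."""
    failures = defaultdict(list)
    hits = []
    for r in records:
        if r["event"] == "AU2":
            failures[r["user"]].append(r["time"])
        elif r["event"] == "AU1":
            recent = [t for t in failures[r["user"]] if r["time"] - t <= window]
            if len(recent) >= min_failures:
                hits.append((r["user"], len(recent), r["time"]))
            failures[r["user"]].clear()   # a success closes the attempt series
    return hits


def find_new_privileged_transactions(records, baseline, critical_tcodes):
    """Executions (AU3) of a critical transaction by a user who, according to
    the baseline, has never run it. Users absent from the baseline are
    treated as having no history, so their first critical call is flagged."""
    hits = []
    for r in records:
        if r["event"] != "AU3" or r["tcode"] not in critical_tcodes:
            continue
        if r["tcode"] not in baseline.get(r["user"], set()):
            hits.append((r["user"], r["tcode"], r["time"]))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, count, when in find_failed_then_success(recs):
        print(f"{when} {user}: successful logon after {count} failures")
    for user, tcode, when in find_new_privileged_transactions(recs, BASELINE, CRITICAL_TCODES):
        print(f"{when} {user}: first recorded use of critical transaction {tcode}")
```

Both hits in the sample point at the same user: four failed logons within 20 seconds, a success, and then a first-ever call to SU01. Correlating the two checks on the user and terminal columns before raising a ticket is what keeps the false-positive rate down, exactly as the Log Sources item above recommends.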

SAP RFC (Remote Function Call) Exploitation

SAP’s greatest strength, ironically, is also its greatest weakness. With so many systems interconnected and communicating, both internally and externally, it’s a vulnerable technology by its very nature. That’s what makes SAP such an enticing and popular target for hackers.

Remote Function Calls are commonly attacked because of that inherent weakness. RFCs are standard SAP infrastructure that facilitate communication between different systems. Things to look for to indicate they’re under attack include:

  • Unusual RFC calls from external or blacklisted IPs
  • Large amounts of data being transferred via RFC
  • Unexpected changes in RFC trusted connections

Here’s how to spot RFC exploitation:

  • Log Sources: Pay attention to SAP gateway logs, security audit logs, network logs, and web dispatcher logs.
  • Hunting Query: Identify RFC connections made by unauthorized users, programs, and/or systems.
  • Mitigation: Restrict RFC communication to whitelisted IPs, disable unnecessary RFCs, and tap into NO MONKEY’s advisory services to strengthen your RFC security.
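As an added example that is not NO MONKEY’s code, the block below turns the three RFC indicators above into two checks: calls whose source address falls outside an allowlist or moves an unusually large amount of data, and RFC destinations that differ from an approved baseline. The call records, the allowlisted networks and the destination snapshots are constructed for the illustration; RFC_READ_TABLE and BAPI_USER_GET_DETAIL are real SAP function module names.

```python
"""Added example (not NO MONKEY's code): hunting RFC indicators over constructed
gateway-style call records and a constructed snapshot of RFC destinations.
The allowlist, hosts and record fields are assumptions for illustration."""
import ipaddress

# Networks from which RFC calls are expected (assumed allowlist).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Constructed call records, loosely modelled on what gateway logging provides.
SAMPLE_RFC_CALLS = [
    {"time": "2024-03-02T10:00:00", "src_ip": "10.20.4.17", "user": "BATCH_ERP",
     "function": "RFC_READ_TABLE", "bytes": 120_000},
    {"time": "2024-03-02T10:05:00", "src_ip": "203.0.113.45", "user": "RFCUSER",
     "function": "RFC_READ_TABLE", "bytes": 90_000_000},
    {"time": "2024-03-02T10:07:00", "src_ip": "192.168.50.8", "user": "SAPJSF",
     "function": "BAPI_USER_GET_DETAIL", "bytes": 4_000},
]

# Constructed RFC destination snapshots (the kind of data an SM59 export gives
# you): the approved baseline versus what the system has now.
APPROVED_DESTINATIONS = {
    "PRD_TO_BW":  {"host": "bw.corp.example",  "trusted": True},
    "PRD_TO_CRM": {"host": "crm.corp.example", "trusted": False},
}
CURRENT_DESTINATIONS = {
    "PRD_TO_BW":   {"host": "bw.corp.example",  "trusted": True},
    "PRD_TO_CRM":  {"host": "crm.corp.example", "trusted": True},   # trust flag changed
    "ZZ_EXTERNAL": {"host": "203.0.113.45",     "trusted": True},   # not in baseline
}


def is_allowed_source(ip_text):
    """True when the caller's IP lies inside an allowlisted network. A
    malformed address counts as not allowed rather than aborting the hunt."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def hunt_rfc_calls(calls, max_bytes=50_000_000):
    """Flag calls from outside the allowlist and calls moving more than
    max_bytes; one finding per call lists every reason that applied."""
    findings = []
    for call in calls:
        reasons = []
        if not is_allowed_source(call["src_ip"]):
            reasons.append("source outside RFC allowlist")
        if call["bytes"] > max_bytes:
            reasons.append(f"large transfer: {call['bytes']} bytes via {call['function']}")
        if reasons:
            findings.append((call["user"], call["src_ip"], reasons))
    return findings


def diff_destinations(approved, current):
    """Return sorted (change, destination) pairs for every deviation from the
    approved baseline: added, modified (host or trust flag) or removed."""
    changes = []
    for name, cfg in current.items():
        if name not in approved:
            changes.append(("added", name))
        elif cfg != approved[name]:
            changes.append(("modified", name))
    for name in approved:
        if name not in current:
            changes.append(("removed", name))
    return sorted(changes)


if __name__ == "__main__":
    for user, src, reasons in hunt_rfc_calls(SAMPLE_RFC_CALLS):
        print(f"{user} from {src}: {'; '.join(reasons)}")
    for change, name in diff_destinations(APPROVED_DESTINATIONS, CURRENT_DESTINATIONS):
        print(f"RFC destination {name}: {change}")
```

Taking the destination diff from a scheduled export and comparing it against a signed-off baseline is a cheap way to catch the third indicator (unexpected changes in trusted connections) without waiting for someone to notice in SM59.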

Suspicious ABAP Code Execution and Backdoors

Another hallmark of SAP is its customization, empowering organizations to fit it to their unique needs. This, too, creates openings that cyber-attackers often try to exploit.

Advanced Business Application Programming (ABAP) is SAP’s secret sauce. It’s the technology’s proprietary programming code that makes the customization SAP is known for possible. ABAP threat indicators include:

  • Execution of unauthorized ABAP programs
  • Modifications to critical SAP tables without validating user input
  • Suspicious scripts in SAP transport requests

To catch an incursion to your SAP systems’ ABAP, keep an eye on the following:

  • Log Sources: Security audit logs, table logging or consistency checks, as well as transport logs.
  • Hunting Query: Code analysis to identify vulnerabilities in custom programs/namespaces and 3rd party extensions and integrations.
  • Mitigation: Implement code review policies, enforce strict transport controls, and conduct regular audits using.
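The Hunting Query item above asks for code analysis of custom programs. The following is an added example, not NO MONKEY’s code and not a substitute for a full ABAP scanner: a small static scan that applies a few heuristic rules (dynamic WHERE clauses built from a variable, runtime code generation, and database writes in a program with no AUTHORITY-CHECK at all) to constructed sample sources, restricted to the Z*/Y* customer namespace. The sample programs and the rule set are assumptions for the illustration.

```python
"""Added example (not NO MONKEY's code): a small static scan of custom ABAP
source for patterns a code-review policy would flag. The rules are a short
heuristic subset, the sample programs are constructed, and only the customer
namespace (Z*/Y*) is scanned."""
import re

# Constructed sample sources keyed by report name.
SAMPLE_SOURCES = {
    "ZFI_PAYMENT_UPDATE": """\
REPORT zfi_payment_update.
PARAMETERS: p_where TYPE string, p_vendor TYPE lifnr.
DATA lt_pay TYPE TABLE OF zpayments.
SELECT * FROM zpayments INTO TABLE lt_pay WHERE (p_where).
UPDATE zpayments SET bank_acct = p_vendor WHERE vendor = p_vendor.
GENERATE SUBROUTINE POOL lt_code NAME lv_prog.
""",
    "ZSD_ORDER_REPORT": """\
REPORT zsd_order_report.
PARAMETERS: p_vbeln TYPE vbeln.
AUTHORITY-CHECK OBJECT 'V_VBAK_VKO' ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(zsd).
ENDIF.
SELECT * FROM vbak INTO TABLE @DATA(lt_vbak) WHERE vbeln = @p_vbeln.
""",
    "RSUSR002": """\
REPORT rsusr002.
SELECT * FROM usr02 INTO TABLE @DATA(lt_usr) WHERE (lv_where).
""",
}

# Line-level rules: (rule id, pattern, explanation). ABAP keywords are
# case-insensitive, so every pattern is compiled with re.I.
LINE_RULES = [
    ("DYNAMIC_WHERE", re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I),
     "dynamic WHERE clause taken from a variable; injection risk if user-controlled"),
    ("DYNAMIC_CODE", re.compile(r"\b(GENERATE SUBROUTINE POOL|INSERT REPORT)\b", re.I),
     "program generates or installs code at runtime"),
]
# Heuristic: UPDATE/MODIFY/DELETE at statement start is treated as a DB write
# (these keywords also apply to internal tables, so review hits by hand).
DB_WRITE = re.compile(r"^\s*(UPDATE|MODIFY|DELETE)\s+\w+", re.I)
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\b", re.I)


def is_custom(name):
    """Customer namespace check: standard SAP programs are out of scope here."""
    return name.upper().startswith(("Z", "Y"))


def scan_source(source):
    """Return (line number, rule id, explanation) findings for one program."""
    lines = source.splitlines()
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for rule_id, pattern, why in LINE_RULES:
            if pattern.search(line):
                findings.append((lineno, rule_id, why))
    writes = [n for n, line in enumerate(lines, start=1) if DB_WRITE.search(line)]
    if writes and not AUTH_CHECK.search(source):
        findings.append((writes[0], "NO_AUTH_CHECK",
                         "database write in a program with no AUTHORITY-CHECK"))
    return findings


def scan_programs(sources):
    """Scan every custom-namespace program; standard programs are skipped."""
    return {name: scan_source(src) for name, src in sources.items() if is_custom(name)}


if __name__ == "__main__":
    for name, findings in scan_programs(SAMPLE_SOURCES).items():
        for lineno, rule_id, why in findings:
            print(f"{name}:{lineno} {rule_id}: {why}")
```

Wiring a scan like this into the transport release step is one concrete form of the strict transport control mentioned under Mitigation: a request carrying a Z-program with open findings is held until a reviewer has looked at it.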

Business Process Fraud and Data Exfiltration

Hackers are known to alter details within an SAP environment’s business processes for their gain. Called business process fraud, this includes instances where payments are directed away from a legitimate destination to a hacker.

Signs of business process fraud and data exfiltration are:

  • Mass exports of financial, HR, or customer data
  • Unusual transaction approvals from unauthorized users
  • Data being sent to external email addresses or storage locations

You can spot this activity through:

  • Log Sources: These include business transaction analysis, security audit logs, read access logs, network traffic logs, DLP logs, host logs, database logs, table change logs.
  • Hunting Query: Identify bulk data exports performed outside of normal user behaviors.
  • Mitigation: Implement data loss prevention (DLP) tools, restrict table-editing transactions, and implement real-time alerts on large data movements.

Insider Threats and Anomalous Behavior

Unfortunately, you must also be vigilant against attack from within. Insider threats are perhaps easier to identify because you have access to data showcasing typical behavior. Anything that falls outside of that is characterized as anomalous and should be regarded as suspicious.

Things to be on the lookout for include:

  • Employees accessing SAP modules unrelated to their roles
  • High-privileged users executing transactions for the first time
  • Users logging in from unusual locations and/or devices

You can better detect internal advanced threats and anomalous behavior by:

  • Log Sources: User entity behavior analytics (UEBA), business transaction analysis, security audit logs.
  • Hunting Query: Detect users accessing critical transactions outside of their roles.
  • Mitigation: Implement least-privilege access policies and enable session monitoring.
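The hunting queries for the two preceding sections (bulk exports outside a user’s normal behaviour, and users running transactions outside their role) share the same ingredient: a per-user baseline. The block below is an added example that is not NO MONKEY’s code; it builds a simple statistical export baseline from constructed history, falls back to a pooled baseline when a user has too little history of their own, and checks each transaction against a constructed role model. The user names, histories, role mapping and thresholds are assumptions; the transaction codes are real SAP ones.

```python
"""Added example (not NO MONKEY's code) serving two hunts: bulk data exports
outside a user's normal behaviour, and transactions outside the user's role.
History, roles, thresholds and events are constructed assumptions."""
import statistics

MIN_SAMPLES = 5   # sessions needed before a personal baseline is trusted

# Constructed per-user history: rows exported in previous sessions.
EXPORT_HISTORY = {
    "FIN_CLERK1": [210, 180, 250, 195, 230, 205],
    "HR_ANALYST": [1200, 950, 1100, 1300, 1050],
    "NEW_HIRE": [300],          # too little history for a personal baseline
}

# Constructed role model: transactions each role is expected to use.
ROLE_TRANSACTIONS = {
    "FIN_CLERK": {"FB50", "FB60", "FBL1N"},
    "HR_ANALYST": {"PA20", "PA30"},
    "BASIS": {"SU01", "PFCG", "SM59"},
}
USER_ROLES = {"FIN_CLERK1": "FIN_CLERK", "HR_ANALYST": "HR_ANALYST", "NEW_HIRE": "FIN_CLERK"}

# Constructed new activity to hunt over.
NEW_EVENTS = [
    {"user": "FIN_CLERK1", "tcode": "FBL1N", "rows_exported": 240},
    {"user": "FIN_CLERK1", "tcode": "SE16", "rows_exported": 48_000},
    {"user": "HR_ANALYST", "tcode": "PA20", "rows_exported": 1_150},
    {"user": "NEW_HIRE", "tcode": "FB50", "rows_exported": 9_000},
]


def export_threshold(samples):
    """Upper bound of 'normal' export size: mean + 3 standard deviations.
    With fewer than two samples there is nothing to compare against, so
    return infinity rather than alert on guesswork."""
    if len(samples) < 2:
        return float("inf")
    return statistics.mean(samples) + 3 * statistics.stdev(samples)


def baseline_for(user, history):
    """Personal baseline when enough sessions exist, otherwise a global
    baseline pooled from every user's history. Returns (limit, kind)."""
    own = history.get(user, [])
    if len(own) >= MIN_SAMPLES:
        return export_threshold(own), "personal"
    pooled = [v for samples in history.values() for v in samples]
    return export_threshold(pooled), "global"


def hunt_user_behaviour(events, history, user_roles, role_transactions):
    """One finding per event that breaks the role model or the export
    baseline, listing every reason that applied."""
    findings = []
    for e in events:
        reasons = []
        role = user_roles.get(e["user"])
        if e["tcode"] not in role_transactions.get(role, set()):
            reasons.append(f"transaction {e['tcode']} outside role {role}")
        limit, kind = baseline_for(e["user"], history)
        if e["rows_exported"] > limit:
            reasons.append(f"{e['rows_exported']} rows exported exceeds {kind} baseline ({limit:.0f})")
        if reasons:
            findings.append((e["user"], e["tcode"], reasons))
    return findings


if __name__ == "__main__":
    for user, tcode, reasons in hunt_user_behaviour(NEW_EVENTS, EXPORT_HISTORY, USER_ROLES, ROLE_TRANSACTIONS):
        print(f"{user} [{tcode}]: {'; '.join(reasons)}")
```

The pooled fallback matters in practice: new accounts and rarely used service users have no history, and an analyst who only alerts on personal deviations never sees their first bulk export. Mean plus three standard deviations is the simplest workable threshold; the same structure accepts a more robust statistic or a learned model once you have enough data.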

Advanced Threat-Hunting Techniques

Once you’ve checked all of that off your SAP threat-hunting list, you’re ready to shift into the next gear. The following practices require more legwork and know-how, but they’re also critical to staying in front of today’s innovative cyber attackers.

Network and DNS Traffic Analysis

Keeping tabs on your network is a sound way to find anything untoward. Here’s how to do it:

  • Monitor SAP network traffic for large outbound data transfers
  • Detect unusual DNS queries linked to data exfiltration
  • Apply network segmentation
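As an added example that is not NO MONKEY’s code, the block below applies the first two items above to constructed data: DNS queries whose leading label is long and high-entropy (a common shape for data smuggled out in query names) and outbound flows from SAP hosts to external destinations that exceed a byte threshold. The query log, the flow summary, the internal network ranges and the thresholds are all assumptions for the illustration.

```python
"""Added example (not NO MONKEY's code): two network hunts over constructed
data. The DNS names ending in .test and the flows are invented; the entropy,
length and byte thresholds are starting values to tune per environment."""
import ipaddress
import math
from collections import Counter, defaultdict

# Networks considered internal (assumed).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed DNS query log: (client IP, queried name).
SAMPLE_DNS_QUERIES = [
    ("10.20.4.17", "sap-prd.corp.example"),
    ("10.20.4.17", "ocsp.digicert.com"),
    ("10.20.4.17", "windowsupdate.microsoft.com"),
    ("10.20.4.31", "a9f3e2c1b7d84f6e0a5c3b2d1e9f8a7c.exfil-example.test"),
    ("10.20.4.31", "f7e6d5c4b3a2918070605040302010ff.exfil-example.test"),
    ("10.20.4.31", "sap-prd.corp.example"),
]

# Constructed outbound flow summary: (source host, destination IP, bytes sent).
SAMPLE_FLOWS = [
    ("sap-prd-app01", "10.20.9.5", 4_500_000),
    ("sap-prd-app01", "198.51.100.7", 1_800_000_000),
    ("sap-prd-app01", "198.51.100.7", 500_000_000),
    ("sap-prd-db01", "10.20.9.5", 12_000_000),
]


def shannon_entropy(text):
    """Bits of entropy per character; encoded data scores near log2(alphabet)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_label(name, min_len=20, min_entropy=3.5):
    """Flag a query whose first label is both long and high-entropy. Legitimate
    long labels (CDN hosts, update services) tend to be readable words and
    score lower on entropy, which is why both conditions must hold."""
    label = name.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def hunt_dns(queries):
    """Map each client to the parent domains it sent suspicious labels to."""
    suspects = defaultdict(set)
    for client, name in queries:
        if is_suspicious_label(name):
            suspects[client].add(".".join(name.split(".")[1:]))
    return dict(suspects)


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETWORKS)


def hunt_outbound(flows, max_bytes=1_000_000_000):
    """Sum bytes per (source, external destination) and flag totals above
    max_bytes; splitting a transfer into several flows does not evade it."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if not is_internal(dst):
            totals[(src, dst)] += nbytes
    return [(src, dst, total) for (src, dst), total in totals.items() if total > max_bytes]


if __name__ == "__main__":
    for client, domains in hunt_dns(SAMPLE_DNS_QUERIES).items():
        print(f"{client}: high-entropy labels sent to {', '.join(sorted(domains))}")
    for src, dst, total in hunt_outbound(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {total} bytes outbound")
```

Both checks are deliberately coarse; they are meant to produce a short list of clients and hosts for an analyst to pivot on in the SAP logs, which is where the third item, segmentation, earns its keep by limiting which hosts can reach the internet at all.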

SAP Honeypots and Deception Techniques

Some of the best hunting is facilitated by bait. SAP threat-hunting is no different.

Leverage honeypots to induce hackers into outing themselves. Honeypots serve as dummy environments that trick fraudsters into stepping into the light. Unlike other proactive techniques, though, honeypots are particularly useful in detecting possible threats before they become a problem. Make use of them and the following deceptions:

  • Deploy fake privileged accounts to identify attackers attempting lateral movement – watch out for license utilization!
  • Implement decoy RFC connections to trap unauthorized accessors
  • Use HoneySAP to deploy application servers

Machine Learning for Threat Detection

Artificial intelligence is being integrated in technologies across all industries to improve efficiency and effectiveness. It’s no different with SAP security.

You can leverage machine learning—a form of AI—to proactively detect advanced threats. Here’s how:

  • Train unsupervised machine learning models to detect deviations in SAP user behavior.
  • Train models to detect attack vectors based on attack scenarios and intelligence sources such as the MITRE ATT&CK knowledge base.

Ready to Level Up Your Proactive SAP Threat Hunting?

By following the framework we’ve laid out, you’ll be off to a solid start in taking the fight to would-be attacks against your organization’s SAP environment. The next step would be to enlist the efforts of experts. And that’s where we come in.

NO MONKEY ADVISORY has the experience and expertise to help you deliver your organization the best protection. We’ll work with you to develop a customized threat-hunting plan, complete with processes, protocols, and best practices. We’ll also be there in real time to offer support and advice.

And going even further, NO MONKEY also assists your organization with monitoring and incident response. We work hand-in-hand with you to craft comprehensive, tailor-made plans specific to your unique needs. You get a best-in-class partner in all things SAP security.

The threats out there are only growing. Hackers are doing their best to defeat your defenses, constantly innovating creative new ways to attack your SAP systems. Can you afford to take the risk that comes with not doing all you can to protect your organization? Don’t take that chance. Make your SAP security the best it can be with NO MONKEY ADVISORY.