Incident Response and SAP Systems presented at Troopers 2015

by Juan Perez-Etchegoyen, Sergio Abraham

Summary: While cyber attacks are increasing every year, SAP systems are still not immune to being targeted by attackers and being involved in IT security incidents. Incident response and forensic analysis are complex tasks, especially when performed on systems that are diverse not only in terms of products, versions, operating systems and databases, but also in the big customisation layer that SAP systems have.
In these scenarios, identifying and tracking down potentially malicious activities can be extremely challenging if you are not prepared for it. Indications and evidence of attacks are stored in diverse places. Join us in this talk to get an overview of what steps to take after a breach of an SAP system is detected, discussing important concepts such as relevant files and tables, memory dumping, disk images, evidence, chain of custody and many other terms that you need to be aware of if you ever face an incident within your SAP implementation.
Finally, examples of real-life attacks will be shown, going through the incident response procedure and showing how to identify what really happened on the SAP systems.