
The difference between internal and external SAP attackers

SAP Cybersecurity Risks

Recently, we gave an insight into the known SAP attackers in our blog. Of course, it can already be deduced from this that there are internal and external SAP attackers. That is why today, we want to look at this from an SAP cybersecurity risk perspective.  

Even today, experts agree that the greatest threat comes from phishing and ransomware. The attack on Continental clearly illustrates this. But not only renowned industry leaders such as the automotive supplier Continental are affected. Every company is affected, even if the press does not report cyber incidents at a medium-sized company to the same extent as at Continental.  

Phishing targets the human component, such as an unknowing employee who doesn’t realize he has been tricked by an email. So, is this an external or internal SAP risk? What is the view when it comes to SAP application security? 

External SAP Cybersecurity Risk

To answer the question, we should first define what an external risk is. At this point, we will move away from the phishing example and focus on a specific SAP vulnerability that caused a stir in February 2022: the HTTP smuggling vulnerability ICMAD (Internet Communication Manager Advanced Desync), identified as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533 for the SAP Web Dispatcher, which you can patch with Security Notes 3123396 and 3123427.

This example seems appropriate because the affected component, SAP Web Dispatcher, is often used as a proxy between the SAP application and insecure networks. In this application scenario, there is a risk of infiltration by an external attacker outside the corporate network.  

Because this vulnerability is accessible from the outside, we can classify it as an external risk. Risks of this type are targeted by particular kinds of attackers. For more on this, we recommend reading the article “Who are the typical SAP attackers.”

How should the SAP risk be rated?

Our SAP vulnerability example, ICMAD, was assessed using the standardized CVSS scoring procedure and received a score of 10.0 (Very High). This procedure rates vulnerabilities with a score of 1.0 (low) to 10.0 (very high). The score is not a roll of the dice but is determined by the scoring procedure. However, such a rating system also has weaknesses, which become clear when we compare this rating with the one provided by the threat intelligence company Mandiant. Mandiant is a leader in threat intelligence and uses real attack information to evaluate vulnerabilities. Its experts contradict the CVSS assessment in that they downgrade the SAP risk to “high” since no exploitation has so far become known.

Internal SAP Cybersecurity Risk

In the application security area, an insider attack is also possible. This type falls into the category of internal cybersecurity risks. Among other things, this includes data theft and malicious manipulation of business information.

It is unimaginable that employees of one’s own company suddenly turn against their employer. This is mostly not the case. The term “social engineering” describes techniques, tactics, and procedures used to make an innocent employee perform harmful actions. In simple terms, it is enough for the employee to open the door to the attacker. It is precisely these risks that are often difficult to identify and contain. Besides, you do not want to place every employee under general suspicion.

Analyzing application logs is usually the best method of detecting insider exploits. This is not easy in the case of SAP applications because there are many different logs.  

Monitoring the most important SAP S/4HANA logs is the only way to detect fraud and malicious manipulation. How fast you react depends on whether there are automatic notifications or whether you monitor and evaluate the logs manually and periodically. The risk you attribute to the corresponding log items is very individual and depends on many factors.

We have already described how to detect anomalies in another article.

So, which one is worse?

Both are equally devastating, but it depends on the nature of the industry and how the information gets leaked. Arguably, internal hacks could pose a greater threat than external ones. It can be devastating to a company’s profits and reputation if an employee sells SAP HANA secrets to a competitor or defaces its web portal (website, eCommerce, etc.). External hackers usually look for information they can sell or use for profit. Consequently, external hacks could have more monetary impact if a hacker gains access to your network or software, hides valuable information, and demands a ransom. 

Posted by

Ivan Mans
