12 Days of AppsMas: SAP Security: 4 Steps to Respond to a Ransomware Attack

Ransomware groups continue to keep organizations on their toes and they’re not slowing down for the holidays. A joint alert from Cybersecurity and Infrastructure Security Agency (CISA) and the FBI shares that cybercriminals have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The German Bundesamt für Sicherheit in der Information- stechnik (BSI) also issued warnings about ransomware attacks during the next few weeks. In our last blog, we went over 10 proactive steps organizations can take to prepare for a ransomware attack. Today, we’ll jump into the steps to take should your organization fall victim to a ransomware attack.

For more on how to mitigate the threat of ransomware to your SAP applications and up-leveling your SAP security, read our whitepaper or watch our on-demand session with SAP CISO, Richard Puckett and Onapsis CEO Mariano Nunez.

If an organization experiences business disruption from what could be a ransomware incident, it’s important to follow the business continuity plan (BCP) and incident response (IR) runbooks already established. Organizations should also work closely with government agencies and CERT organizations like Cybersecurity and Infrastructure Security Agency (CISA) in the United States or the German Bundesamt für Sicherheit in der Information- stechnik (BSI). These organizations can offer knowledge, assistance, and lessons learned from other incidents they have encountered.  

To minimize impact of an attack, the business incident response plan should be fully vetted, with a pre-defined, cross-functional response team with identified key leaders across IT, finance, legal, and communications as well as scenario runbooks with clear deliverables. Organizations should also consider having third-party recovery service teams on standby should a ransomware event occur. When the time comes for action, an organization’s incident response should incorporate, at a minimum, the following steps: 

1. Identify which systems were affected

Scope to identify which systems were affected to see whether those compromised systems can be isolated. If the systems can be isolated, then isolate them immediately to prevent incoming and outgoing connections, preventing lateral movement of the initial infection. If systems cannot be isolated, refer to the BCP that incorporates the business processes supported by the affected systems, fall back to the backup process, and power off the affected systems. 

2. Evaluate affected systems

Evaluate the affected systems to identify their optimal restoration and recovery processes. 

3. Prepare an initial assessment

Prepare an initial assessment of the facts that were captured during the initial reconnaissance and analysis. Internal and external teams — such as the SAP Basis team who are responsible for keeping the SAP landscape healthy and up to date, the security operations team, or the third-party incident response team — identified in the BCP should be activated to provide further context and insights into the attack across the IT landscape. 

4. Leverage forensic techniques

If the systems cannot be recovered initially, leverage traditional forensic techniques in order to capture as much system evidence as possible. This should include a system image, a system memory dump, whenever possible, and images or logfiles of affected devices. For SAP applications that are part of scope, organizations must be able to fully assess the history of what happened at the application layer, as it’s vital to consolidate information coming from the diverse application logs as well as from the database itself. Furthermore, this consolidation should also consider the context of SAP applications in order to be impactful and actionable in the event of a response. 

Ransomware is constantly evolving and is becoming increasingly lucrative for cybercriminals. These threat actors have the means and will to exploit critical vulnerabilities, running malicious software through unpatched, unprotected SAP application layers. To protect your most critical business applications and avoid being a victim of ransomware this holiday season and the future, SAP and Onapsis recommend that organizations follow the steps outlined in our joint whitepaper and on-demand session with SAP CISO, Richard Puckett and Onapsis CEO Mariano Nunez.
 

More SAP Security Resources

More 12 Days of AppsMas Blogs