
Why detecting port scans against SAP systems is important

Prevent further damage to your organisation at an early stage 


Port scans against your SAP systems are an early sign that intruders might be targeting you. Detecting these port scans helps you spot intruders at an early stage and stop further damage, minimizing further breaches and possible costs.

What is port scanning? 

According to Wikipedia, “a port scan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port; this is not a nefarious process in and of itself.[1] The majority of uses of a port scan are not attacks, but rather simple probes to determine services available on a remote machine.”

And while port scanning can be a common system administration activity, it should be monitored, since port scans are also used by attackers. 

Why is port scanning a potential security problem?  

Port scanning itself does not directly give access to an SAP system, but attackers use it for reconnaissance, to learn more about the setup and layout of the network and its services. It is a first step towards a potentially fully breached SAP landscape. To map the steps that adversaries must complete in order to achieve their objective, Lockheed Martin came up with the cyber kill chain.

[Image: the cyber kill chain model]

As can be seen from the model, the first step adversaries take is reconnaissance, of which port scans are a part. This is interesting, since the sooner you detect a port scan, the bigger the chance you can prevent further damage and costs. Therefore, it is important to take the detection of port scans seriously.

How to detect port scans against the RFC Gateway? 

The RFC Gateway is a critical component when it comes to the security of your SAP systems, and we have other use cases to help detect attacks against this component. With the latest Protect4S SAP Threat Detection Support Package, a use case was added to detect port scans on the RFC Gateway. This group of port scan use cases will be extended over time to detect port scans on other SAP infrastructure components too. For this first use case, the RFC Gateway log is used as the data source: events are extracted from it to determine whether a port scan is taking place. If a port scan is detected, additional information such as the source IP address is extracted. An example of what Protect4S Threat Detection alerts related to port scans can look like is shown below:

[Image: example Protect4S Threat Detection alert for a port scan]

Once a port scan is detected, it is critical to follow up on it immediately. Threat Detection solutions can be configured to immediately send out e-mails or forward threats to your SIEM solution.
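To make the idea of deriving a port scan alert from gateway log events concrete, here is an added example that is not Protect4S code and not part of the original article. It flags a source IP that touches many distinct gateway endpoints within a short window; the log line format, the function names and the thresholds are assumptions made for illustration and do not reflect the real SAP gateway log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified events (NOT the real SAP gateway log format):
# timestamp, source IP, gateway host:port that logged the connection attempt.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.1.1.50 gw=sapapp01:3300
2024-05-01T10:00:02 src=10.1.1.50 gw=sapapp01:3301
2024-05-01T10:00:02 src=10.1.1.50 gw=sapapp01:3302
2024-05-01T10:00:03 src=10.1.1.50 gw=sapapp02:3300
2024-05-01T10:00:04 src=10.1.1.50 gw=sapapp02:3301
2024-05-01T10:00:05 src=10.2.2.20 gw=sapapp01:3300
2024-05-01T10:07:00 src=10.2.2.20 gw=sapapp01:3300
2024-05-01T10:15:00 src=10.2.2.20 gw=sapapp02:3300
"""

def parse_line(line):
    """Split one constructed log line into (datetime, source_ip, endpoint)."""
    ts, src, gw = line.split()
    return (datetime.fromisoformat(ts), src.split("=", 1)[1], gw.split("=", 1)[1])

def detect_port_scans(log_text, window=timedelta(seconds=60), min_endpoints=5):
    """Return {source_ip: sorted endpoints} for every source that touched at
    least min_endpoints distinct gateway endpoints within one sliding window.
    The thresholds are hypothetical and need tuning per landscape."""
    recent = defaultdict(deque)  # source_ip -> (time, endpoint) still in window
    alerts = {}
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, src, endpoint in events:
        queue = recent[src]
        queue.append((ts, endpoint))
        # Drop events that have aged out of the sliding window.
        while queue and ts - queue[0][0] > window:
            queue.popleft()
        distinct = {ep for _, ep in queue}
        if len(distinct) >= min_endpoints:
            alerts.setdefault(src, set()).update(distinct)
    return {src: sorted(eps) for src, eps in alerts.items()}

if __name__ == "__main__":
    for src, eps in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(eps)} gateway endpoints {eps}")
```

The second source in the sample behaves like a regular client that reconnects to the same gateways over a longer period, so it stays below the threshold.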


Key takeaways 

To summarise the above, detecting port scans against the SAP RFC Gateway is an early indicator of malicious actors in your network. By detecting them at an early stage you can prevent further risks to your SAP systems.  

Protect4S SAP Threat Detection is a powerful solution that helps organisations protect their sensitive data in SAP systems from unauthorised access and other threats. By using default best-practice values and setting up custom rules, organisations can quickly detect and respond to suspicious activities and prevent compliance and security breaches which might lead to fraud, espionage or sabotage. 

Interested to learn more? Want a demo? Or start a free Proof of Concept? We are happy to tell you more about our SAP Vulnerability Management and SAP Threat Detection capabilities. For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!