LAST UPDATED June 14, 2022
APIs have altered the attack surface of modern applications and exposed new gaps in security in the process. In the old days, virtually all application traffic passed through the web front-end of an application, and unsurprisingly that is where security efforts were focused. APIs have quickly and thoroughly eroded this basic assumption.
Instead, APIs provide a variety of new access paths into the application, often with direct back-end access to critical functions that would previously have been obscured to a visitor. The combination of unguarded and powerful access to an application has not gone unnoticed by attackers. In fact, Gartner predicts that APIs will soon be the most frequent attack vector leading to breaches for web applications.
The Definitive Guide to API Attack Protection helps you understand how attackers are targeting APIs and then gives clear and concise guidance on discovering your API landscape and protecting it. Download your copy now
What are some of the key API Security challenges?
Let’s take a look at what makes API security particularly challenging for the old guard, and highlight what organizations can do about it.
Obscuring Attacks in API Traffic
Attackers are always looking for ways to hide their attacks from security. This is part of the never-ending game of cat and mouse between attackers and security teams. Attackers often go to great lengths to encode their attack traffic in non-standard ways or embed it within protocols in order to evade detection. Ironically, APIs have given attackers a perfect vehicle for obscuring some of their most well-known attacks such as SQL injection.
APIs introduce new file formats, structures, and protocols in order to perform their jobs. And this means instead of simply traveling over HTTP, application inputs can be contained within a nest of JSON, XML, WebSockets, and other technologies. If security solutions don’t decode this traffic, then the malicious payloads can pass through without inspection. This provides an incredibly easy way for attackers to recycle well-known attacks without being detected.
Next-Gen Reconnaissance
APIs can also inadvertently provide attackers with more visibility and access into the backend functions of an application. One of the benefits of the web front-end is that the user made a request, and the application handled all the plumbing internally. All the internal communication was largely obscured from the user. APIs, by contrast, often provide direct access to backend services. By reading API documentation and a little experimentation, attackers can gain transparent visibility and access into a new attack surface. This level of access can be crucial in the early stages of an attack.
Security’s Lack of Visibility and Awareness
Organizations know they have a lot of APIs, but they don’t know how to discover or inventory them all. Most have an assortment of APIs sitting behind various gateways, some with no schema attached, or some that have been essentially orphaned after long periods of development. This is a hard problem for security teams to get their hands around.
Accountability for Acceptable API Use
Organizations struggle to understand who is using their APIs and what constitutes acceptable usage — things like the amount of information APIs should provide, how they provide it, and the necessary levels of authentication and authorization are often a mystery.
Sophisticated, Multi-Step Attacks
It’s challenging to identify abnormal behavior related to APIs without the right technology with correlation capabilities to identify modern attacker techniques.
Complex, Bot-Based Attacks
Complicating everything is the fact that API attacks are increasingly bot enabled. Attackers can now distribute loads across large numbers of bots — often tens to hundreds of thousands — to build complex, bot-based attacks aimed at manipulating API functionality.
Best practices to counteract API security challenges
Discover known and unknown APIs
The proliferation of APIs across a distributed infrastructure inevitably leads to API sprawl, and organizations often don’t know how many APIs they have or how they’re utilized. Some of those APIs may be known, but organizations often have a host of unknown APIs as well.
Ideally, an API’s schema provides insights on API utilization. An API schema provides definitions of acceptable use for that API, including what can be exposed, what methods can be used, what are the parameters, keys that enforce utilization, etc. But schemas frequently don’t exist.
The best mode of discovery is real-time analysis of the traffic hitting those endpoints. Analytics can identify which endpoints are no longer used, and which clients are still actively using old endpoints.
Visualize risk to your API attack surface
API discovery capabilities are needed to allow security teams to visualize the entirety of their API attack surface and observe the utilization of APIs in both real time and over time. This is key to understanding how APIs are being used and to identifying rogue and zombie APIs. As part of the discovery, key metrics should be gathered such as request counts, methods, parameters, and error codes, plus how APIs are utilized and how they’re being invoked.
Multi-step attacks can be much harder to detect as attackers build on earlier reconnaissance and information leaks. Visibility into real-time traffic analysis is critical for detecting key indicators of early-stage reconnaissance.
Continuously monitoring API behavior and correlating behavior over time can produce a unified risk score that increases based on attacker behavior. This allows security teams to see coordinated attacks and to identify and stop low and slow attacks that would otherwise fly under the radar.
Detect and block real-time attacks
Real-time monitoring should include advanced threat engagement techniques, such as IP fingerprinting, interrogation, and tar-pitting. These capabilities enable a platform to identify and stop the most complex attacks, including large-scale bots and DDoS-level attacks.
Offline solutions can develop sophisticated correlation rules to detect complex attacks, but they have a couple of disadvantages. Offline solutions can’t take advantage of real-time, interactive techniques like IP interrogation and fingerprinting, active deception, or user-level tar pitting/rate limiting. Attack identification often occurs well after the fact, increasing the time to detection and the risk of data loss.
Attacker-centric behavioral analytics is key to minimizing false positives while effectively stopping sophisticated, multi-step API-based attacks. The system identifies and correlates activity to more precisely identify threats to APIs. The platform responds to multi-step attack patterns over time, adjusting to the attacker’s behavior and blocking suspicious entities and IPs when behaviors surpass an acceptable risk threshold.
Download our checklist to ensure the API protection solutions you are evaluating meet the critical API security needs your organization requires. Available as a PDF, Excel spreadsheet, and Google sheet. Download it now
Expose insights to enable attack forensics
Through advanced risk analysis, a platform can identify key attributes of an attack, such as attack patterns over time (e.g., low and slow), the use of advanced evasion techniques, and details of the attack target.These insights allow security teams to understand the goals and nature of a threat, in turn enabling a more comprehensive security strategy that reduces future risk.
Assess and enforce API schema compliance
Not only is a specification a best practice as part of API design and implementation, it’s also a great way to evaluate API utilization and ensure it conforms to the specification. One of the best indicators of malicious activity is attempted misuse of an API. Attackers are constantly probing API endpoints to identify any number of vulnerabilities that can be exploited. Comparing actual utilization against what’s expected is one of the best ways to identify malicious users and the techniques they are using.
The best solutions include API discovery based on real traffic and the ability to compare traffic metrics against a “Security Schema” based on integration of legitimate schema files or to build a customized version on the fly based on actual traffic.
How ThreatX Can Help
ThreatX constantly monitors and learns application behavior for signs of attack. This includes attacker reconnaissance such as scanning the application, mapping of endpoints, fuzzing techniques, and method enumeration.
ThreatX also identifies these actions in the context of the attacker kill chain. Attackers can be detected early on in the mapping phase and then fingerprinted to track future behaviors such as progressing to brute force techniques. This context is maintained and raises the overall risk score, which allows security to confidently take action well before damage occurs to the application.
It is important to recognize that this transparency into the application is just a fact of life when using APIs. It’s also why behavioral analysis has become a must-have capability for defending modern applications. APIs naturally expose attack surface, and bots, attackers, and automated attack platforms will naturally want to take advantage. Many of these techniques aren’t as malicious as individual actions but are strong signs of attack when seen in aggregate and in context. This makes behavioral analysis, statistical analysis, and machine learning critical for security and not just a “nice-to-have” new technology.
To get started and learn how ThreatX can protect your APIs and web applications from any threat, request a demo now.