Just about every application uses an application programming interface (API). While APIs add a lot of value to an organization, from a security standpoint, they come with some significant problems. In fact, Gartner predicts that API abuses will be the most common threat vector from 2022 bypassing all other threat vectors.
So, what problems exactly do APIs face? And what can security defenders do about it?
API abuse refers to the mishandling of APIs for malicious purposes. With the requisite skills, cybercriminals can reverse engineer applications to modify the flow of the application which can result in hackers getting sanctioned access to the application.
Cybercriminals can use APIs to access undesirable segments of applications, unauthorized access to data belonging to other users, execute account takeovers, scrape business-critical data, perform distributed denial of service (DDoS) attacks, etc.
Naturally, understanding API attacks is key to preventing, detecting, and neutralizing them, which is what this article intends to help with.
It is possible to modify the intrinsic nature of an application using breached APIs. Breached API calls will reassemble a normal API call in every respect but will cause business logic of the application to be tweaked to carry out unintended/unauthorized actions. Few examples of this can be changing the PIN number of debit cards or transferring money across accounts without user authorizations.
The Coinbase attack in Feb’22 is a great example of such an attack. You can read more about it here: https://blog.coinbase.com/retrospective-recent-coinbase-bug-bounty-award-9f127e04f060
Botnets are deployed to initiate account takeovers. in order to test stolen users and passwords, a botnet will invoke APIs to check the combinations. While API management systems reject invalid login attempts, they aren’t too good at combating the volume of bots. These bots, emerging from different IPs repeatedly check for credential combinations with the intention of brute-forcing their way to a valid login.
Specifically skilled hackers ensure that bots trigger API requests at realistic intervals, so that they resemble human requests, and have a better chance of bypassing conventional security protocols.
Hackers can deploy APIs to scrape content from an application. It is common for competitors or other cyber criminals to do so in order to gain a competitive advantage especially during major sales periods. For example, by scrapping business critical prices of a famous item, competitors can price their products to cause damage to the business prospects.
Hackers can target compute-intensive APIs to intentionally overload the application servers. Such an act coupled with traffic from numerous IPs and devices, can occupy the system resources and prolongs server response times for legitimate users.
Consider a platform that provides value across the entire life-cycle of API starting with development, testing, deployment, to retiring of the API.
API visibility in real-time: If you can’t see, you can’t protect it! API visibility is essential pillar of detecting API abuse. Consider a security platform that provides real-time continuous discovery of all APIs in your tech stack. It should provide details on parameters, whether a parameter is mandatory, optional, or PII/sensitive. Additionally, the platform should discover API attributes and not just API endpoints. The visibility should also include baselining of API usage to detect whether APIs are encountering anomalous behavior.
Risk Assessment: The platform should evaluate the risk associated with each API relative to its exposure, likelihood of an attack, and consequent impact. This helps security and engineering teams prioritize response and improves efficiency in addressing security breaches.
Deep Learning of API behavior: Look for a platform that can perform deep learning of application behavior to understand the application baseline and context. As API breaches are complex business logic exploits, without building a strong understanding of the application workflows and context, the platform won’t be able to detect API abuse.
Shift-Left API Testing: The platform should shift left to identify weaknesses in the application and insert into the CI/CD cycle of the organization to find potential vulnerabilities earlier in cycle. As APIs are stateless but the workflows are stateful, the testing platform should be able to mimic all happy path scenarios to provide extensive coverage. AppSentinels does exactly this via the industry’s first Intelligent Stateful API DAST.
Comprehensive view of attacks: Can your API security solution connect security-related events and map them to sources of the attack (users or groups)? AppSentinels accomplishes this through application, user, device and traffic fingerprinting.
By connecting activities from the same users across multiple IPs, AppSentinels seeks to offer SecOps teams with perfect clarity on an attack, its current stage, and the methods used for the invasion. The correlation also allows us to discern between attacks and legitimate user behavior, which is necessary to avoid false positives.
AppSentinels is a comprehensive next generation full-lifecycle API security platform that leverages AI/ML to prevent advanced business-logic API attacks. Our deep learning models detect attackers early in the attack cycle and block them, guarding apps from data theft, breaches, and fraudulent invasions. The platform discovers all APIs in real-time, provides a catalog of APIs as well as the PII/Sensitive data flow occurring via those APIs, and finally, risk score against the APIs.
You can schedule a demo for the product walkthrough and eligible customers will receive a platform free trial.