Detecting threats to APIs

The increasing use of APIs by developers has been one of the defining software trends of the past few years. Seeking efficient, standardized and effective ways to build out fully-featured apps, developers are turning to APIs as the backbone of software releases.

It’s likely your organization uses numerous API-based applications for fundamental business functions. Assuming your organization has a good handle on how many APIs you have, the next critical issue becomes validating core API development functions including authentication best practices and protecting sensitive data as it moves through API-based applications.

Attackers have seized upon the prominence of APIs, deploying a wide variety of both new and old techniques specifically targeting an organization’s APIs. The variety of threats in existence today, including novel zero-day attacks meant to dodge standard defenses, calls for an advanced approach to API threat detection.

By taking these threats seriously, finding the right technology and following industry best practices, the security team can build a strong advanced threat detection posture, ensuring the organization can keep reaping the benefits of API use without creating a major unguarded attack surface for a threat actor to exploit.

The importance of API threat detection

Why should IT security teams focus on API threat detection in particular? The short answer is that APIs are the attackers’ #1 target. The precipitous rise in using APIs as an application development tool has demonstrated to hackers that if they can exploit API code, they can gain a way to exfiltrate sensitive data of all kinds — payment information, Social Security and personal identification numbers, login credentials and more.

Just how much have hackers committed to breaking API security? Our research revealed that in the second half of 2021, 80% of blocked traffic to companies’ systems was API-based. Attackers are opportunistic, and with organizations’ most sensitive applications now built on APIs, some that may have weak authentication, that’s where they’ve shifted their focus.

In that same period, account takeover attacks targeting APIs rose by 62%. Using stolen credentials from unguarded APIs has become a way for hackers to then move on to larger targets. Organizations that don’t have API protection capabilities in place may be leaving a door ajar for attacks ranging from corporate espionage to ransomware and beyond.

API threat detection is a pivotal part of any organization’s information security plan. Furthermore, detection efforts must do more than watch for a standardized list of known threats. The constant development of new security threats means organizations could fall prey to attacks and business logic abuse that have never been observed before. Monitoring API traffic for signs of risk is a must for any business today.

Top threats facing APIs today

Reviewing the sheer variety of advanced threats facing API deployments, as well as the potential damage these attack types could inflict, is a good reminder of just how important API threat detection has become.

Resources such as the Open Web Application Security Project (OWASP) API Security Top 10 name many of the most pressing concerns for IT security teams and developers working with APIs, updated to reflect trends in both apps and attacks. Current top dangers include:

Broken authorization and access control: Ranked as the top two threats on the OWASP API Security Top 10, marking them as a major danger to companies’ sensitive data. When authentication and access control functionality has flaws, attackers can make API requests that should have been prevented, potentially seriously compromising an API-based application and the information within it.

Excessive data exposure: The third entry on the OWASP list, excessive data exposure is a common error made in the API development phase, where the sensitive data handling best practices of limiting its use, masking or encrypting the data are not followed. These types of errors can lead to possible data loss as well as governance and compliance violations.

API business logic abuse through mass assignment: APIs are designed for machine-to-machine communications and as such include the commands, data and payload necessary to complete the transaction. When these are improperly documented, attackers can use the information within the API as an attack vector. Security and development teams should work collaboratively to adopt and support API framework tools that drive coding consistency, quality and security.
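To make the three OWASP classes above concrete, here is a constructed mini "invoice API" written for this article (not code from the page's author or from any product), showing each flaw as a vulnerable handler beside its hardened counterpart: an object-level ownership check against broken authorization, a server-side response allowlist against excessive data exposure, and a writable-field allowlist against mass assignment. All users, invoices and card values are made up.

```python
"""Constructed mini "invoice API" showing three OWASP API Top 10 classes:
broken object level authorization, excessive data exposure and mass
assignment. Example code for this article, not a product's; all data is made up."""
from dataclasses import dataclass, asdict


@dataclass
class User:
    user_id: int
    is_admin: bool = False


@dataclass
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float
    card_last4: str
    card_number: str  # sensitive: must never leave the service in a response
    status: str = "open"


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the object."""


# Constructed sample store (a real service would use a database)
USERS = {1: User(1), 2: User(2), 99: User(99, is_admin=True)}
INVOICES = {
    10: Invoice(10, owner_id=1, amount=120.0, card_last4="4242", card_number="4111111111114242"),
    11: Invoice(11, owner_id=2, amount=75.5, card_last4="0005", card_number="5500000000000005"),
}

# Response allowlist: anything not listed (card_number) is dropped server-side,
# so the client is never trusted to hide sensitive fields.
INVOICE_PUBLIC_FIELDS = ("invoice_id", "owner_id", "amount", "card_last4", "status")

# Fields a customer may modify on their own invoice (mass-assignment allowlist)
INVOICE_WRITABLE_BY_OWNER = {"status"}


def serialize_invoice(inv: Invoice) -> dict:
    return {k: v for k, v in asdict(inv).items() if k in INVOICE_PUBLIC_FIELDS}


def _load_owned(caller: User, invoice_id: int) -> Invoice:
    """Object-level authorization: the caller must own the invoice or be admin."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise KeyError(invoice_id)
    if inv.owner_id != caller.user_id and not caller.is_admin:
        raise Forbidden(f"user {caller.user_id} may not access invoice {invoice_id}")
    return inv


# --- Broken object level authorization + excessive data exposure -------------
def get_invoice_vulnerable(caller: User, invoice_id: int) -> dict:
    """Any authenticated caller can read any invoice (no ownership check), and
    the whole record, card number included, is returned."""
    return asdict(INVOICES[invoice_id])


def get_invoice_hardened(caller: User, invoice_id: int) -> dict:
    return serialize_invoice(_load_owned(caller, invoice_id))


# --- Mass assignment ----------------------------------------------------------
def update_invoice_vulnerable(caller: User, invoice_id: int, payload: dict) -> dict:
    """Binds every key of the request body onto the object, so a client can
    rewrite amount or owner_id."""
    inv = INVOICES[invoice_id]
    for key, value in payload.items():
        setattr(inv, key, value)
    return asdict(inv)


def update_invoice_hardened(caller: User, invoice_id: int, payload: dict) -> dict:
    inv = _load_owned(caller, invoice_id)
    rejected = set(payload) - INVOICE_WRITABLE_BY_OWNER
    if rejected:
        # Rejecting (rather than silently dropping) unknown fields also gives the
        # detection layer a clear signal that someone probed the schema.
        raise ValueError(f"fields not writable by owner: {sorted(rejected)}")
    for key in payload:
        setattr(inv, key, payload[key])
    return serialize_invoice(inv)


def outcome(fn, *args) -> str:
    """'ok' if the call succeeds, otherwise the exception class name."""
    try:
        fn(*args)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


def demo() -> dict:
    """Exercises each pair; returns a plain dict so the results can be checked."""
    alice, mallory = USERS[1], USERS[2]
    return {
        "vulnerable_read_leaks_card": "card_number" in get_invoice_vulnerable(mallory, 10),
        "hardened_read_by_non_owner": outcome(get_invoice_hardened, mallory, 10),
        "hardened_read_fields": sorted(get_invoice_hardened(alice, 10)),
        "vulnerable_update_sets_amount": update_invoice_vulnerable(mallory, 11, {"amount": 0.0})["amount"],
        "hardened_update_of_amount": outcome(update_invoice_hardened, alice, 10, {"amount": 0.0}),
        "hardened_update_of_status": update_invoice_hardened(alice, 10, {"status": "paid"})["status"],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The design point is that every decision (who may read the object, which fields leave the service, which fields a client may write) is made on the server from an explicit allowlist rather than inferred from whatever the request happens to contain.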

The sheer variety of factors that can give attackers access to a company’s sensitive data can give IT security teams pause. A misconfiguration issue could provide the necessary backdoor, as could a missed patch or the unknown presence of a deprecated or shadow API.

One of the most concerning aspects of security flaws is that attackers have the tools to detect and exploit them. By crawling organizations’ APIs, hackers can determine opportunities to fulfill their objectives, whether that means exfiltrating sensitive data, breaking deeper into systems, injecting advanced malware or any other goal.

The recent ESG ebook, ‘Trends in Modern Application Protection’, found that organizations acknowledge that the fast development of new threat vectors is a major problem. In fact, 46% of respondents have trouble keeping up with ever-mounting advanced threats, making it the No.1 cited issue along with web application security.

Other problems with app protection include a lack of clear ownership around security (42%), weak security tools (36%) and proliferation of too many different security solutions (32%). With the costs of a data breach or exposure representing devastating losses for companies, it’s clear that departments must take every opportunity to strengthen their API security posture.

Best practices of real-time API threat detection

An ideal API threat detection methodology needs to meet a few objectives. It should run in real-time and cover every API, including shadow APIs, third-party APIs and outdated or deprecated technology. It should also guard against all kinds of suspicious activity, rather than limiting its scope to known threats.

The following are a few of the traits IT security teams should look for when seeking out real-time systems that can defend their API deployments against exploitation of all kinds.

Rules that target relevant threats

Since APIs can power so many types of software and cloud services, no two organizations will use APIs the same way. This means detection of malicious traffic and potential threats should be customizable: by setting rules and policies, security personnel can teach the system what types of data are likely to be targeted, and then watch for any potential threat that puts that information at risk.

Defenses against a wide range of threats

While customization is an important part of the threat detection package, solutions must also be able to recognize a vast range of known attack types and potentially malicious behaviors. Staying one step ahead of hackers means being on guard for every type of security threat that has been seen in the past, alongside the latest versions.

Connection with useful remediation features

Detecting advanced threats is just one facet of overall API protection. Once a system detects malicious traffic, it’s important to have a viable response to the attack. The source could be blocked or rate-limited, including through geofencing to prevent access by region. Advanced solutions also allow deception, which means fooling the hacking software into believing the attack is succeeding while actually cutting it off.
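The three traits above (customizable rules, coverage of known attack patterns, and a remediation action once something is detected) can be sketched in one small engine. The following is an added example written for this article, not a product's detection logic: it parses constructed API access-log lines, applies a tunable `Policy` (failed-login, object-enumeration and burst thresholds, plus a region blocklist standing in for geofencing), and escalates each client to allow, rate-limit or block. The log format, field names, thresholds and the `ip_region` lookup are all assumptions.

```python
"""Constructed rule-based API threat detection over access-log records with a
per-client remediation verdict (allow / rate_limit / block). Example code for
this article; log lines, thresholds and the region lookup are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format: "<unix_ts> <client_ip> <METHOD> <path> <status>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Paths that address one object in a collection, e.g. /api/users/42
ID_PATH_RE = re.compile(r"^(?P<collection>/api/[a-z]+)/(?P<obj>\d+)$")

SEVERITY = {"allow": 0, "rate_limit": 1, "block": 2}

# Constructed sample traffic: a credential-stuffing source, an enumerating
# client and one ordinary user (addresses from the documentation ranges).
SAMPLE_LOG = """\
1000 203.0.113.5 POST /api/login 401
1001 203.0.113.5 POST /api/login 401
1002 203.0.113.5 POST /api/login 401
1003 203.0.113.5 POST /api/login 401
1004 203.0.113.5 POST /api/login 401
1005 203.0.113.5 POST /api/login 200
1010 198.51.100.7 GET /api/users/1 200
1011 198.51.100.7 GET /api/users/2 200
1012 198.51.100.7 GET /api/users/3 200
1013 198.51.100.7 GET /api/users/4 200
1014 198.51.100.7 GET /api/users/5 200
1015 198.51.100.7 GET /api/users/6 200
1020 192.0.2.9 GET /api/users/42 200
1021 192.0.2.9 PATCH /api/users/42 200
1022 192.0.2.9 GET /api/invoices/7 200
"""


@dataclass
class Policy:
    """Tunable rules: this is where a team encodes what matters to its APIs."""
    window_seconds: int = 60
    max_failed_logins: int = 5      # failed logins per IP in window -> block
    max_distinct_ids: int = 5       # object ids per collection per IP -> rate-limit
    max_requests: int = 20          # total requests per IP in window -> rate-limit
    login_path: str = "/api/login"
    blocked_regions: frozenset = frozenset()  # geofencing stand-in


@dataclass
class Event:
    ts: int
    ip: str
    method: str
    path: str
    status: int


@dataclass
class Verdict:
    action: str = "allow"
    reasons: list = field(default_factory=list)

    def escalate(self, action: str, reason: str) -> None:
        """Record the reason and keep the most severe action seen so far."""
        self.reasons.append(reason)
        if SEVERITY[action] > SEVERITY[self.action]:
            self.action = action


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than crashing the detector
            events.append(Event(int(m["ts"]), m["ip"], m["method"], m["path"], int(m["status"])))
    return events


def max_in_window(times: list, window: int) -> int:
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def evaluate(events: list, policy: Policy, ip_region: dict = None) -> dict:
    """Apply every rule per client IP and return {ip: Verdict}."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e.ip].append(e)
    verdicts = {}
    for ip, evs in per_ip.items():
        v = Verdict()
        region = (ip_region or {}).get(ip)
        if region in policy.blocked_regions:
            v.escalate("block", f"geofence: region {region} not permitted")
        failed = [e.ts for e in evs if e.path == policy.login_path and e.status == 401]
        n_failed = max_in_window(failed, policy.window_seconds)
        if n_failed >= policy.max_failed_logins:
            v.escalate("block", f"credential stuffing: {n_failed} failed logins in {policy.window_seconds}s")
        ids = defaultdict(set)
        for e in evs:
            m = ID_PATH_RE.match(e.path)
            if m:
                ids[m["collection"]].add(m["obj"])
        for collection, objs in ids.items():
            if len(objs) >= policy.max_distinct_ids:
                v.escalate("rate_limit", f"object enumeration: {len(objs)} ids under {collection}")
        n_total = max_in_window([e.ts for e in evs], policy.window_seconds)
        if n_total > policy.max_requests:
            v.escalate("rate_limit", f"burst: {n_total} requests in {policy.window_seconds}s")
        verdicts[ip] = v
    return verdicts


def analyze(log: str = SAMPLE_LOG, policy: Policy = Policy(), ip_region: dict = None) -> dict:
    return evaluate(parse_log(log), policy, ip_region)


if __name__ == "__main__":
    for ip, verdict in analyze().items():
        print(ip, verdict.action, "; ".join(verdict.reasons) or "no findings")
```

Run as-is it flags the stuffing source for blocking, rate-limits the enumerating client and leaves the ordinary user alone; swapping in a stricter `Policy` (or a region map) changes the verdicts without touching the engine, which is the customization point the section argues for.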

The current generation of API threat detection technology can provide this level of functionality while also delivering another useful feature: ease of integration and use. When software is simple to deploy and work with, and provides fast functionality out of the box, there’s nothing stopping companies from building their API protection profiles and defending their cloud resources.

Advanced threat detection efforts should be built to meet these high standards due to attackers’ own ongoing development efforts. Since the threat landscape never slows down, companies need cloud security tools that can keep up.

Threat detection’s role in Unified API Protection

True Unified API Protection has three pillars. This is important to note because many products billed as providing API security only perform one of these functions. Effective threat detection fits neatly into the middle of this model, which consists of:

Discover: Organizations need a comprehensive overview of their API usage, detecting their potential API attack surface both from the inside out and the outside in.

Detect: Businesses must protect themselves in real time against a wide variety of potential threat types, encompassing both known and emerging threats.

Defend: Immediately following the detection of malicious activity, automated features must take effect to stop that traffic from causing damage.

Considering the large and expanding role of APIs in mobile and web app development, API security is becoming synonymous with cybersecurity as a whole. Consequently, the organization must make API protection a priority.

Jason Kent

For over the last 20 years, Jason has been ethically peering into Client Behaviour, Wireless Networks, Web Applications, APIs and Cloud Systems, helping organisations secure their assets and intellectual property from unauthorised access. As a consultant he's taken hundreds of organisations through difficult compliance minefields, ensuring their safety. As a researcher he has found flaws in consumer IoT systems and assisted in hardening them against external attacks. At Cequence Security Jason does research, community outreach and supports efforts in identifying Automated Attacks against Web, Mobile, and API-based Applications to keep Cequence's customers safe.
