APIs have altered the attack surface of modern applications and exposed new gaps in security in the process. In the old days, virtually all application traffic passed through the web front-end of an application, and unsurprisingly that is where security efforts were focused. APIs have quickly and thoroughly eroded this basic assumption.
Instead, APIs provide a variety of new access paths into the application, often with direct back-end access to critical functions that would previously have been hidden from a visitor. The combination of unguarded and powerful access to an application has not gone unnoticed by attackers. In fact, Gartner predicts that by 2022, APIs will be the most frequent attack vector leading to breaches of web applications.
With this in mind, let’s take a quick look at what makes API security particularly challenging for the old guard, and highlight what organizations can do about it. In this blog, we will focus on the nuts and bolts of API threat detection, and in the next installment, we will take a look at strategies for customizing security policies for an organization’s many APIs.
Obscuring Attacks in API Traffic
Attackers are always looking for ways to hide their attacks from security. This is part of the never-ending game of cat and mouse between blackhats and security teams. Attackers often go to great lengths to encode their attack traffic in non-standard ways or embed it within protocols in order to evade detection. Ironically, APIs have given attackers a perfect vehicle for obscuring some of their most well-known attacks such as SQL injection.
APIs introduce new file formats, structures, and protocols in order to perform their jobs. And this means instead of simply traveling over HTTP, application inputs can be contained within a nest of JSON, XML, WebSockets, and other technologies. If security solutions don’t decode this traffic, then the malicious payloads can pass through without inspection. This provides an incredibly easy way for attackers to recycle well-known attacks without being detected.
This is an important area where next-gen WAFs start to differentiate themselves. In addition to having a wide variety of new detection models, an NG-WAF such as ThreatX can natively parse JSON, XML, and even JSON carried within WebSocket messages. As a result, the NG-WAF can extend essential functions such as input validation and code-injection detection to APIs, ensuring that APIs get the same level of protection afforded to the web front end of an application.
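The decode-before-inspect point above, as an added example that is not ThreatX code: a constructed WebSocket text frame carries JSON whose "payload" field is itself a JSON string, and the classic "OR 1=1" is written with JSON \u escapes. A signature run over the raw bytes misses it; the same signature run over every fully decoded leaf string finds it. The SQLI_PATTERN regex is a deliberately small illustrative signature, not a real detection model.

```python
import json
import re
from typing import Any, Iterator, List, Tuple

# Toy signature for one well-known SQL injection shape (illustrative only).
SQLI_PATTERN = re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+select\b)")

# Constructed WebSocket frame: outer JSON, inner JSON in a string field,
# and the injection obscured with JSON unicode escapes (\u0027 = ', \u003d = =).
WS_FRAME = r'{"op":"login","payload":"{\"user\":\"admin\\u0027 OR 1\\u003d1\"}"}'
BENIGN_FRAME = r'{"op":"login","payload":"{\"user\":\"alice\"}"}'


def _maybe_json(text: str) -> Any:
    """Return the parsed value if text is itself a JSON object/array, else None."""
    stripped = text.strip()
    if not stripped or stripped[0] not in "{[":
        return None
    try:
        return json.loads(stripped)
    except ValueError:
        return None


def leaf_strings(value: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Walk a decoded JSON value; strings that are themselves JSON are decoded again."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from leaf_strings(item, f"{path}.{key}")
    elif isinstance(value, list):
        for idx, item in enumerate(value):
            yield from leaf_strings(item, f"{path}[{idx}]")
    elif isinstance(value, str):
        inner = _maybe_json(value)
        if inner is not None:
            yield from leaf_strings(inner, f"{path}(json)")
        else:
            yield path, value


def inspect_raw(body: str) -> List[str]:
    """Legacy approach: run the signature over the undecoded body only."""
    return ["$"] if SQLI_PATTERN.search(body) else []


def inspect_decoded(body: str) -> List[str]:
    """Decode the body and any nested JSON, then inspect every leaf string."""
    parsed = _maybe_json(body)
    if parsed is None:
        return inspect_raw(body)  # not JSON: fall back to raw inspection
    return [path for path, text in leaf_strings(parsed) if SQLI_PATTERN.search(text)]
```

inspect_raw(WS_FRAME) returns an empty list, while inspect_decoded(WS_FRAME) reports the hit at $.payload(json).user.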
Defending Against Next-Gen Reconnaissance
APIs can also inadvertently provide attackers with more visibility into, and access to, the backend functions of an application. One of the benefits of the web front-end was that the user made a request and the application handled all the plumbing internally, so the internal communication was largely hidden from the user. APIs, by contrast, often provide direct access to backend services. By reading API documentation and doing a little experimentation, attackers can gain transparent visibility into, and access to, a new attack surface. This level of access can be crucial in the early stages of an attack.
ThreatX brings detection to the mapping and reconnaissance phase of attacks against APIs. ThreatX's NG-WAF constantly monitors and learns application behavior, watching for signs of attack. This includes attacker reconnaissance such as scanning the application, mapping endpoints, fuzzing, and method enumeration.
ThreatX also identifies these actions in the context of the attacker kill chain. Attackers can be detected early on in the mapping phase and then fingerprinted to track future behaviors such as progressing to brute force techniques. This context is maintained and raises the overall risk score, which allows security to confidently take action well before damage occurs to the application.
It is important to recognize that this transparency into the application is simply a fact of life when using APIs. It's also why behavioral analysis has become a must-have capability for defending modern applications. APIs naturally expose attack surface, and bots, attackers, and automated attack platforms will naturally want to take advantage of it. Many of these techniques aren't obviously malicious as individual actions but are strong signs of attack when seen in aggregate and in context. This makes behavioral analysis, statistical analysis, and machine learning critical for security rather than just a "nice-to-have" new technology.
These are just a few of the ways NG-WAFs can extend security to APIs. In the next installment, we will take a look at how to build policies that are tied to the unique function, value, and risk profile of your APIs.