
Securing APIs from cyber-criminals

James Sherlow at Cequence Security asks whether AI will transform how we secure APIs

 

Our digital ecosystem is now heavily reliant upon Application Programming Interfaces (APIs), which extract and share data between applications, facilitating service delivery. They’re used for e-retail, open banking, IoT and smart car apps, to name but a few, and are now the dominant form of internet traffic.

 

But this proliferation of APIs with ready access to sensitive data has also created a lucrative target for attackers, and the impact of these attacks means they now frequently grab headlines.

 

According to Gartner, the average API breach now results in ten times more leaked data than the average security breach. In May, for example, we saw the data of 49 million users compromised via a Dell API that failed to prevent the attacker from signing up as a reseller and exporting that data, revealing there was no authentication, monitoring or rate limiting in place.

 

Problematic to secure

APIs are easily exploitable because they are so numerous and poorly managed. Almost a third of malicious requests are targeted at shadow APIs, that is APIs that the organisation is no longer aware of and so is no longer monitoring or updating.

 

But even APIs that are well-coded and maintained can be susceptible to business logic abuse whereby the attacker studies and uses calls sent to the API to subvert it and gain access to other APIs or sensitive data. 

 

API attacks have also evolved over the past five years, prompting the OWASP API Security Project to revise its top ten list of attack types. Threat actors will feint and pivot during an attack in order to obtain their end goal, often combining attack techniques, and frequently run rings around the security mechanisms that organisations have put in place to defend against them.

 

Web Application Firewalls (WAFs), for instance, which many organisations use to secure their APIs, can be easily subverted. These seek to block the IP address an attack originates from but the attacker can simply switch to another, rapidly rotating through IP addresses until the WAF becomes overloaded. We’ve seen situations where WAFs have been bombarded with over two million IP addresses in a 24-hour period to enable the attacker to continue their attack.

 

Once threat actors begin to leverage generative AI to create high volume self-learning attacks, which could well happen within twelve months, such rudimentary defences will be powerless to stop them. It’s for these reasons that we need to look at how we can harness AI capabilities today in order to develop, manage and protect APIs effectively.

 

Analysis and AI

Behavioural analysis is the chief way to determine if an API is under attack as it can detect both low level reconnaissance activity as well as bot-driven volumetric attacks using machine learning algorithms. Anomalous and potentially malicious traffic patterns can then be used to generate rules, models and policies that can be used to automatically spot and prevent an attack from escalating.
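The contrast between per-IP blocking and behavioural grouping can be seen in a small detection sketch. This is an added example, not code from the article or from any vendor; the log lines are constructed, and the user-agent string stands in for a client fingerprint, which in practice would be built from signals that are harder to change.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed traffic, not real logs: (source_ip, user_agent, path, status)."""
    log = []
    # One automated client rotating through 60 addresses, one request per address
    for i in range(60):
        log.append((f"198.51.100.{i + 1}", "checker/1.0", "/api/login", 401))
    # Five ordinary clients, each on a stable address
    for i in range(5):
        ip = f"203.0.113.{i + 1}"
        log.append((ip, "Mozilla/5.0", "/api/login", 200))
        log.append((ip, "Mozilla/5.0", "/api/orders", 200))
    return log

def per_ip_blocklist(log, threshold=10):
    """IP-centric rule: block any source address with more than `threshold` requests."""
    counts = defaultdict(int)
    for ip, _ua, _path, _status in log:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > threshold}

def behavioural_clusters(log, min_requests=20, min_fail_ratio=0.8, min_ips=10):
    """Group by behaviour (fingerprint + endpoint) rather than by address, and
    flag clusters that are high volume, mostly failing and spread over many IPs."""
    stats = defaultdict(lambda: {"n": 0, "fail": 0, "ips": set()})
    for ip, ua, path, status in log:
        s = stats[(ua, path)]
        s["n"] += 1
        s["fail"] += status in (401, 403)  # bool counts as 0 or 1
        s["ips"].add(ip)
    flagged = {}
    for key, s in stats.items():
        if (s["n"] >= min_requests
                and s["fail"] / s["n"] >= min_fail_ratio
                and len(s["ips"]) >= min_ips):
            flagged[key] = {"requests": s["n"], "distinct_ips": len(s["ips"])}
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("blocked by per-IP rule:", per_ip_blocklist(log))
    print("flagged by behaviour:", behavioural_clusters(log))
```

The per-IP rule blocks nothing because no single address exceeds the threshold, while the behavioural grouping flags the login traffic as one cluster regardless of how many addresses it came from.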

 

What’s more, these threat patterns can be used for threat hunting across multiple API endpoints concurrently, improving Mean Time to Detection (MTTD).

 

A major issue for many organisations, however, is discovering the APIs in the first place. Sprawling API footprints and a failure to deprecate APIs have resulted in shadow APIs.

 

Automated detection can spot these by searching for API specifications/descriptions, sometimes referred to as API definitions. These help teams align on the attributes of the API and what it can do, but it’s now possible to customise those definitions so that the APIs are more accurately categorised, monitored and tested.

 

Moreover, discovery algorithms can be tailored to look for API hosts, such as those used by a particular product team or those hosting AI applications, in order to zero in on critical APIs. 

 

AI could also help with API testing. Inadequate authentication and authorisation is a major cause of API breaches. One way to address this is by creating authentication profiles to test APIs using multiple user personas and privileges, allowing thorough validation across numerous user scenarios.
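A persona-based authorisation test can be expressed as a matrix of personas against endpoints, with each response compared to the intended policy. The sketch below is an added example, not code from the article: the personas, paths, policy and the `toy_api` handler are all hypothetical, and the handler contains a deliberate missing role check so the matrix has something to find.

```python
# Hypothetical personas used as authentication profiles for the test run
PERSONAS = {
    "anonymous": {"token": None, "role": None},
    "customer": {"token": "t-cust", "role": "customer"},
    "reseller": {"token": "t-res", "role": "reseller"},
    "admin": {"token": "t-adm", "role": "admin"},
}

# Intended policy (constructed): path -> personas that should be allowed
POLICY = {
    "/orders/mine": {"customer", "reseller", "admin"},
    "/admin/users": {"admin"},
    "/customers/export": {"admin"},
}

def toy_api(persona, path):
    """Constructed stand-in for the API under test; returns an HTTP status."""
    profile = PERSONAS[persona]
    if profile["token"] is None:
        return 401                      # authentication is enforced everywhere
    if path == "/orders/mine":
        return 200
    if path == "/admin/users":
        return 200 if profile["role"] == "admin" else 403
    if path == "/customers/export":
        return 200                      # deliberate flaw: role is never checked
    return 404

def run_matrix(api, policy, personas):
    """Call every endpoint as every persona; report responses that disagree
    with the policy as (persona, path, status, expected) tuples."""
    findings = []
    for path, allowed in sorted(policy.items()):
        for name in personas:
            status = api(name, path)
            should_allow = name in allowed
            if (status == 200) != should_allow:
                expected = "allow" if should_allow else "deny"
                findings.append((name, path, status, expected))
    return findings

if __name__ == "__main__":
    for finding in run_matrix(toy_api, POLICY, PERSONAS):
        print("policy mismatch:", finding)
```

Against a real service the `api` argument would be a function that sends the request with that persona's credentials; the comparison logic stays the same.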

 

Another issue is the generation of realistic test cases, which are typically manually created today. Not only can these be automated but they can also be made more adaptive so that the API groups can be tested in response to different threat scenarios.

 

API attacks will become more targeted and more evasive, particularly once threat actors harness AI. The race is now on to significantly improve the way we discover, secure and test APIs by utilising AI and machine learning technologies to ensure threat detection and response capabilities are able to detect such assaults.

 

The question is, will it take yet more attacks to make organisations realise that they need to look beyond traffic monitoring and make their APIs more robust and resilient?

 


 

James Sherlow is Systems Engineering Director, EMEA at Cequence Security 

 

Main image courtesy of iStockPhoto.com and BlackJack3D

