API Attack Prevention: Preparing for Cybercriminals’ New Account Takeover Target

• Open-by-design and predictable structure creates many open doors to easily probe.
  Developers tend to build flexible APIs with predictable structures adhering to logical architectures (such as REST), which makes it easy for criminals to probe for additional data that may have been exposed.
  
  
• Reduced cross-organizational visibility makes it difficult to observe API activity—especially if you don’t know the API even exists.
  APIs are often published before SecOps teams know about them, creating a shadow or zombie API ecosystem and lack of end-to-end visibility into API traffic.
  
  
• Increased complexity creates unmanaged and unsecured APIs, resulting in a larger attack surface.
  Distributed environments and proliferation of services make it challenging to consistently discover, manage, and monitor all APIs, which leads to an increased number of threats and elevated vulnerability to security and privacy incidents.

Modern malicious bot attacks continue to evolve, causing legacy bot prevention tools to fail in sustaining their efficacy. This issue will likely get worse with regard to APIs since bot attacks are used to target APIs in a variety of new and different ways ranging from automating exploration scans to manipulating resources and business logic vulnerabilities to conducting credential stuffing and injection attacks.

API credential stuffing attacks are a great example of why traditional bot mitigation strategies leave you exposed. Some APIs provide authentication tokens after a username and password are submitted, similar to logging into a website. This token is typically used for all other requests made to the API. It’s a pattern common in APIs, especially older APIs, and it’s vulnerable to credential stuffing and password spraying attacks.

Differentiating between attackers and real customers is difficult because these types of targeted efforts bypass most traditional controls. Traditional security controls, such as basic web app firewalls (WAFs) and security information and event management (SIEM) systems, are not sufficient to identify and prevent bot attacks on APIs, in part because of the high amount of machine-to-machine, or API-to-API, traffic. Attacks can appear like normal app behavior on the surface, but behind the scenes APIs can be exploited and abused, allowing attackers to elude detection until it’s too late.

API security is a shared responsibility across the organization, heightening the need to be concerned with bot-driven attacks that lead to compromise and data breach, as well as those that impact uptime and reliability, for both legacy web apps and modern API fabrics.

When it comes to API security and protecting against unauthorized access via APIs, either through credential stuffing, brute force, or other forceful login attempt mechanisms, a sophisticated AI/ML engine can help by identifying failed login attempt activity or attempts to discover API parameters, and flagging those attempts for operations teams to review.

There are several ways that organizations should shore up their API security, including validating connections and access, monitoring and alerting on behavior over time, and helping to identify unusual client behavior to pinpoint potential areas of compromise.

• Continuously monitor and protect API endpoints to identify changing app integrations, detect vulnerable components, and mitigate attacks through third-party integrations.
• Implement a positive security model that integrates with your CI/CD pipeline and supports OpenAPI and Swagger interface specifications to easily validate schema, enforce protocol compliance, automatically baseline normal traffic patterns, and detect anomalous behavior.
• Embrace zero trust and risk-based security by embracing least-privileged access principles, inspecting payloads, preventing unauthorized data exposure, and implementing access control and risk-based authentication for objects and functions. This should include collecting intelligence and building a baseline for the normal behavior of bots with respect to your APIs. By leveraging behavioral and pattern analysis, workflow validation, and fingerprinting, you can differentiate between human, good bot, and bad bot activity.
• React to a changing application lifecycle by preventing security misconfiguration across heterogeneous environments, mitigating abuse that can lead to compromise and denial of service, and remediating threats consistently across clouds and architectures. Keep scanning, testing, and monitoring your APIs for misconfigurations, vulnerabilities, and business logic flaws.

You should explore having a centralized view of your API security posture to allow your organization to move quickly, identify potential issues within your API environment, drill down, investigate, and act as appropriate to neutralize any anomalies or threats that could impact connectivity, availability, or app and API security.

Learn more about how you can prevent account takeover attacks.