From the various examples of security incidents involving APIs that lacked any form of authentication, one might conclude that the key to addressing this attack vector is to apply token issuing and validation to one’s APIs. But that approach doesn’t go far enough. A valid token should merely serve as a first step in securing API transactions, and API providers clearly need to define and enforce access control rules, not simply require proof of authentication.
But beyond applying access control, how far should you really trust your tokens?
Hackers Are Users Too
Consider a valid token, one that you can tell was issued from a handshake where the user identity was authenticated. The token is valid, but so what? Many applications are open to the public, i.e., open for anybody to register and create an account, including hackers. Hackers don’t advertise themselves as malicious users on such applications. As a result, tokens issued to hackers cannot be distinguished from tokens issued to legitimate users.
Leveraging their accounts, hackers get tokens for calling your API. Although different applications have varying degrees of user vetting involved, anybody can be a hacker. Insider threat is on the rise and user validation is no defense against malicious intent; remember, it only takes one. Hackers leverage these tokens to poke around your API and look for vulnerabilities to disrupt your service and/or steal sensitive data.
User credentials and tokens leak. Through bad user behaviors such as password reuse, and through phishing attacks, hackers gain access to tokens that were meant for other (legitimate) users. Client applications have a very poor track record at keeping secrets and are a serious vulnerability, as a study by NCSU academics demonstrated. From an API provider standpoint, there is no control over the client side.
The impact of token leaks will be partially mitigated by the adoption of stronger authentication and of emerging token binding standards. These advancements should be adopted whenever possible. Such mitigations are only partial, however, and through token leaks and insider threats, malicious users abuse your API in unexpected ways to disrupt your service. Private information can leak through your APIs when you trust these tokens.
Zero Trust and API Tokens
Zero Trust principles teach us to limit trust in these tokens and assume that some of them are compromised. To properly scrutinize incoming API calls, many considerations should be applied in addition to validating token authenticity and applying authorization rules. For example:
What has this token/client been up to since the token was issued?
What API calls were made, in which sequence?
Were any decoys touched by it?
Is the token used to make an abnormal amount of API calls?
How does the overall behavior of this token fit/deviate from a normal use of this API?
Answering such questions is key to determining which tokens to trust, and which tokens to block. The analysis of token behavior in an API ecosystem requires data about API traffic: big data. This data is derived from the API traffic itself, which needs to be fed to a specialized AI engine. Such an AI engine sorts out bad token behavior from good token behavior.
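To make the questions above concrete, here is an added example (not the page's or PingIntelligence's code) that scores per-token behavior from API access logs with simple rules, a stand-in for the AI engine the page describes. The log lines, token ids, decoy path and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Constructed access log (timestamp token method path status); not real traffic.
LOG = """\
2024-05-01T10:00:00 tok_a GET /api/v1/orders 200
2024-05-01T10:00:05 tok_a GET /api/v1/orders/17 200
2024-05-01T10:03:10 tok_a POST /api/v1/orders 201
2024-05-01T10:00:00 tok_b GET /api/v1/orders 200
2024-05-01T10:00:01 tok_b GET /api/v1/users 200
2024-05-01T10:00:02 tok_b GET /api/v1/users/1 200
2024-05-01T10:00:03 tok_b GET /api/v1/users/2 403
2024-05-01T10:00:04 tok_b GET /api/v1/users/3 403
2024-05-01T10:00:05 tok_b GET /api/v1/internal/backup 404
"""
# Decoy path: never linked from the real app, so any hit is a strong signal (constructed).
DECOY_PATHS = {"/api/v1/internal/backup"}
MAX_CALLS_PER_MIN = 5      # constructed baseline for this API's normal use
MAX_DISTINCT_PATHS = 4     # constructed baseline: a normal client touches few endpoints

def token_features(log_text):
    """Aggregate behaviour per token: peak calls per minute, distinct paths, decoy hits, 4xx count."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, token, _method, path, status = line.split()
        events[token].append((datetime.fromisoformat(ts), path, int(status)))
    feats = {}
    for token, evs in events.items():
        minutes = Counter(ts.replace(second=0, microsecond=0) for ts, _, _ in evs)  # 1-min buckets
        feats[token] = {
            "peak_calls_per_min": max(minutes.values()),
            "distinct_paths": len({p for _, p, _ in evs}),
            "decoy_hits": sum(p in DECOY_PATHS for _, p, _ in evs),
            "client_errors": sum(400 <= s < 500 for _, _, s in evs),
        }
    return feats

def classify(f):
    """Reasons a token looks compromised; an empty list means no finding yet."""
    reasons = []
    if f["decoy_hits"]:
        reasons.append("touched decoy endpoint")
    if f["peak_calls_per_min"] > MAX_CALLS_PER_MIN:
        reasons.append("abnormal call volume")
    if f["distinct_paths"] > MAX_DISTINCT_PATHS and f["client_errors"] >= 2:
        reasons.append("probing many endpoints with repeated 4xx")
    return reasons

def suspicious_tokens(log_text):
    """Token id -> reasons, for every token that should be blocked or reviewed."""
    return {t: r for t, f in token_features(log_text).items() if (r := classify(f))}
```

Both tokens here are valid; only the behavioral features separate the legitimate client (tok_a) from the one that should be blocked (tok_b).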
Analyzing Token Behavior
One such AI-powered API security tool is PingIntelligence for APIs, an AI-based cybersecurity solution that integrates with your existing API infrastructure. By asynchronously feeding API traffic metadata into its AI engine, PingIntelligence for APIs automatically builds machine-learning models for your APIs. These models allow for the classification of each token.
When a token is predicted to have been compromised, you are notified—and the token can be automatically blocked. In addition, PingIntelligence for APIs delivers rich insights on your API traffic and operates in infrastructures built with API gateways from different vendors, with deployments on-premises or in hybrid clouds.