Making API Security Smarter
The adoption of APIs in the enterprise is showing no signs of slowing down. And each API represents a new attack vector to corporate data, applications and critical business systems. Finely tuned attacks on APIs are bypassing traditional security measures provided by CDNs, WAFs and API Gateways to breach APIs and get to the digital assets they connect.
A robust API security practice requires a strong set of security capabilities, as well as the ability to detect abnormal use of each API once a user passes the first lines of defense. This way, you can act immediately when malicious behavior is detected. PingIntelligence for APIs is making API security smarter.
Filling Common Gaps in API Security
API management tools provide an important set of security features to protect your APIs. These often include authentication and rate limiting, which ensure resources are securely accessible by internal groups, partners, customers and third-party developers. But these practices are often deficient in stopping attacks that are built specifically to breach APIs and the data and systems to which they provide access. Because APIs have created a new, attractive path for hackers to gain access to sensitive data, multiple methods have been invented to circumvent traditional security practices to gain access. Intelligence helps stop the most common API attacks not covered by foundational API security tools.
Gap #1: Login Attacks
Login services are a common API attack surface. API management systems reject invalid login attempts, but they don’t have adequate mechanisms to stop clients from continuously trying new combinations. Many hackers keep request rates below rate limits and periodically change IP addresses to make control very difficult, and successful attempts often go undetected.
Hackers can also steal API keys or tokens used for client authentication through man-in-the-middle attacks, tricking users into connecting to a compromised system which then captures the user’s token or key. The hacker then presents the stolen credential to gain access to API services. Since proper credentials are presented by the client, an API management system can’t detect this attack.
Gap #2: API DDoS Attacks
DDoS attacks were originally designed to overrun an organization’s defenses with volume. But API DDoS attacks are often executed by multiple clients sending traffic to overload an API service. Since each hacker sends normal traffic volumes, these attacks are difficult to detect without analyzing the aggregate traffic rate on each unique API service. Sophisticated hackers can even detect rate-limiting controls and adapt traffic rates to stay beneath the throttling limits to avoid detection. API management systems use rate limiting to control individual client activity, but they typically can’t view aggregate traffic rates among multiple clients to stop distributed DDoS attacks.
Gap #3: System, Application and Data Attacks
Today’s API security solutions aren’t enough to stop a new generation of attacks on APIs, specifically designed to exploit vulnerabilities unique to each API. PingIntelligence for APIs can detect, block and report on these attacks which include:
- Login system attacks: Bad actors use credential stuffing as well as brute force attacks on login and authentication systems to breach API infrastructures.
- Stolen credential attacks: Stolen credentials, tokens, cookies and API keys are used to penetrate and take over accounts.
- Account takeover attacks: Hackers bypass access control systems to take over over one or more user accounts.
- Data extraction or theft: Hackers use APIs to steal files, photos, credit card information and personal data from all accounts available through an API.
- Data scraping: APIs are commonly abused by those using bots to extract (scrape) data for subsequent use which can negatively impact your business.
- Data deletion or manipulation: A disgruntled employee could delete information to sabotage systems, or a hacker could change data to compromise information.
- Data injected into an application service: A hacker could load large data files to overrun system memory or inject excessive data to overload an API service.
- Malicious code injection: A hacker may inject malicious code, such as a key logger, which could compromise other users accessing the service.
- Extreme application activity: A hacker can generate calls that require unusually high system resources and affect server response time.
- Probing and fuzzing attacks: Used by hackers to force API errors to uncover IP and system addresses that they can use to access resources.
- Multi-Step API attacks: Hackers use one account to reverse engineer an API and identify its weaknesses in order to fully exploit an organization’s API infrastructure and breach other accounts.
- Targeted API DDoS attacks: Hackers tune attacks to stay below rate limits which can disable services provided by the API or damage the user experience.
Gap #4: Deep API Traffic Insight
Managing API access requires comprehensive information on all API activity for compliance reporting, forensic investigations, usage trend analysis and debugging of complex applications. All API interactions should be available, including every method or command used on any API at any time. This reporting is required to support in-depth investigations into historical activity linked with an attack, or to demonstrate compliance and deliver metrics on API usage. Reporting APIs should also be available to deliver information to common enterprise dashboards and reporting applications.
Learn more about the evolving api security landscape.
Take the Next Step
See how Ping can help you stay ahead of the curve in a rapidly evolving digital world.
