API Business Logic Attacks

Increased by 160% in 2021 according to L7 Defense.


December 10, 2021 11:26 am

Leading API security provider, L7 Defense, observed a 160% rise in API Business Logic attacks since 2020

Nowadays, many businesses have a technology backbone of Application Programming Interfaces (APIs), which enables them to expose their data and functional flows to their own or external third-party applications.

Due to the rapid publishing and updating of APIs in all industries, APIs have become an attractive target for threat actors who want to gain access to an organization’s internal functionality and databases. They are using complex tactics, such as leveraging machine learning (ML), to launch attacks that imitate non-malicious behavior while avoiding the patterns traditionally used to identify malicious behavior.

Why is it so difficult for organizations to prevent API Attacks?

The first step in bridging the cybersecurity implementation gap that results from API deployments is to identify the problem. API traffic generally falls into two kinds: traffic from real users and malicious traffic. In cybersecurity terms, the latter is referred to as malicious content-based attacks. With APIs, it is very difficult to distinguish between these two types of traffic.

Let’s illustrate this with a real technical scenario. One of the most active API business logic attacks is the classic application-layer Distributed Denial-of-Service (DDoS), which abuses "heavy weight" back-office business logic mechanisms through API calls, for example by hammering the dynamic login mechanism. Such an attack uses camouflage techniques, e.g. rotating source IP addresses combined with random or dictionary-based request parameters, with the aim of degrading the response time (SLA) of the service. Even if an API has built-in business logic that can interpret such inputs, it is still extremely difficult for the API business logic to analyze the threat by itself and respond accordingly. The reason is that the objective of API business logic is to keep data and functional business flows available to real users, so it will avoid anything that impacts that business priority. However, one of the consequences can be serious damage to business availability or even to the reputation of the organization.
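An added detection sketch for the scenario above (example code, not L7 Defense's product or any code from the original article): because rotating source IPs defeat per-IP rate limits, it aggregates login traffic per endpoint inside a time window and flags the combination of high request rate, near-unique source IPs, near-unique usernames and mostly failed responses. The log format, the sample traffic and the thresholds are assumptions.

```python
def parse_line(line):
    # Assumed (constructed) log format: "<epoch_seconds> <src_ip> <path> user=<name> status=<http_code>"
    ts, ip, path, user, status = line.split()
    return {"ts": float(ts), "ip": ip, "path": path,
            "user": user.split("=", 1)[1], "status": int(status.split("=", 1)[1])}

def endpoint_stats(events, path, window_s):
    """Aggregate requests to one endpoint over the last window_s seconds of its traffic."""
    hits = [e for e in events if e["path"] == path]
    if not hits:
        return None
    end = max(e["ts"] for e in hits)
    hits = [e for e in hits if e["ts"] > end - window_s]
    n = len(hits)
    return {
        "rps": n / window_s,
        "ip_ratio": len({e["ip"] for e in hits}) / n,      # 1.0 = every request from a new source IP
        "user_ratio": len({e["user"] for e in hits}) / n,  # 1.0 = every request tries a new username
        "fail_ratio": sum(e["status"] >= 400 for e in hits) / n,
    }

def is_login_abuse(stats, min_rps=2.0, min_ip_ratio=0.8, min_user_ratio=0.8, min_fail_ratio=0.9):
    """Flag distributed, parameter-randomised hammering of a login flow (thresholds are assumptions)."""
    return bool(stats) and (stats["rps"] >= min_rps and stats["ip_ratio"] >= min_ip_ratio
                            and stats["user_ratio"] >= min_user_ratio
                            and stats["fail_ratio"] >= min_fail_ratio)

# Constructed sample traffic: 40 login attempts in 10 s, each from a fresh IP with a
# dictionary-style username and a failed result, plus a little normal traffic.
SAMPLE_LOG = [f"{1000 + i * 0.25:.2f} 203.0.113.{i} /api/login user=name{i:03d} status=401"
              for i in range(40)]
SAMPLE_LOG += [
    "1003.00 198.51.100.7 /api/login user=alice status=200",
    "1005.00 198.51.100.8 /api/login user=bob status=200",
    "1001.00 198.51.100.7 /api/catalog user=alice status=200",
    "1002.00 198.51.100.7 /api/catalog user=alice status=200",
    "1006.00 198.51.100.8 /api/catalog user=bob status=200",
]

def scan(lines, window_s=10.0):
    """Return, per endpoint, whether the window shows the login-abuse pattern."""
    events = [parse_line(line) for line in lines]
    paths = sorted({e["path"] for e in events})
    return {p: is_login_abuse(endpoint_stats(events, p, window_s)) for p in paths}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # {'/api/catalog': False, '/api/login': True}
```

Note that no single source IP in the sample exceeds one request, so a per-IP limiter would see nothing; the per-endpoint aggregation is what exposes the pattern.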

What would be the solution?

Handling API security is harder than securing other public-facing components of the organization, mostly because APIs expose a lot of internal information to the outside world. The following are key areas on which organizations must focus when implementing API security.

  1. The CISO and the security teams must be involved from the very first stages to the final stages.
  2. The API development itself should follow secure coding best practices.
  3. There should be regular vulnerability assessments and penetration testing during the API pre-production phase, followed by fixing identified issues and necessary retest cycles.
  4. Once deployed in the live environment, AI-based solutions, such as L7 Defense offerings, help organizations with inline protection of their API assets from a wide range of advanced cyber threats.

This article was provided by Yisrael Gross, Co-Founder & VP Business Development at L7 Defense.

For more information and a demo, please contact us at info@l7defense.com