Nowadays, many businesses rely on a technology backbone of Application Programming Interfaces (APIs), which enables them to provide access to their data and functional flows for their own or external third-party applications.
Due to the rapid publishing and updating of APIs in all industries, APIs have become an attractive target for threat actors who want to gain access to an organization’s internal functionality and databases. These actors use complex tactics, such as leveraging machine learning (ML), to launch attacks that imitate non-malicious behavior while eliminating the patterns traditionally used to identify malicious behavior.
The first step in bridging the cybersecurity implementation gap resulting from API deployments is to identify the problem. There are generally two kinds of API traffic: traffic from actual users and malicious traffic. In cybersecurity terms, malicious traffic is referred to as malicious content-based attacks. With APIs, it is very difficult to distinguish between these two types of traffic.
Let’s illustrate this with a real technical scenario. One of the most active API business logic attacks is the classic applicative Distributed Denial-of-Service (DDoS), which attacks and abuses "heavyweight" back-office business logic mechanisms through API calls, for example by abusing the dynamic login mechanism. Such an attack uses camouflage techniques, e.g., rotating source IP addresses along with random or dictionary-based request parameters, aimed at sabotaging the response time (SLA) of the service. Even if an API has built-in business logic to understand such inputs, it is still extremely difficult for the API business logic to analyze the threat by itself and respond accordingly. The reason is that the objective of an API’s business logic is to provide availability of data or functional business flows to its real users, and it will therefore avoid impacting the business priority. However, one of the consequences can be serious damage to business availability or even to the reputation of the organization.
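The following added example (not part of the original article and not L7 Defense code) shows why a per-source rate limit misses the rotating-IP login abuse described above, while aggregating the same requests per endpoint exposes it. The log fields, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict

WINDOW = 60          # seconds per aggregation window (assumed)
PER_IP_LIMIT = 10    # classic per-source rate limit per window (assumed)
MIN_REQUESTS = 100   # aggregate volume before an endpoint is evaluated (assumed)
SPREAD = 0.8         # distinct values / requests treated as "rotating" (assumed)
FAIL_RATIO = 0.9     # share of 401/403 responses treated as abnormal (assumed)

def make_sample():
    """Constructed events: (epoch_second, source_ip, endpoint, username, status)."""
    events = []
    # Legitimate users: five clients, successful logins, spread over window 0.
    for i in range(20):
        events.append((i * 3, f"10.0.0.{i % 5}", "/api/login", f"user{i % 5}", 200))
    # Rotating-source burst in window 1: almost every request has a new IP and username.
    for i in range(300):
        events.append((60 + i % 60, f"198.51.100.{i % 250}", "/api/login", f"guess{i}", 401))
    return events

def analyze(events):
    """Aggregate per (endpoint, window) instead of per source IP."""
    buckets = defaultdict(list)
    for ts, ip, endpoint, user, status in events:
        buckets[(endpoint, ts // WINDOW)].append((ip, user, status))
    findings = []
    for (endpoint, window), rows in sorted(buckets.items()):
        n = len(rows)
        per_ip = defaultdict(int)
        for ip, _, _ in rows:
            per_ip[ip] += 1
        users = {user for _, user, _ in rows}
        failures = sum(1 for _, _, status in rows if status in (401, 403))
        findings.append({
            "endpoint": endpoint, "window": window, "requests": n,
            # What a per-IP limiter sees: does any single source exceed its quota?
            "per_ip_limit_hit": max(per_ip.values()) > PER_IP_LIMIT,
            # What the endpoint-level view sees: high volume, high source and
            # parameter diversity, and almost no successful logins.
            "distributed_abuse": (n >= MIN_REQUESTS
                                  and len(per_ip) / n >= SPREAD
                                  and len(users) / n >= SPREAD
                                  and failures / n >= FAIL_RATIO),
        })
    return findings

if __name__ == "__main__":
    for finding in analyze(make_sample()):
        print(finding)
```

In the constructed burst no single address sends more than two requests, so the per-IP check stays silent while the endpoint-level check flags the window.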
Handling API security is not easy compared to other public-facing components of the organization, mostly because an API exposes a lot of internal information to the outside world. The following are key areas on which organizations must focus when implementing API security.
This article is provided by Yisrael Gross, Co-Founder & VP Business Development at L7 Defense.
For more information and a demo, please contact us at info@l7defense.com