By 2022, Gartner predicts that API abuses will become the most common type of web application attack resulting in a data breach.[1] That's a pretty sobering statistic for those in charge of developing APIs, as well as application and data owners, and those responsible for infrastructure security.
When you consider that the average organization manages as many as 363 APIs,[2] it's no surprise that gaps in API security represent such a significant threat. Because they provide direct access to data and an entry point to an application's functionality, they are an attractive target for hackers, who will exploit any vulnerability to gain access to your most sensitive data and systems.
The proliferation of APIs, plus their allure to cybercriminals, combine to make API security a strategic priority. To avoid becoming the next victim, you must move beyond an exclusive API management mentality that's focused predominantly on authentication, authorization and rate limiting to an API security posture that extends across all API operations and infrastructures.
Why You Must Prioritize API Security
To develop an effective API cybersecurity strategy, you need to first understand the risk profile of the data and functionality exposed by each API in your organization. Knowledge of web application security best practices can provide a good starting point, but API security requires incremental measures beyond those used to secure web properties.
Figure 1: APIs can unintentionally provide a backdoor into adjacent systems and apps.
Image Source: API Academy.
By design, APIs are more transparent than web applications, because client-side developers need more fine-grained access to services and data. This transparency, provided in great detail within API documentation, is also what makes them so attractive to hackers. APIs define a backdoor into adjacent systems and apps for those who are intent on gaining access, both legitimately and otherwise. And because they provide access to multiple sources of potentially sensitive data and mission-critical services, they widen the attack surface exponentially.
3 Ways Attackers Infiltrate APIs
When evaluating the attack surface presented by your APIs, bad actors might find a number of ways to gain access. But their efforts generally follow three patterns:
1. Login Attacks
Attacks on login and authentication systems are a natural starting point as they're difficult to detect and stop with existing API security solutions. Bad actors attempt to find a "way in" to access the digital resources linked to APIs by using brute force and automated credential stuffing attacks.
Figure 2: API services are disrupted by credential stuffing attacks and by hackers with stolen credentials.
By probing the login environment—which is often mapped using readily available software, then published onto GitHub—an attacker can easily launch attacks to look for vulnerabilities. Should access be gained, it's game on as the bad actor—who appears to be a normal user—finds and exploits additional vulnerabilities, potentially over several months before they are detected.
Login attacks can also be used to disrupt an API-enabled service by preventing legitimate users from logging in, diminishing the user experience and hurting the effectiveness of your public-facing APIs. These disruptions are often caused by DoS or DDoS attacks on access control systems.
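The two login-attack patterns described above, brute force against one account and credential stuffing across many, leave different traces in authentication logs. The following is an added example (not code from the original article) that scores each source address by its failed-login count and the number of distinct usernames it tried. The log line format, the thresholds and the sample log are constructed assumptions; real deployments would read their own gateway or IdP logs and tune the thresholds to observed baselines.

```python
"""Classify login sources as credential stuffing, brute force or normal.

Added illustration, not from the original article. The log format,
thresholds and sample log below are constructed assumptions.
"""
from collections import defaultdict
import re

# Assumed log format: "<iso-timestamp> ip=<addr> user=<name> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def build_sample_log():
    """Constructed sample log (documentation-range IPs, fabricated users)."""
    lines = []
    # 203.0.113.9: one failed attempt against each of 12 different accounts,
    # the low-per-account, many-accounts shape of credential stuffing.
    for i in range(12):
        lines.append(f"2024-01-01T10:00:{i:02d}Z ip=203.0.113.9 user=user{i:02d} result=fail")
    # 198.51.100.7: ten failed attempts against a single account (brute force).
    for i in range(10):
        lines.append(f"2024-01-01T10:01:{i:02d}Z ip=198.51.100.7 user=alice result=fail")
    # 192.0.2.5: a normal user who mistypes once and then logs in.
    lines.append("2024-01-01T10:02:00Z ip=192.0.2.5 user=carol result=fail")
    lines.append("2024-01-01T10:02:05Z ip=192.0.2.5 user=carol result=ok")
    return lines


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        events.append(m.groupdict())
    return events


def classify_sources(lines, stuffing_min_users=10, brute_min_failures=8):
    """Return {ip: label} where label is one of
    'credential_stuffing', 'brute_force' or 'normal'.

    Thresholds are assumed starting points, not recommended values.
    """
    fails = defaultdict(int)        # failed attempts per source IP
    users = defaultdict(set)        # distinct usernames tried per source IP
    for e in parse(lines):
        if e["result"] == "fail":
            fails[e["ip"]] += 1
            users[e["ip"]].add(e["user"])

    labels = {}
    for ip, n in fails.items():
        distinct = len(users[ip])
        if distinct >= stuffing_min_users and n / distinct <= 2:
            # Many accounts, few tries each: a credential list being replayed.
            labels[ip] = "credential_stuffing"
        elif n >= brute_min_failures and distinct <= 2:
            # Many tries against one or two accounts: password guessing.
            labels[ip] = "brute_force"
        else:
            labels[ip] = "normal"
    return labels


if __name__ == "__main__":
    for ip, label in classify_sources(build_sample_log()).items():
        print(f"{ip:15} {label}")
```

Because the stuffing source fails only once per account, a per-account lockout never triggers; the signal is only visible when failures are aggregated per source, which is why the function keys on IP rather than on username.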
2. API DoS & DDoS Attacks
An API DDoS attack typically involves sending traffic from multiple clients to overload an API service. Even when rate limiting controls are in place to prevent servers from crashing, they fall short in preventing service disruption and severe degradation of the API's user experience.
In spite of these protections, hackers often execute these attacks using botnets trained to detect and stay under rate-limiting controls to maximize effectiveness. Since each client is sending normal traffic volumes, the attack will go undetected by API management systems, load balancers and other DDoS prevention security solutions and appliances.
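The paragraph above describes why a per-client rate limit alone does not stop a distributed attack: every bot stays under its own allowance while the endpoint as a whole is overwhelmed. The following added example (not from the original article) simulates one second of traffic in which 50 bots each send 8 requests against a per-client limit of 10, shows that the limiter rejects nothing, and then flags the endpoint by comparing its aggregate request count against an assumed historical baseline. The limit, the baseline and the traffic mix are constructed assumptions.

```python
"""Per-client rate limiting vs. aggregate per-endpoint anomaly detection.

Added illustration, not from the original article. The limit, baseline,
anomaly factor and traffic window are constructed assumptions.
"""
from collections import Counter, defaultdict

PER_CLIENT_LIMIT = 10            # assumed policy: requests per client per second
BASELINE = {"/search": 120}      # assumed historical median requests/s per endpoint
ANOMALY_FACTOR = 2.0             # assumed: flag when rate exceeds 2x baseline


def build_sample_window():
    """Constructed one-second window: 50 bots at 8 req/s each plus
    20 legitimate clients at 2 req/s each, all hitting /search."""
    reqs = []
    for b in range(50):
        reqs += [(f"bot-{b}", "/search")] * 8
    for c in range(20):
        reqs += [(f"user-{c}", "/search")] * 2
    return reqs


def per_client_limiter(reqs, limit=PER_CLIENT_LIMIT):
    """Apply a fixed-window per-client limit; return (allowed, rejected)."""
    seen = Counter()
    allowed, rejected = [], []
    for client, endpoint in reqs:
        seen[client] += 1
        target = allowed if seen[client] <= limit else rejected
        target.append((client, endpoint))
    return allowed, rejected


def endpoint_anomalies(reqs, baseline=BASELINE, factor=ANOMALY_FACTOR):
    """Flag endpoints whose aggregate count exceeds factor * baseline.

    Reports the number of distinct clients so an operator can tell a
    distributed low-rate attack (many clients) from a single noisy one.
    """
    per_endpoint = Counter(ep for _, ep in reqs)
    clients = defaultdict(set)
    for client, ep in reqs:
        clients[ep].add(client)

    flagged = {}
    for ep, n in per_endpoint.items():
        base = baseline.get(ep)
        if base is not None and n > factor * base:
            flagged[ep] = {
                "requests": n,
                "baseline": base,
                "distinct_clients": len(clients[ep]),
            }
    return flagged


if __name__ == "__main__":
    window = build_sample_window()
    allowed, rejected = per_client_limiter(window)
    print(f"per-client limiter: {len(allowed)} allowed, {len(rejected)} rejected")
    print("aggregate anomalies:", endpoint_anomalies(allowed))
```

Run as shown, the limiter allows all 440 requests because no client exceeds 10, while the aggregate check reports /search at 440 requests from 70 distinct clients against a baseline of 120. The point is not the specific thresholds but that the detection has to be computed at the endpoint or service level, not only per client.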
Figure 3: API DDoS attacks disrupt services and severely degrade the user experience.
Most of these attacks are not volumetric in nature and are in fact targeting specific API vulnerabilities to damage the service. For example, a hacker who has gained access to your API using one of the techniques described above might attempt to consume all memory or CPU allocated to the API to disrupt the service for as long as possible.
Increasingly, organizations are experiencing these sorts of attacks. Should they fail to have an adequate security strategy in place, they're powerless to stop them and unable to restore normal services for their users and customers.
3. Application & Data Attacks
Phishing, malware and man-in-the-middle attacks are often used to trick users into connecting to a compromised system, which then captures their tokens, credentials and API keys. The hacker, posing as the authenticated user, is then able to gain access to API services unbeknownst to the API management system. Since APIs expose a range of functions, attackers can subsequently engage in:
- Data extraction or theft
- Data deletion or manipulation
- Account takeover
- Data injection into an application service
- Malicious code injection into an application service
- Remote application or system control
The 2018 Verizon Data Breach Investigations Report found that 81% of confirmed data breaches leveraged stolen credentials.[3] Even the most advanced authentication methods can't stop an attack using compromised credentials. It's equally important to note that any of these actions might also be taken by a rogue insider, consultant or someone in your partner API ecosystem with valid credentials.
Figure 4: Data exfiltrated by hackers with stolen credentials often goes undetected.
What You Can Learn from High-profile API Security Incidents
In November 2018, widespread news reports surfaced a USPS breach affecting 60 million users. The vulnerability was part of an application called Informed Visibility that provides near real-time tracking information for mail sent by businesses, advertisers and other bulk mail senders. The flaw allowed any user logged in to USPS.com to use an API to see account details for other users, including their email addresses, usernames, user IDs, account numbers, addresses and other data. In some cases, they could even change account details on others' behalf.
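The flaw described above is a missing authorization check: the API confirmed that the caller was logged in but never confirmed that the account being requested belonged to the caller. The following added example (not code from the original article, and not USPS's code) shows that shape in a hypothetical account-lookup handler next to a hardened version that ties the requested account to the authenticated session and records every refused cross-account request for later review. The account records, session model and function names are constructed assumptions.

```python
"""Missing vs. present object-level authorization on an account API.

Added illustration, not from the original article and not the code of any
real service. Account records and the session model are constructed.
"""
from collections import Counter


class Unauthenticated(Exception):
    """Caller has no valid session."""


class Forbidden(Exception):
    """Caller is logged in but may not access the requested object."""


# Constructed account store keyed by user id; fabricated data.
ACCOUNTS = {
    101: {"username": "alice", "email": "alice@example.com", "address": "1 Main St"},
    102: {"username": "bob", "email": "bob@example.com", "address": "2 Oak Ave"},
}

# Audit trail of refused cross-account requests: (session_user_id, requested_id, action)
AUDIT = []


def _require_session(session_user_id):
    if session_user_id not in ACCOUNTS:
        raise Unauthenticated("no valid session")


def get_account_vulnerable(session_user_id, requested_id):
    """Checks only that the caller is logged in, so any authenticated user
    can read any other user's record. This is the defective pattern."""
    _require_session(session_user_id)
    return ACCOUNTS[requested_id]


def get_account_hardened(session_user_id, requested_id):
    """Authenticate, then authorize: the session must own the requested record."""
    _require_session(session_user_id)
    if session_user_id != requested_id:
        AUDIT.append((session_user_id, requested_id, "read"))
        raise Forbidden("account does not belong to caller")
    return ACCOUNTS[requested_id]


def update_account_hardened(session_user_id, requested_id, changes):
    """Same ownership check on writes; only a fixed set of fields may change."""
    _require_session(session_user_id)
    if session_user_id != requested_id:
        AUDIT.append((session_user_id, requested_id, "update"))
        raise Forbidden("account does not belong to caller")
    allowed_fields = {"email", "address"}
    unexpected = set(changes) - allowed_fields
    if unexpected:
        raise ValueError(f"fields not updatable: {sorted(unexpected)}")
    ACCOUNTS[requested_id].update(changes)
    return ACCOUNTS[requested_id]


def denied_by_user():
    """Count refused cross-account requests per session user, the kind of
    per-API visibility that lets a defender notice enumeration early."""
    return Counter(uid for uid, _, _ in AUDIT)


if __name__ == "__main__":
    print("vulnerable:", get_account_vulnerable(101, 102)["email"])  # leaks bob's data
    try:
        get_account_hardened(101, 102)
    except Forbidden as exc:
        print("hardened:", exc)
    print("denials:", denied_by_user())
```

The hardened handler still returns the caller's own record unchanged; what it refuses is the cross-account read and write. The audit counter is the detection side of the same fix: a single session reading hundreds of other account ids is exactly the activity that went unnoticed for two years in the incident described above.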
A few weeks before the USPS breach, Google reported a vulnerability in its Google+ social network application. The bug was part of the Google+ People API, which stores user information, like name, email, age, nickname and birthday. Similar to other social media sites, Google+ users can allow third-party apps to access their profile data, as well as the public profile data of their friends. But the vulnerability made friends' private data also accessible, impacting 500,000 user accounts—and maybe even contributing to Google's decision to phase out Google+ altogether.
Just before the Google news story, Facebook also announced a vulnerability in its API code. A bug in the code for the "View As" feature (that allows you to see how your profile appears to others) made it possible for attackers to steal access tokens, taking over the accounts of 30 million users and compromising their personal data.
These highly publicized breaches underscore the importance of treating API security as more than a one-time event. Even if every effort is made to address cybersecurity in the development and operations processes, the best code writers and security architects are still susceptible to making mistakes. These mistakes often take the form of API design flaws rather than coding errors, making them difficult to recognize given the hundreds of ways APIs might be abused, misused and attacked.
It could be months or even years before they're found. In fact, the USPS breach remained undetected for as long as two years, while the Facebook breach took 14 months to be discovered. Without visibility into each API, it's nearly impossible to quickly find and fix potentially devastating mistakes. And web application firewalls (WAFs) and API management systems lack the intelligence to detect the types of suspicious and anomalous activities that indicate when an error has been exploited.
Build Your API Cyber Security Strategy on AI
As API development shows no signs of slowing down, there's no time like the present to shore up your API security. API management systems provide some security features, but not enough to keep increasingly sophisticated hackers at bay. You need a cybersecurity solution that relies on more than just attack signatures and access control policies.
Your API cybersecurity strategy must include strong foundational security capabilities to provide first-line defense against a breach, including a clear view into the activity on each of your APIs. Should your defenses be infiltrated, you also need the ability to detect and automatically block unusual and malicious behavior, including both common threat actions and zero-day attacks that have yet to be seen. And you can't rely on manual methods given the sheer volume of connections alone.
But you can rely on artificial intelligence (AI). An API security strategy built on AI gives you the power to transcend static rules and policies. By continuously inspecting and reporting on all activity, AI gives you deep visibility into your API traffic and can detect abnormal behavior on your data and applications to automatically stop hackers from exploiting your APIs.
When you build your API security on AI, you can proactively protect your entire organization's API infrastructure from hackers and bad actors.
1. Mark O'Neill, Dionisio Zumerle and Jeremy D'Hoinne, "How to Build an Effective API Security Strategy," Gartner Research, Dec 8, 2017.
2. API Security Survey, One Poll, Nov 2017.
3. 2018 Data Breach Investigations Report, Verizon, 2018.