APIs sit at the center of organizations’ digital transformation initiatives, empowering employees, partners, customers, and other stakeholders to access applications, data, and business functionality across their digital ecosystems. Hackers treasure these critical APIs, and holding off their growing waves of attacks can resemble the little Dutch boy trying to plug the dam with his finger.
Unfortunately, the problem is only getting worse. Gartner1 predicts that, “By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.”
Many enterprises have responded by implementing API management solutions that provide mechanisms, such as authentication, authorization, and throttling. These are must-have capabilities for controlling who accesses APIs across the API ecosystem—and how often. However, in building their internal and external API strategies, organizations also need to address the growth of more sophisticated attacks on APIs by implementing dynamic, artificial intelligence (AI) driven security.
This article examines the various API management and security tools that organizations should incorporate to ensure security, integrity, and availability across their API ecosystems.
Rule- and Policy-Based Security Measures
Rule- and policy-based security checks, which can be performed in a static or dynamic manner, are mandatory parts of any API management solution. API gateways are the main entry point for API access and therefore typically handle policy enforcement by inspecting incoming requests against policies and rules for security, rate limiting, throttling, and so on. Let's look closer at some static and dynamic security checks to see the additional value they bring.
Dynamic security checks, in contrast with static security scans, evaluate each request against state that changes over time: the gateway validates the request using data it has already accumulated, such as request counts, issued tokens, or previously observed behavior. Dynamic checks are used for access token validation, anomaly detection, and throttling, among others, and their cost scales with the volume of traffic reaching the gateway. Sometimes these dynamic checks run outside the API gateway, and only the resulting decisions are communicated back to it. Let's look at a couple of examples.
Throttling and rate limiting are important for reducing the impact of attacks: whenever attackers gain access to an API, the first thing they do is read as much data as possible. Throttling API requests (i.e. limiting the frequency of API access) requires keeping a count of incoming requests per client within a specific time window; once the count exceeds the allocation for that window, the gateway blocks subsequent calls until the window rolls over. Rate limiting, as the term is used here, caps the number of concurrent requests allowed for a given service.
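The two controls just described, as an added example that is not code from the original article or from any particular gateway product. The sliding-window throttle counts requests per client, the concurrency limit caps in-flight requests per service, and the `Gateway` class shows the order in which a gateway front would apply them. The clock is injected so the window behaviour can be exercised without waiting; class and function names are illustrative.

```python
import threading
from collections import deque


class WindowThrottle:
    """Throttling: at most `limit` requests per client in any sliding window of
    `window` seconds. `clock` is injected so the behaviour is testable offline."""

    def __init__(self, limit, window, clock):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = {}  # client id -> deque of timestamps still inside the window

    def allow(self, client_id):
        now = self.clock()
        hits = self._hits.setdefault(client_id, deque())
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # quota for this window is spent
        hits.append(now)
        return True


class ConcurrencyLimit:
    """Rate limiting in the sense used above: cap the number of requests that
    may be in flight to one backend service at the same time."""

    def __init__(self, max_concurrent):
        self.max_concurrent = max_concurrent
        self._in_flight = 0
        self._lock = threading.Lock()

    def acquire(self):
        with self._lock:
            if self._in_flight >= self.max_concurrent:
                return False
            self._in_flight += 1
            return True

    def release(self):
        with self._lock:
            self._in_flight -= 1


class Gateway:
    """Minimal gateway front: apply the per-client throttle first (it is cheap
    and stops scrapers early), then the per-service concurrency cap."""

    def __init__(self, throttle, concurrency, backend):
        self.throttle = throttle
        self.concurrency = concurrency
        self.backend = backend  # callable taking the client id, returns a body

    def handle(self, client_id):
        if not self.throttle.allow(client_id):
            return 429, "too many requests"
        if not self.concurrency.acquire():
            return 503, "service busy"
        try:
            return 200, self.backend(client_id)
        finally:
            self.concurrency.release()


if __name__ == "__main__":
    import time
    gw = Gateway(WindowThrottle(limit=3, window=60, clock=time.monotonic),
                 ConcurrencyLimit(max_concurrent=2),
                 backend=lambda cid: f"hello {cid}")
    for _ in range(5):
        print(gw.handle("client-a"))  # three 200 responses, then 429
```

The throttle returns 429 so a well-behaved client can back off, while the concurrency cap returns 503 because the problem is the service, not the caller. In a clustered deployment the per-client counters need to live in shared storage, otherwise each gateway node enforces the limit independently and the effective limit is multiplied by the node count.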
Authentication lets the API gateway uniquely identify each user or client invoking an API. API gateway solutions on the market today generally support basic authentication, OAuth 2.0, JSON Web Token (JWT) based security, and certificate-based security. Some gateways also provide an authorization layer on top of authentication for fine-grained permission validation, usually expressed in eXtensible Access Control Markup Language (XACML) style policy languages. This matters when an API exposes multiple resources that each need a different level of access control.
Limitations of Traditional API Security
Although policy-based approaches around authentication, authorization, rate limiting, and throttling are effective tools, they still leave cracks through which hackers can exploit APIs. One challenge is that an API gateway fronts multiple web services, and the APIs it manages carry a high number of sessions most of the time. Even if every session were analyzed against policies and processes, a gateway could not inspect all of those requests in depth without additional computational power.
Another issue is that each API has its own access pattern, so a legitimate access pattern for one API can represent malicious activity for a different API. Let's look at how the same pattern has different implications for a search API versus a buying API.
Whenever someone buys items through an online shopping application, they conduct multiple searches before making the purchase. So, a single user sending 10 to 20 requests to a search API within a short period of time is a legitimate access pattern for a search API. If the same user sends that many requests to the buying API, the pattern can indicate malicious activity, such as an attacker trying to charge as much as possible to a stolen credit card. For this reason, each API's access pattern needs to be analyzed separately to determine the correct response.
Yet another factor revealed by recent reports is that a significant number of attacks originate internally: users with valid credentials and legitimate access to systems use that access to attack them. Policy-based authentication and authorization are not designed to prevent these insider attacks, because the insider passes both checks.
Even if we could apply more rules and policies to an API gateway to protect against the attacks described here—an unlikely scenario—the additional overhead on the API gateway would be unacceptable. Enterprises cannot afford to frustrate genuine users by asking them to bear the processing delays of their API gateways. Instead, gateways need to process valid requests without blocking or slowing user API calls.
Adding an AI Security Layer
The cracks left by policy-based API protections alone make the need clear: modern security teams need artificial intelligence-based API security to detect and respond to dynamic attacks and to the unique access profile of each API. By applying AI models that continuously inspect and report on all API activity, it is possible to automatically discover anomalous API activity and threats across API infrastructures that traditional methods miss.
Even where standard security measures do eventually detect anomalies and risks, research has shown that this can take months. By contrast, using pre-built models based on user access patterns, an AI-driven security layer makes it possible to detect some attacks in near real time.
Importantly, AI engines usually run outside the API gateway and communicate their decisions to it. Because the gateway does not spend its own processing power on this analysis, adding AI-based security usually does not affect runtime performance. The trade-off worth noting is that the decision arrives asynchronously, so the first requests of an attack may reach the backend before the gateway is told to block the rest.
By applying policy-based and AI-based API security measures together, organizations are well prepared to identify and block sophisticated API attacks. Let’s look at three common attack scenarios.
Login system attacks: Bad actors use credential stuffing and other brute-force attacks to test credentials leaked on the dark web and find which are still valid, then use the compromised credentials to access API services. Bots may run aggressive attacks or slow ones designed to blend in with normal login failures. AI models trained on users' previous access patterns can detect both kinds and trigger the API gateway to block them.
Data extraction or theft: Hackers use APIs to steal files, photos, credit card information, and personal data from accounts reachable through an API. Since normal outbound activity on one API may be an attack on a different API, AI-based security solutions use their understanding of each API to detect both short bursts and extended-duration data exfiltration and trigger an appropriate response from the API gateway. The gateway can stop the message at the gateway level and return an appropriate error to the client.
Targeted API DDoS attacks: Hackers tune attacks to stay below rate limits and exploit API vulnerabilities with finely crafted distributed denial of service (DDoS) attacks to disable services. Here again, AI models based on the user access pattern for a given API identify potential attacks and trigger the gateway to invoke rate-limiting policies.
Given the critical role of APIs in enterprises today, they are increasingly becoming targets for hackers and malicious users. Policy-based mechanisms, such as authentication, authorization, payload scanning, schema validation, throttling, and rate-limiting are baseline requirements for implementing a successful API security strategy. However, only by adding AI models to continuously inspect and report on all API activity will enterprises be protected against the most sophisticated security attacks emerging today.
1Gartner, “How to Build an Effective API Security Strategy,” by Mark O'Neill, Dionisio Zumerle, Jeremy D'Hoinne, December 8, 2017.