APIs: Threat prevention as important as detection

Application developers have made one thing clear in recent years: APIs are now the tool of choice for efficiently creating fully-featured apps across web and mobile platforms. Businesses are now trusting APIs to exchange information, including sensitive data such as payment details and account login credentials.

This preference for APIs, in turn, has brought a new class of cyber threats. Unless your organization is ready to pay close attention to its API environment and defend against the latest advanced threats, you may find your APIs have become a preferred attack target, with new security risks emerging all the time.

The primary way to keep data as safe as possible involves unified API protection, meaning your organization is able to discover its potential attack surface, detect real-time threats and prevent those threats natively, and in real-time. It’s important to not overlook that third step, prevention, especially because some API security products stop short of actually offering countermeasures.

Why is API threat prevention so important?

API threat prevention is such a high priority because of the dire consequences that can result when organizations don’t have adequate defenses in place. Common API-related attacks, such as system compromise due to weak authentication, account takeovers and sensitive data exfiltration can lead to regulatory fines, reputation damage and major monetary losses.

APIs have become popular with both developers and threat actors:

● Of the 21.1 billion application requests measured in the second half of 2021, over two-thirds, 14.4 billion, were API-based.

● Four-fifths of all blocked traffic during the same time period was also API-based.

With APIs powering so many applications and also attracting so much attention from attackers, it’s vitally important for every company to have a threat prevention strategy in place specifically focusing on API attacks.

As common API vulnerability types and risk factors IT security teams can expect to deal with, the Open Web Application Security Project (OWASP) API Security Top 10 list provides a useful primer. The two most popular threats on the list involve threat actors using broken access control features to break into systems. At No. 3 on the list is inadvertent sensitive data exposure due to cryptographic failures. Each of these risks is more often than not the result of coding errors on the back end.

Other issues highlighted by OWASP include misconfigured security features, authentication problems, outdated components and design flaws. With attackers targeting so many aspects of APIs and the applications they power, it’s essential for IT security departments to have comprehensive threat prevention tools in place.

What are the best practices of API threat prevention?

Threat prevention encompasses a few different potential responses to harmful traffic. As soon as an organization detects an attack targeting its APIs, the security solution should counter the incoming traffic with the appropriate action. This could involve:

Blocking the source of the attack.

Rate limiting access to the company’s APIs.

Geo-fencing to block access from certain regions or addresses.

Deception, which makes the attack appear successful.

This response should involve a heavy automation component, to prevent the delays and labor associated with manual processes. Rather than having to formulate a threat prevention response for each instance of malicious activity, an IT security team can trust that customized or default rules and machine learning models will identify the attack and provide the appropriate response.

A well-configured rules and ML engine can not only ensure every attack is met with the correct response, but it can also prevent false positives, in which legitimate API traffic is blocked. This is an important consideration because so much of a given organization’s data interchange will occur via APIs and attackers are adept at making their malicious actions appear legitimate. It’s important to keep the APIs running smoothly while also providing security.

How do you combine API threat detection with prevention?

Seamless integration is the key concept for providing a unified API threat prevention experience.

API threat prevention should also be closely integrated with API discovery and detection tools, ensuring that every risk factor and vulnerability identified by these solution elements receive a timely, appropriate and automated response. The only way to ensure a rapid response is to look for a solution that natively mitigates threats, without the need to rely on 3rd-party security tool integration.

API threat prevention tools that take advantage of this close integration can protect against both known threat types and emerging threats, as cataloged by the API discovery and detection solution components.

With advanced ML-based detection of API threats, it’s possible to tell the system to protect common theft targets such as credit card information and Social Security numbers, but also intellectual property or credentials relevant to their industries.What does Unified API Protection mean?

Unified API Protection goes beyond limited API security tools to address every phase of an organization’s API protection lifecycle.

● First, organizations must discover their entire API attack surface, using both outside-in and inside-out methods to see what attackers will see. This includes finding shadow APIs, deprecated and outdated components and more potential risk factors.

● Then, businesses need to employ real-time API threat detection methods to prevent all kinds of harmful traffic. Systems should be able to guard against both known threats and emerging threats, all according to customized rules.

● Finally, as discussed above, IT security teams require comprehensive API threat prevention tools. These must be capable of providing customized and automated responses based on the type of harmful traffic detected, whether that means blocking, limiting or even deceiving the attack.

Putting these API-focused advanced threat protection components together provides a more comprehensive approach to data defense than would be possible with a web of disconnected API security tools that only deal with parts of today’s varied threat environment.

Considering the overwhelming popularity of API-based development, it’s likely that your organization already maintains numerous APIs, with more to come over time. Protecting that potential attack surface is therefore a fundamental cybersecurity need.

Jason Kent

For over the last 20 years, Jason has been ethically peering into Client Behaviour, Wireless Networks, Web Applications, APIs and Cloud Systems, helping organisations secure their assets and intellectual property from unauthorised access. As a consultant he's taken hundreds of organisations through difficult compliance mine fields, ensuring their safety. As a researcher he has found flaws in consumer IOT systems and assisted in hardening them against external attacks. At Cequence Security Jason does research, community outreach and supports efforts in identifying Automated Attacks against Web, Mobile, and API-based Applications to keep Cequence's customers safe.

Ab Initio partners with BT Group to deliver big data

Luke Conrad • 24th October 2022

AI is becoming an increasingly important element of the digital transformation of many businesses. As well as introducing new opportunities, it also poses a number of challenges for IT teams and the data teams supporting them. Ab Initio has announced a partnership with BT Group to implement its big data management solutions on BT’s internal...

WAICF – Dive into AI visiting one of the most...

Delia Salinas • 10th March 2022

Every year Cannes held an international technological event called World Artificial Intelligence Cannes Festival, better known by its acronym WAICF. One of the most luxurious cities around the world, located on the French Riviera and host of the annual Cannes Film Festival, Midem, and Cannes Lions International Festival of Creativity. 

Bouncing back from a natural disaster with resilience

Amber Donovan-Stevens • 16th December 2021

In the last decade, we’ve seen some of the most extreme weather events since records began, all driven by our human impact on the plant. Businesses are rapidly trying to implement new green policies to do their part, but climate change has also forced businesses to adapt and redefine their disaster recovery approach. Curtis Preston,...