The Unique TTPs Attackers Use To Target APIs

Uploaded on 2023-09-07 in TECHNOLOGY--Hackers, TECHNOLOGY--Developments, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Application Programming Interfaces (APIs) are the connective tissue for all things digital today and they play an integral role in business and revenue generation. They act as gateways to both highly sensitive Personally Identifiable Information (PII) and operations, such as authentication, authorisation, credit checks, and payment flows, making them a lucrative target for attackers. Consequently, attackers will go to extraordinary lengths to compromise them.

APIs can be exploited in numerous ways and these are well documented by the OWASP Project which has just updated its Top 10 API Security Risks. Perhaps the developer failed to implement authentication mechanisms correctly, allowed the API to share too much information, or configured it wrongly. But even if the developer followed the API specification to the letter and deployed a secure API, this can still be compromised using business logic abuse, which sees the legitimate processing of the API used against itself.

Anomalous Behaviour

Because of this, it’s the attacker’s behaviour that will give them away which means signature-based defences are powerless against API attacks. These behaviours are revealed in the Tactics, Techniques and Procedures (TTPs) used to achieve the attacker’s aims. Tactics refers to the when, what, how of the attack and the overall strategy while techniques are the methods used to obtain those ends. Both together will reveal particular patterns of attack while procedures refers to the step-by-step process the attacker then follows.    

According to the API Protection Report 2H 2002, the number of unique TTPs rose from 2,000 in June to over 11,000 in November of last year, as attackers sought to target APIs and exploit new ones launched ahead of the holiday shopping period at the end of the year. It’s at these times that you can really analyse the TTPs being used and how attackers are manipulating network traffic. Attackers will tweak or modify their payloads, generating unique attack fingerprints.

But how do you tell the difference between an attacker and legitimate web traffic? After all, demand for goods and services during specific holiday seasons always ramps up, leading to huge surges in traffic.

This is a problem because this entropy or randomness provides the attacker with the ideal way to mask their activities and evade detection. They will of course contribute to this entropy level but can hide within it, evading standalone firewalls and volumetric anomaly detecting software.

Tracking TTPs 

Examining the count of TTPs across an attack timeline can reveal the volume and spread of attack payloads related to application, infrastructure, and API security. 

The Cequence threat research team monitored web traffic during the last three months of last year, when entropy was high, revealed a significant spike in unique TTPs, five times higher than normal. These TTPs use fingerprint rotation, that sees the attacker alter each request made to the API just slightly in an attempt to make it more difficult to detect their activity.

Automated or bot traffic also increased, as revealed by the detection of higher volumes of anomalous traffic which was up 220% . Sustained higher traffic volumes also jumper, that is traffic above expected thresholds for an extended timeframe, also jumped 550%. Another key giveaway was the lack of entropy ie randomness, with traffic behaviour being too consistent and perfect to be generated by a human, which was up 450%.

Further analysis of the unique TTPs revealed they had three very specific end goals: account takeover, scraping as both a form of reconnaissance and in order to facilitate data exfiltration, and hunting for business logic flaws that could be used to commit retail, banking or telecom fraud. 

In addition to the unique TTPs, there was a surge in the usual TTPs one would expect, such as account aggregation (the collection and validation of multiple account credentials), layer 3 reputation, layer 3 rotation, session rotation (replacing a user session with a new one and a new ID), and credential stuffing (stolen credentials being used against a target login or registration API). 

Key Takeaways

So, what does this activity tell us? It reveals that attack patterns are not ad-hoc. There’s a clear ramp up in activity but this is not a matter of throwing mud at the wall and seeing how much sticks; these assaults are organised, for the large part automated, and the attacks cycle through various techniques both in order to evade detection and to achieve their end goal. 

Those end goals are for the main part financially motivated, be it the exfiltration of data to then use in further attacks or to carry out fraud. But the high volumetric attacks might also aim to divert or exhaust resources and/or cause outages.

Finally, network traffic is in a state of flux during these peak times and that, together with user entropy, makes it very difficult to monitor, detect and respond to these types of attack. Web Application Firewalls (WAFs) are powerless and anomalous traffic solutions struggle to determine what is genuine and what is malicious activity. Any form of attack analysis and defence has to be behaviour based but it also has to be able to identify and fingerprint those TTPs. 

The rise in both unique and traditional TTPs underscores the importance for organisations to adopt a comprehensive and proactive approach to their API security.

By conducting regular API threat surface assessments, API specification anomaly detection, and implementing real-time automated threat (bot) detection and mitigation measures, businesses can prevent attacks from progressing beyond the reconnaissance stages, limiting the impact of any potential business disruption and security events irrespective of the time of year. 

Andy Mills is VP for EMEA at Cequence Security                                        Image: Champpixs

You Might Also Read:

Perfectly Coded APIs Can Be Susceptible To Attack:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Establishing A Digital Immune System
Can Shortening The Cyber Stack Increase Stability? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Computer & Communications Industry Association (CCIA)

Computer & Communications Industry Association (CCIA)

CCIA supports efforts to facilitate and streamline information sharing on cyber threats between the private sector and the Federal Government.

2Secure

2Secure

2Secure is one of Sweden's largest private security companies. Service inlcude personal security, corporate security, information and cyber security.

SecurityScorecard

SecurityScorecard

SecurityScorecard provides the most accurate security ratings & continuous risk monitoring for vendor and third party risk management.

Seric Systems

Seric Systems

Seric is a technology business specialising in security, infrastructure and data management.

Synelixis Solutions

Synelixis Solutions

Synelixis Solutions is a high-tech company founded to provide complete telecommunications, networking, security, control and automation solutions.

Genians

Genians

Genians provides the industry’s leading Network Access Control (NAC) solution, which ensures full visibility of all IP-enabled devices regardless of whether they are wired, wireless, or virtual.

Westminster Insight - Cyber Security Conference

Westminster Insight - Cyber Security Conference

Join colleagues this December for Westminster Insight’s Cyber Security Conference, as you’ll assess how new technologies such as AI can secure your organisation against future threats.

Pentera Security

Pentera Security

Pentera (formerly Pcysys) is focused on the inside threat. Our automated penetration-testing platform mimics the hacker's attack - automating the discovery of vulnerabilities.

Corsha

Corsha

Corsha is on a mission to simplify API security and allow enterprises to embrace modernization, complex deployments, and hybrid environments with confidence.

Nucleus Security

Nucleus Security

Nucleus is a leading Vulnerability Management platform for Large Enterprises, MSPs/MSSPs, and Application Security Teams that want more from their vulnerability management tools.

Edureka

Edureka

Edureka is an online technology training provider with the most effective learning system in the world. We help professionals learn trending technologies for career growth.

Exabeam Cyberversity

Exabeam Cyberversity

Exabeam Cyberversity is a philanthropic program to help aspiring cybersecurity professionals navigate career options and increase industry-wide diversity through knowledge sharing and networking.

Swissbit

Swissbit

Swissbit AG is the leading European manufacturer of storage, security and embedded IoT solutions for demanding applications.

Eureka Security

Eureka Security

Eureka help organizations securely use any cloud data storage technology they need without having to compromise on security.

Primus Institute of Technology

Primus Institute of Technology

At Primus Institute of Technology our mission is to inspire, support, and empower current and aspiring IT professionals through training and career development workshops.

Cyber Octet

Cyber Octet

Cyber Octet is an IT Solution, Security, Training and Services company. We provide training and services from Web Application Security to ISO 27001 implementation.