The Unique TTPs Attackers Use To Target APIs

Application Programming Interfaces (APIs) are the connective tissue for all things digital today and they play an integral role in business and revenue generation. They act as gateways to both highly sensitive Personally Identifiable Information (PII) and operations, such as authentication, authorisation, credit checks, and payment flows, making them a lucrative target for attackers. Consequently, attackers will go to extraordinary lengths to compromise them.

APIs can be exploited in numerous ways and these are well documented by the OWASP Project which has just updated its Top 10 API Security Risks. Perhaps the developer failed to implement authentication mechanisms correctly, allowed the API to share too much information, or configured it wrongly. But even if the developer followed the API specification to the letter and deployed a secure API, this can still be compromised using business logic abuse, which sees the legitimate processing of the API used against itself.

Anomalous Behaviour

Because of this, it’s the attacker’s behaviour that gives them away, which means signature-based defences are powerless against API attacks. That behaviour is revealed in the Tactics, Techniques and Procedures (TTPs) used to achieve the attacker’s aims. Tactics refers to the when, what and how of the attack and the overall strategy, while techniques are the methods used to obtain those ends. Together they reveal particular patterns of attack, while procedures refers to the step-by-step process the attacker then follows.

According to the API Protection Report 2H 2002, the number of unique TTPs rose from 2,000 in June to over 11,000 in November of last year, as attackers sought to target APIs and exploit new ones launched ahead of the holiday shopping period at the end of the year. It’s at these times that you can really analyse the TTPs being used and how attackers are manipulating network traffic. Attackers will tweak or modify their payloads, generating unique attack fingerprints.

But how do you tell the difference between an attacker and legitimate web traffic? After all, demand for goods and services during specific holiday seasons always ramps up, leading to huge surges in traffic.

This is a problem because this entropy, or randomness, provides the attacker with the ideal way to mask their activities and evade detection. Attackers will of course contribute to this entropy level, but they can also hide within it, evading standalone firewalls and volumetric anomaly detection software.

Tracking TTPs

Examining the count of TTPs across an attack timeline can reveal the volume and spread of attack payloads related to application, infrastructure, and API security.

When the Cequence threat research team monitored web traffic during the last three months of last year, when entropy was high, it found a significant spike in unique TTPs, five times higher than normal. These TTPs use fingerprint rotation, which sees the attacker alter each request made to the API just slightly in an attempt to make their activity more difficult to detect.

Automated or bot traffic also increased, as revealed by the detection of higher volumes of anomalous traffic, which was up 220%. Sustained higher traffic volumes, that is traffic above expected thresholds for an extended timeframe, jumped 550%. Another key giveaway was a lack of entropy, i.e. randomness, with traffic behaviour too consistent and perfect to be generated by a human; this was up 450%.
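As an added example, not code from the article or from Cequence, the following Python scores one client's request stream against the three behavioural signals described above: fingerprint rotation, machine-regular timing (a lack of entropy) and sustained volume above an expected baseline. The access records, IP addresses, fingerprint values and thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample API access records: (timestamp_s, client_ip, fingerprint), where
# "fingerprint" stands in for a request fingerprint such as a hash of User-Agent and header order.
SAMPLE_LOG = [
    (0.0, "198.51.100.7", "fp-A"),   # human-like: one fingerprint,
    (3.7, "198.51.100.7", "fp-A"),   # irregular gaps between requests
    (11.2, "198.51.100.7", "fp-A"),
    (0.0, "203.0.113.9", "fp-1"),    # automated: new fingerprint on every
    (0.5, "203.0.113.9", "fp-2"),    # request, metronomic 0.5 s spacing
    (1.0, "203.0.113.9", "fp-3"),
    (1.5, "203.0.113.9", "fp-4"),
    (2.0, "203.0.113.9", "fp-5"),
]

def by_client(records):
    """Group records per client IP in time order: {ip: [(ts, fingerprint), ...]}."""
    groups = defaultdict(list)
    for ts, ip, fp in sorted(records):
        groups[ip].append((ts, fp))
    return groups

def fingerprint_rotation_ratio(events):
    """Distinct fingerprints per request; 1.0 means the client changed it on every call."""
    return len({fp for _, fp in events}) / len(events)

def timing_cv(events):
    """Coefficient of variation of inter-arrival gaps; near 0 means machine-paced timing."""
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    if len(gaps) < 2:
        return None  # too few requests to judge regularity
    mean = sum(gaps) / len(gaps)
    return math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps)) / mean if mean else 0.0

def sustained_fraction(events, window_s, baseline_rps):
    """Share of fixed-size windows whose request rate exceeds the expected baseline."""
    t0 = events[0][0]
    counts = [0] * (int((events[-1][0] - t0) // window_s) + 1)
    for ts, _ in events:
        counts[int((ts - t0) // window_s)] += 1
    return sum(1 for c in counts if c / window_s > baseline_rps) / len(counts)

def classify(events, rotation=0.8, max_cv=0.1, sustained=0.5, baseline_rps=1.0):
    """Return the behavioural signals that fire for one client's request stream."""
    cv = timing_cv(events)
    checks = [
        ("fingerprint_rotation", fingerprint_rotation_ratio(events) >= rotation),
        ("low_timing_entropy", cv is not None and cv < max_cv),
        ("sustained_volume", sustained_fraction(events, 1.0, baseline_rps) >= sustained),
    ]
    return [name for name, fired in checks if fired]
```

In real traffic the thresholds would be set from a per-endpoint baseline measured outside the peak period, since a single signal firing on its own is weak evidence.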

Further analysis of the unique TTPs revealed that they had three very specific end goals: account takeover, scraping both as a form of reconnaissance and in order to facilitate data exfiltration, and hunting for business logic flaws that could be used to commit retail, banking or telecom fraud.

In addition to the unique TTPs, there was a surge in the usual TTPs one would expect, such as account aggregation (the collection and validation of multiple account credentials), layer 3 reputation, layer 3 rotation, session rotation (replacing a user session with a new one and a new ID), and credential stuffing (stolen credentials being used against a target login or registration API). 

Key Takeaways

So, what does this activity tell us? It reveals that attack patterns are not ad-hoc. There’s a clear ramp up in activity but this is not a matter of throwing mud at the wall and seeing how much sticks; these assaults are organised, for the large part automated, and the attacks cycle through various techniques both in order to evade detection and to achieve their end goal. 

Those end goals are for the main part financially motivated, be it the exfiltration of data to then use in further attacks or to carry out fraud. But the high volumetric attacks might also aim to divert or exhaust resources and/or cause outages.

Finally, network traffic is in a state of flux during these peak times and that, together with user entropy, makes it very difficult to monitor, detect and respond to these types of attack. Web Application Firewalls (WAFs) are powerless and anomalous traffic solutions struggle to determine what is genuine and what is malicious activity. Any form of attack analysis and defence has to be behaviour based but it also has to be able to identify and fingerprint those TTPs. 

The rise in both unique and traditional TTPs underscores the importance for organisations to adopt a comprehensive and proactive approach to their API security.

By conducting regular API threat surface assessments, API specification anomaly detection, and implementing real-time automated threat (bot) detection and mitigation measures, businesses can prevent attacks from progressing beyond the reconnaissance stages, limiting the impact of any potential business disruption and security events irrespective of the time of year. 

Andy Mills is VP for EMEA at Cequence Security
