API growth is presenting opportunity for cyber criminals
APIs are big business, and adoption of application programming interfaces (APIs) is estimated to grow dramatically this year. According to Forrester Research, in a study commissioned by Imperva, almost half (49%) of organizations have between 25 and 250 internally published APIs, and 60% have that many public APIs, with both numbers set to increase this year.
APIs are regarded as essential to digitalization, enabling applications, containers, and microservices to exchange data and information quickly so customers experience more convenience on their digital devices. In the same Imperva report, more than three-quarters (78%) of business leaders say APIs are important to keep the business competitive, particularly for connecting with customers (88%) and for improving data ownership and management (83%).
This is all great stuff for business productivity and performance, but the flip side is that with this growth in APIs comes greater opportunities for cyber criminals.
According to figures from Salt Security, 95% of companies have had an API security incident in the past 12 months, and API attack traffic has grown by 681%. API vulnerabilities are costing businesses up to $75bn annually.
How threat actors are utilizing APIs
Last year alone we witnessed several high-profile breaches in which hackers used API vulnerabilities as an effective attack method. The Optus breach saw 2.1 million users’ personal information stolen, Twitter had 5.4 million users’ data exfiltrated, and the vulnerability in Lego’s BrickLink API, found by Salt Security, demonstrated how common vulnerabilities in publicly exposed APIs are.
As we become ever more connected through digital mediums, APIs are becoming part of our daily communications. Once an API is compromised, it gives an attacker a route to business-critical information or a foothold from which to move laterally through the organizational network.
Attackers gain access to an API relatively easily through several techniques, some more sophisticated than others. Injection attacks, DDoS attacks, authentication hijacking and man-in-the-middle (MITM) attacks are the most common. However, the absence of proper cyber security governance is also a huge contributing factor to the problem.
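Two of the techniques listed above, injection and reaching other users' records through a hijacked or borrowed session, usually come down to the same few lines of handler code. The following is an added example, not code from the original article or from any of the vendors it cites: a hypothetical order-lookup endpoint backed by an in-memory SQLite table with constructed sample rows, shown first in its vulnerable form and then hardened. The table layout, function names and sample data are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data (not from any real system): two customers, three orders.
# Columns: order id, owning user id, item.
SAMPLE_ORDERS = [
    (1, 1, "laptop"),
    (2, 1, "monitor"),
    (3, 2, "phone"),
]


def setup_db():
    """Build the hypothetical orders table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    db.commit()
    return db


def vulnerable_get_order(db, order_id):
    # Two defects: the client-supplied id is spliced straight into the SQL string
    # (injection), and nothing ties the order to the caller, so any session that
    # is authenticated at all can read every customer's orders.
    query = f"SELECT id, user_id, item FROM orders WHERE id = {order_id}"
    return db.execute(query).fetchall()


def hardened_get_order(db, caller_user_id, order_id):
    # 1. Validate the parameter's type before it gets anywhere near the database.
    try:
        order_id = int(order_id)
    except (TypeError, ValueError):
        raise ValueError("order_id must be an integer")
    # 2. Bind it as a parameter so it can never alter the query's structure.
    # 3. Scope the lookup to the caller's own records: the authorization check
    #    is part of the query itself, not something a later code path might skip.
    return db.execute(
        "SELECT id, user_id, item FROM orders WHERE id = ? AND user_id = ?",
        (order_id, caller_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, injected id:", vulnerable_get_order(db, "1 OR 1=1"))  # every row
    print("hardened, own order:    ", hardened_get_order(db, 1, "1"))
    print("hardened, other's order:", hardened_get_order(db, 1, "3"))        # None
```

The payload `1 OR 1=1` turns the vulnerable handler's `WHERE` clause into one that matches every row, which is exactly the kind of mass-exfiltration path the breaches above relied on. The hardened version refuses the payload outright and, even for a well-formed id, returns nothing unless the record belongs to the authenticated caller.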
Shadow IT has been a real problem for at least the last five years, and shadow APIs are following the same trend and becoming as big an issue. The drivers are a lack of communication between development, network and security teams, together with insufficient visibility into what is actually deployed across the organization.
Individuals and departments want to do their jobs as efficiently as possible. Where internal bureaucracy and governance get in the way, employees regularly obtain unsanctioned third-party software or applications, and APIs get published without security reviews or controls, leaving doors unlocked for cyber criminals to crawl through.
How to defend against API cyber attacks
To help keep these API doors firmly shut, there are steps businesses can take.
First and foremost, have a deep understanding of your API infrastructure. Security hygiene is often overlooked but should be a regular task, so that no misconfiguration or missing patch goes unnoticed. Patch management tools and vulnerability scanners can help overloaded security and network teams automate some of this work.
Applying a role-based access control policy is a straightforward way to limit an individual’s or group’s access to internal resources. You can do this through Zero Trust Network Access (ZTNA), where security teams can quickly apply controls that limit employees to certain internal assets, restricting them to only the data they need to do their job effectively.
Moving to a zero trust architecture limits lateral movement and access to data. Many principles make up zero trust, but in its simplest form the philosophy is: trust no device or connection on your network, and limit movement between devices and applications by enforcing segmentation and authentication at every interaction. It works much like an onion, putting additional protections around and within each segment. Employee access can be further limited according to where the individual is geographically, the device they are using, their internal permissions and the data they are trying to reach.
Secondly, visibility is essential: you can’t defend against what you can’t see, and you can’t act on vulnerabilities unless you understand what is connected and communicating on your network. Network Detection and Response (NDR) platforms provide great insight into assets on the network and the communication patterns between systems and users. Add machine learning and anomalies or malicious behaviour can be identified quickly, so that appropriate action can be taken.
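Understanding your API infrastructure starts with knowing which endpoints actually receive traffic, which is also the practical way to surface the shadow APIs described earlier. The following is an added example, not code from the original article or from any vendor it names: it compares a documented route inventory (a hypothetical OpenAPI-style list of method and path templates) against constructed gateway access-log lines and reports every route that is being served but was never published. The route list, the log format and the sample lines are all assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed inventory of the routes the team has documented and reviewed, in
# OpenAPI-style path-template form. Hypothetical, not a real specification.
DOCUMENTED_ROUTES = [
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
]

# Constructed gateway access-log lines in the form "method path status".
ACCESS_LOG = """\
GET /api/v1/users/42 200
GET /api/v1/orders/7 200
POST /api/v1/orders 201
GET /api/v1/users/42/export 200
GET /api/v1/users/43/export 200
GET /internal/debug/config 200
GET /api/v1/orders/7 404
GET /api/v2/orders/7 200
""".splitlines()


def route_pattern(template):
    """Compile "/api/v1/users/{id}" into a regex matching exactly one path segment per {param}."""
    parts = [
        "[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
        for seg in template.strip("/").split("/")
    ]
    return re.compile("^/" + "/".join(parts) + "$")


def normalize(path):
    """Collapse numeric segments so /orders/7 and /orders/8 are reported as one route."""
    return "/" + "/".join("{id}" if seg.isdigit() else seg for seg in path.strip("/").split("/"))


def find_shadow_routes(documented, log_lines):
    """Return a Counter of (method, normalized path) seen in traffic but absent from the inventory."""
    compiled = [(method, route_pattern(template)) for method, template in documented]
    unknown = Counter()
    for line in log_lines:
        method, path, _status = line.split()
        if not any(m == method and pattern.match(path) for m, pattern in compiled):
            unknown[(method, normalize(path))] += 1
    return unknown


if __name__ == "__main__":
    for (method, route), hits in find_shadow_routes(DOCUMENTED_ROUTES, ACCESS_LOG).most_common():
        print(f"UNDOCUMENTED {method} {route} ({hits} requests)")
```

On the sample log this flags `/api/v1/users/{id}/export`, `/internal/debug/config` and `/api/v2/orders/{id}`. A `/users/{id}` template deliberately does not match `/users/42/export`: a sub-resource nobody reviewed is precisely the sort of endpoint that ends up exposing data. Run the same comparison on real gateway logs and the output is the list of routes that need an owner, a review, or a firewall rule.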
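The role-based and contextual controls in the two paragraphs above meet in a policy decision point that every API request passes through. The following is an added example, not code from the original article or from any ZTNA product: a hypothetical deny-by-default authorizer that combines role permissions with the request context (MFA, device posture, region) and explains each refusal. The role map, the set of sensitive resources, the allowed regions and the request fields are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# Hypothetical role-to-permission map: each role grants (action, resource) pairs.
ROLE_PERMISSIONS = {
    "support": {("read", "orders")},
    "finance": {("read", "orders"), ("read", "invoices"), ("export", "invoices")},
    "admin": {("read", "orders"), ("read", "invoices"), ("export", "invoices"), ("write", "users")},
}

# Assumed data classes that carry extra conditions, and the regions access is allowed from.
SENSITIVE_RESOURCES = {"invoices", "users"}
ALLOWED_REGIONS = {"GB", "IE"}


@dataclass
class Request:
    user: str
    roles: set
    action: str
    resource: str
    device_managed: bool   # device posture: enrolled and compliant
    mfa: bool              # session was established with a second factor
    region: str            # geolocation of the connection


def authorize(req):
    """Deny by default: return (allowed, reason). Every condition must hold for an allow."""
    # Session strength: no second factor, no access, regardless of role.
    if not req.mfa:
        return False, "mfa required"
    # Geography: connections from outside the allowed regions are refused outright.
    if req.region not in ALLOWED_REGIONS:
        return False, f"region {req.region} not allowed"
    # Role-based check: the union of the caller's roles must grant this exact action.
    granted = set().union(*(ROLE_PERMISSIONS.get(role, set()) for role in req.roles))
    if (req.action, req.resource) not in granted:
        return False, f"role lacks {req.action}:{req.resource}"
    # Device posture: sensitive data only reaches managed devices, even for permitted roles.
    if req.resource in SENSITIVE_RESOURCES and not req.device_managed:
        return False, "sensitive data requires a managed device"
    return True, "allow"


if __name__ == "__main__":
    for req in (
        Request("alice", {"support"}, "read", "orders", False, True, "GB"),
        Request("alice", {"support"}, "read", "invoices", True, True, "GB"),
        Request("bob", {"finance"}, "export", "invoices", False, True, "GB"),
        Request("bob", {"finance"}, "export", "invoices", True, True, "US"),
    ):
        print(req.user, req.action, req.resource, "->", authorize(req))
```

The ordering matters: the cheap, coarse checks (MFA, region) run before the role lookup, and the device-posture condition is evaluated only for data that warrants it, so a support agent on an unmanaged laptop can still read orders but a finance user on the same laptop cannot export invoices. Each refusal carries a reason so the decision can be logged and reviewed rather than silently dropped.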
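The anomaly detection the paragraph above attributes to NDR platforms can be illustrated without a product. The following is an added example, not code from the original article or from any NDR vendor: two detectors run over a constructed API access log, one flagging a client whose request volume in a minute far exceeds its own baseline, the other flagging a client whose share of 401/403 responses looks like credential stuffing. The baseline here is a simple robust statistic (median plus a multiple of the median absolute deviation), not a machine-learning model, and the log format, client addresses and thresholds are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed log lines, one per request: 'timestamp client method path status'."""
    lines = []
    # 10.0.0.5: a steady 4-5 requests per minute for four minutes, then a 60-request burst.
    for minute, count in enumerate([4, 5, 4, 5, 60]):
        for i in range(count):
            lines.append(f"2024-01-01T10:{minute:02d}:{i % 60:02d} 10.0.0.5 GET /api/v1/orders/{i} 200")
    # 10.0.0.9: a quiet, legitimate client.
    for minute, count in enumerate([3, 3, 4, 3, 3]):
        for i in range(count):
            lines.append(f"2024-01-01T10:{minute:02d}:{i:02d} 10.0.0.9 GET /api/v1/orders/{i} 200")
    # 203.0.113.7: twenty login attempts in one minute, eighteen of them rejected.
    for i in range(20):
        status = 200 if i < 2 else 401
        lines.append(f"2024-01-01T10:02:{i:02d} 203.0.113.7 POST /api/v1/login {status}")
    return lines


def parse(line):
    """Split a log line; the timestamp is truncated to the minute to form the bucket key."""
    ts, client, method, path, status = line.split()
    return ts[:16], client, method, path, int(status)


def volume_anomalies(lines, k=10.0, min_count=20):
    """Per client, flag minutes whose request count exceeds median + k * MAD of that client's minutes."""
    per_client = defaultdict(lambda: defaultdict(int))
    for line in lines:
        minute, client, _method, _path, _status = parse(line)
        per_client[client][minute] += 1
    alerts = []
    for client, minutes in per_client.items():
        counts = list(minutes.values())
        med = median(counts)
        # Floor the MAD at 1 so a perfectly flat baseline still produces a usable threshold.
        mad = max(median(abs(c - med) for c in counts), 1.0)
        for minute, count in sorted(minutes.items()):
            if count >= min_count and count > med + k * mad:
                alerts.append((client, minute, count))
    return alerts


def auth_failure_anomalies(lines, min_attempts=10, max_ratio=0.5):
    """Flag (client, minute) pairs where most responses were 401/403 across enough attempts."""
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for line in lines:
        minute, client, _method, _path, status = parse(line)
        attempts[(client, minute)] += 1
        if status in (401, 403):
            failures[(client, minute)] += 1
    alerts = []
    for key, n in sorted(attempts.items()):
        ratio = failures[key] / n
        if n >= min_attempts and ratio > max_ratio:
            alerts.append((key[0], key[1], n, round(ratio, 2)))
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    for client, minute, count in volume_anomalies(log):
        print(f"VOLUME  {client} {minute} {count} requests")
    for client, minute, n, ratio in auth_failure_anomalies(log):
        print(f"AUTHFAIL {client} {minute} {n} attempts, {ratio:.0%} rejected")
```

The volume detector compares each client with its own history rather than with a global average, so the quiet client is never flagged for being merely busier than usual, and the `min_count` floor keeps a client that goes from one request to four from raising an alert. The login client never trips the volume rule (it has a single minute of history, so there is nothing to deviate from) but is caught by the failure-ratio rule, which is why both signals are worth running side by side.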
Collaboration of teams
Ensuring that your SecOps team partners with your DevOps team is key to integrating automated security testing tools, and to getting the benefit of machine learning that distinguishes normal API behavior from malicious traffic.
And of course, there are specific tools which can be deployed to monitor and control code being developed by DevOps teams before it is pushed out into the production environment. These systems are controlled and monitored by security, but it’s important to give DevOps flexibility by providing predefined secure code templates or by scanning the code prior to its release. These systems can also scan the dependencies connecting to the API to ensure secure connections between containers, operating systems and applications before traffic is allowed to flow.
Cybersecurity is ever evolving, and so are the threats we face, with APIs now high on the list of attack methods. It is important for security teams to understand the company infrastructure in detail, and the threats associated with their industry, so that they can make the best-informed decisions about their technology and knowledge gaps. The only way we can reduce our risk is to apply a layered approach.