
What’s Needed For Effective API Threat Hunting?

A proactive and systematic threat hunting program is an effective step your organization can take to improve its security posture. Finding and containing threats before they escalate into major incidents will head off adverse business impacts and improve the overall quality of life for your security team.

But most organizations cannot do as much threat hunting as they should be doing. Security teams face relentless waves of reactive triage and response, leaving little time or resources for proactive measures like threat hunting.

This problem escalates if APIs are added to the threat hunting focus. Many organizations are still getting the fundamentals like API discovery and threat detection in place. And even when those capabilities exist, the volume of API data makes it difficult to capture and analyze at scale. In fact, most first-generation API products actually just discard API data as soon as it has been analyzed.

But as the API security industry moves to cloud-scale approaches guided by AI and behavioral analytics, API threat hunting is becoming much more practical. The following are some steps that Neosec customers are taking to move beyond detection to create proactive API threat hunting playbooks.

Capture and store meaningful API data sets

The first thing you need for API threat hunting is a richer and more meaningful data set. If your current API security tools analyze and discard data on the fly your threat hunters won’t have the visibility they need to find active API threats in your environments.

At Neosec, we tap into the scale of the cloud to collect and present API activity and threat data over long windows of time – generally 30 days or more. In addition to enabling more sophisticated detection and response, this data is also tremendously valuable for API threat hunting.

Most API threats develop and escalate gradually. Threat actors generally need to probe for weaknesses, experiment, and iterate their techniques over time to find and exploit API attack vectors. So the first step in creating an effective API threat hunting playbook is to think bigger in terms of how much API data you capture and how long you store it. This ensures that you’re able to connect the individual actions that threat actors are taking to form a complete picture.

Start with a timeline

Find the stories hidden in your API data

Of course, once you begin collecting large volumes of data about your APIs and activity, it can be challenging for threat hunters to select a place to dive in. Neosec customers generally start their threat hunting activities by picking a point on a rolling timeline.

You can’t possibly analyze every API transaction. But you can zero in on meaningful points in time and then analyze activity flows as a jumping-off point for threat hunting activities.

Sometimes, you get threat intel from an external source, such as a list of IP addresses that are currently launching attacks against others in your vertical. With a few clicks, you can search for their presence in your data and view their entire activity history.

At other times, you may get a call from one of your partners, complaining about the API behaving in a finicky manner. Being able to easily zero in on the API calls on the partner activity timeline is a lifesaver in such situations and speeds up any investigation.

Your threat hunters can make proactive analysis of the API activity and threat timeline an ongoing discipline. Or, at the very least, they have the API equivalent of a digital video recorder (DVR). When suspicious API activity is detected, or when threat hunters form hypotheses about potential API threats, they can “roll back the tape” on all of your organization’s API activity and security alerts and pick a starting point for deeper investigation.

Link multiple API events into meaningful alerts

Even when threat hunters narrow their focus to a specific point on the timeline, information overload remains a risk. Because API activity is programmatic in nature, the volume and characteristics of individual events often make them impractical for humans to analyze.


Neosec helps API threat hunters overcome this challenge in two ways:

  1. Enriching API and activity data with business context
  2. Correlating individual events into meaningful alerts

Translating specific API calls – and the actors involved – into human-understandable terms with relevance to your business makes API threat data much more approachable and useful for threat hunters.

Similarly, correlating the many API calls and threat detection events present in your API activity data into meaningful alerts makes it more practical and efficient for threat hunters to understand what is happening and progress their investigations in constructive ways.

Make API activity data easy to query and investigate


As your threat hunters progress with their investigations, they will likely form hypotheses that require testing and validation. So, it’s important to do more than just provide a feed of alerts. Threat hunters need an easily accessible way to query your underlying API threat data to dig deeper into a specific alert – or look for related threats.

For example, if they are investigating an instance of possible API abuse that uses a specific business partner’s credentials, a logical next step is to perform a query focused on that specific partner that spans a longer time horizon.

Similarly, if a threat hunter discovers abuse of a specific business process, such as invoicing, they will want to zero in on just that activity type but expand their view to a wider time horizon. And after an attack has been identified – it is important to look for similar attack patterns throughout all API activity data – as attackers often reuse their tactics, techniques and procedures.

In these and many other cases, giving threat hunters an easy way to advance investigations and test hypotheses on the fly will lead to better outcomes.
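The following Python script is an added example, not Neosec's code or a description of the Neosec platform. Over a handful of constructed JSON-per-line API gateway log records it shows the three moves described above and in the timeline section: enriching opaque API keys and paths with business context (partner name, business process), correlating single calls into two kinds of alert (one credential walking object ids on a resource; one source address producing a burst of authentication failures), and the pivots a threat hunter runs next (every call from a threat-intel IP list; one partner or one business process over a wider time window). The log field names, the partner and process mappings, the thresholds and the rule names are all assumptions.

```python
"""Enrich, correlate and query API access-log events (added example, not Neosec code)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of a JSON-per-line API gateway log.
# Partner A behaves normally. The address 198.51.100.9 first produces a burst of
# 401s with guessed keys, then uses key-partner-b to walk sequential invoice ids.
LOG_LINES = [
    '{"ts":"2024-03-01T09:58:00Z","src_ip":"198.51.100.9","api_key":"key-guess-1","method":"GET","path":"/v1/invoices/2001","status":401}',
    '{"ts":"2024-03-01T09:58:05Z","src_ip":"198.51.100.9","api_key":"key-guess-2","method":"GET","path":"/v1/invoices/2001","status":401}',
    '{"ts":"2024-03-01T09:58:09Z","src_ip":"198.51.100.9","api_key":"key-guess-3","method":"GET","path":"/v1/invoices/2001","status":401}',
    '{"ts":"2024-03-01T10:00:01Z","src_ip":"203.0.113.7","api_key":"key-partner-a","method":"GET","path":"/v1/invoices/1001","status":200}',
    '{"ts":"2024-03-01T10:00:30Z","src_ip":"198.51.100.9","api_key":"key-partner-b","method":"GET","path":"/v1/invoices/2001","status":200}',
    '{"ts":"2024-03-01T10:00:45Z","src_ip":"198.51.100.9","api_key":"key-partner-b","method":"GET","path":"/v1/invoices/2002","status":200}',
    '{"ts":"2024-03-01T10:01:00Z","src_ip":"198.51.100.9","api_key":"key-partner-b","method":"GET","path":"/v1/invoices/2003","status":200}',
    '{"ts":"2024-03-01T10:01:15Z","src_ip":"198.51.100.9","api_key":"key-partner-b","method":"GET","path":"/v1/invoices/2004","status":200}',
    '{"ts":"2024-03-01T10:01:30Z","src_ip":"198.51.100.9","api_key":"key-partner-b","method":"GET","path":"/v1/invoices/2005","status":200}',
    '{"ts":"2024-03-01T10:01:45Z","src_ip":"198.51.100.9","api_key":"key-partner-b","method":"GET","path":"/v1/invoices/2006","status":200}',
    '{"ts":"2024-03-01T10:05:00Z","src_ip":"203.0.113.7","api_key":"key-partner-a","method":"POST","path":"/v1/shipments","status":201}',
]

# Business context that turns opaque identifiers into names (constructed mappings).
PARTNERS = {"key-partner-a": "Acme Logistics", "key-partner-b": "Globex Retail"}
PROCESSES = {"/v1/invoices": "invoicing", "/v1/shipments": "shipping"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(lines):
    """Parse log lines, split object ids off the path, and attach business context."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = _ts(rec["ts"])
        resource, _, last = rec["path"].rpartition("/")
        rec["resource"] = resource if last.isdigit() else rec["path"]
        rec["object_id"] = last if last.isdigit() else None
        rec["partner"] = PARTNERS.get(rec["api_key"], "unknown")
        rec["process"] = PROCESSES.get(rec["resource"], "other")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def _windows(evs, window):
    """For each event as a start point, yield it with the events that follow it within the window."""
    for i, start in enumerate(evs):
        yield start, [x for x in evs[i:] if x["ts"] - start["ts"] <= window]


def correlate(events, window=timedelta(minutes=5), enum_min=5, fail_min=3):
    """Fold single calls into alerts: one credential enumerating object ids on a
    resource, and one source address producing a burst of authentication failures."""
    by_key, by_ip = defaultdict(list), defaultdict(list)
    for e in events:
        if e["status"] in (401, 403):
            by_ip[e["src_ip"]].append(e)
        elif e["object_id"] is not None:
            by_key[(e["api_key"], e["resource"])].append(e)
    alerts = []
    for (key, resource), evs in by_key.items():
        for start, hits in _windows(evs, window):
            ids = {x["object_id"] for x in hits}
            if len(ids) >= enum_min:
                alerts.append({"rule": "object_enumeration", "actor": key, "resource": resource,
                               "partner": start["partner"], "process": start["process"],
                               "src_ips": sorted({x["src_ip"] for x in hits}),
                               "first_seen": start["ts"].isoformat(), "distinct_ids": len(ids)})
                break  # one alert per actor and resource, not one per call
    for ip, evs in by_ip.items():
        for start, hits in _windows(evs, window):
            if len(hits) >= fail_min:
                alerts.append({"rule": "auth_failure_burst", "actor": ip,
                               "keys_tried": len({x["api_key"] for x in hits}),
                               "first_seen": start["ts"].isoformat(), "failures": len(hits)})
                break
    return sorted(alerts, key=lambda a: a["first_seen"])


def hunt_by_indicators(events, ip_list):
    """Threat-intel pivot: the full activity history of the listed source addresses."""
    wanted = set(ip_list)
    return [e for e in events if e["src_ip"] in wanted]


def hunt_by_partner(events, partner, since, until, process=None):
    """Hypothesis pivot: one partner, optionally one business process, over a wider window."""
    lo, hi = _ts(since), _ts(until)
    return [e for e in events if e["partner"] == partner and lo <= e["ts"] <= hi
            and (process is None or e["process"] == process)]


if __name__ == "__main__":
    evs = parse_events(LOG_LINES)
    for alert in correlate(evs):
        print(alert)
    print(len(hunt_by_indicators(evs, ["198.51.100.9"])), "calls from the threat-intel address list")
```

The two alerts come out in time order, and each carries the partner and business process rather than a bare key and path, which is what lets a hunter read "Globex Retail's credential enumerating invoices from an address that had just been guessing keys" instead of eleven unrelated log lines. The pivots deliberately take the widest reasonable window so that a partner or process query reaches back across the whole retained data set rather than only the alert's own few minutes.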

Engage API threat response playbooks


The time and effort that goes into API threat hunting will only yield a payoff if you have systematic ways to turn threat hunting findings into meaningful improvements to your security posture. Therefore, creating playbooks for addressing different types of threats is essential.

These playbooks can take many forms depending on the nature of the threat discovered. But in all cases, you should look for ways to automate the resulting response. This will close the loop on resolution while keeping threat hunters focused on high-value investigatory work.

Examples of API threat hunting playbooks include:

  • Alerting security operations to respond to an active attack.
  • Proactively setting a new policy in your API gateway to mitigate or cut off a newly discovered attack vector.
  • Opening a ticket or bug report with your development team with guidance on how to eliminate an API vulnerability.

Tap into specialized API threat hunting expertise

Neosec’s open architecture makes internal threat hunting teams self-sufficient as they expand their investigatory capabilities to include APIs. But API threat hunting is also an area where access to specialized expertise on demand can be extremely valuable.

Neosec’s ShadowHunt, our managed threat hunting capability, is a great way to engage focused API security expertise and generate momentum with your overarching API protection efforts. Our threat hunters act as an extension of your team but bring a level of focus – as well as deep expertise on the Neosec platform – that will improve the effectiveness of your API security team.

Take the first step

While building a robust API threat hunting capability may seem daunting, you can create the necessary foundation in minutes. Visit neosec.com to access a free trial of our 100 percent cloud-based API security platform.


*** This is a Security Bloggers Network syndicated blog from Blog authored by Neosec Team. Read the original post at: https://www.neosec.com/blog/whats-needed-for-effective-api-threat-hunting