How to Get API Threat Hunting Off the Ground

This is the fourth and final post of our blog series on the importance of API threat hunting – and how to get your own API threat hunting program off the ground. If you haven’t already, check out the other posts in this series:

In this concluding post, let’s explore the steps that most organizations are taking to protect their APIs today – and what critical pieces are missing to detect the types of sophisticated attack techniques described in the real-world examples from our last two posts.

What steps do organizations take today to protect their APIs?

Many organizations approach API security by focusing on these three pillars:

  • Centralized Authorization – First, implementing a centralized authorization engine for all API access ports will reduce API vulnerability risk by heading off mistakes in development that result in flawed authorization mechanisms.
  • API Testing – A second important practice is API testing. Testing for all vulnerabilities, especially broken authorization, using both static code analysis and dynamic testing, will surface issues early in the development process. This increases the chances that they will be remediated before they are deployed to production and potentially discovered by a threat actor.
  • Runtime Protections – The third foundational pillar is a set of runtime protections for the production environment. Even the most proactive teams won’t catch every vulnerability in advance of deployment. So, it’s essential to inspect user access to production data and prevent exploitation of known categories of vulnerabilities to the extent possible.

These three practices provide an excellent foundation for your API security strategy. But it’s also important to remember that they aren’t perfect or comprehensive. For example, even organizations with centralized authorization do not have a guarantee that developers will always follow best practices. API testing can cause information overload, and prioritization can be challenging in light of all of the daily demands on development and security teams. And finally, existing application protection tools are often good at detecting known attack patterns but less capable of detecting more nuanced threats like the BOLA vulnerabilities we covered in this series.

How can you build on this foundation with more advanced API threat detection techniques?

One of the keys to detecting and mitigating BOLA and other nuanced API vulnerabilities is to model the relationships between the entities involved in API activity. This includes actors, such as users, trying to access resources, in addition to the resources themselves. If you can map these connections between the actor entities and business process entities interacting with an API, it unlocks the ability to differentiate between legitimate and illegitimate activity when analyzing otherwise identical API events.
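As an added example (not code from this post or from Neosec), the sketch below shows how a relationship model turns otherwise identical API events into a BOLA signal: it learns which actors are legitimately tied to each resource from business events (creation, assignment) and flags successful reads by actors with no such tie. The ride-hailing API, its paths and every sample event are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample API events for a hypothetical ride-hailing API, in time order.
# "resource" is the id returned by a create call; "assigned" is the driver that a
# dispatch service attached to a trip. None of this is real traffic.
EVENTS = [
    {"actor": "rider-7", "method": "POST", "path": "/trips", "status": 201, "resource": "trip-100"},
    {"actor": "dispatch-svc", "method": "POST", "path": "/trips/trip-100/driver", "status": 200, "assigned": "driver-3"},
    {"actor": "rider-7", "method": "GET", "path": "/trips/trip-100", "status": 200},
    {"actor": "driver-3", "method": "GET", "path": "/trips/trip-100", "status": 200},
    {"actor": "driver-9", "method": "GET", "path": "/trips/trip-100", "status": 200},
    {"actor": "rider-2", "method": "POST", "path": "/trips", "status": 201, "resource": "trip-101"},
    {"actor": "driver-9", "method": "GET", "path": "/trips/trip-101", "status": 200},
    {"actor": "rider-2", "method": "GET", "path": "/trips/trip-101", "status": 200},
]

TRIP_PATH = re.compile(r"^/trips/(?P<trip>[\w-]+)(?P<sub>/[\w-]+)?$")

def hunt_bola(events):
    """Walk events in order, learn actor<->trip relationships, flag reads by unrelated actors."""
    related = defaultdict(set)   # trip id -> actors with a recorded business relationship
    findings = []
    for ev in events:
        m = TRIP_PATH.match(ev["path"])
        # Relationship-building events: the rider creating a trip, dispatch assigning a driver.
        if ev["method"] == "POST" and ev["path"] == "/trips" and ev["status"] == 201:
            related[ev["resource"]].add(ev["actor"])
        elif m and ev["method"] == "POST" and m.group("sub") == "/driver" and ev["status"] == 200:
            related[m.group("trip")].add(ev["assigned"])
        # Access events: a successful read of a trip by an actor with no relationship to it
        # is a BOLA candidate, although the request looks identical to a legitimate one.
        elif m and ev["method"] == "GET" and m.group("sub") is None and ev["status"] == 200:
            trip = m.group("trip")
            if ev["actor"] not in related[trip]:
                findings.append({"actor": ev["actor"], "trip": trip, "related": sorted(related[trip])})
    return findings

def actors_by_hits(findings):
    """Rank flagged actors by how many unrelated trips they read (an enumeration signal)."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["actor"]] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for f in hunt_bola(EVENTS):
        print(f"possible BOLA: {f['actor']} read {f['trip']} (related actors: {f['related']})")
    print("ranking:", actors_by_hits(hunt_bola(EVENTS)))
```

Only successful (200) reads are flagged here; on a real hunt, the denied attempts preceding a success are usually worth keeping as context for the same actor.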

For a more detailed overview of this concept and how it applies to the Uber and Scoolio examples we shared in our previous posts, check out this excerpt from our recent webinar, “API Threat Hunting: Anatomy of an API Attack.”


Where to start

The approaches and techniques shown in the clip above may seem like a leap from where you are today with your API practices, but closing the gap isn’t as hard as it appears. The best way to get started is by focusing on three core objectives:

API Security Recommendations

You can’t protect APIs that you don’t know about. So effective API protection starts with an up-to-date API inventory and security posture assessment. Similarly, as you develop your API security monitoring capabilities, it’s important to extend them to both production and non-production API implementations. And most importantly, your API monitoring and enforcement must extend beyond actions alone and consider the relationships between the entities involved in your API activity. This will allow you to find vulnerabilities and protection gaps and enforce compliance with intended API usage models. Understanding behavior within your APIs will allow you to see any abuse.

If this approach resonates with you, Neosec can help guide you along this journey.

Request a free trial of the Neosec platform today to see how we can connect the dots across all of your API activity and relationships and mitigate the risks outlined in this blog series.

In the meantime, we also encourage you to check out the full replay of the API threat hunting webinar excerpted above.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Tal Leibovich. Read the original post at: https://www.neosec.com/blog/how-to-get-api-threat-hunting-off-the-ground