The Unique TTPs Attackers Use To Target APIs

Uploaded on 2023-09-07 in TECHNOLOGY--Hackers, TECHNOLOGY--Developments, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Application Programming Interfaces (APIs) are the connective tissue for all things digital today and they play an integral role in business and revenue generation. They act as gateways to both highly sensitive Personally Identifiable Information (PII) and operations, such as authentication, authorisation, credit checks, and payment flows, making them a lucrative target for attackers. Consequently, attackers will go to extraordinary lengths to compromise them.

APIs can be exploited in numerous ways and these are well documented by the OWASP Project which has just updated its Top 10 API Security Risks. Perhaps the developer failed to implement authentication mechanisms correctly, allowed the API to share too much information, or configured it wrongly. But even if the developer followed the API specification to the letter and deployed a secure API, this can still be compromised using business logic abuse, which sees the legitimate processing of the API used against itself.

Anomalous Behaviour

Because of this, it’s the attacker’s behaviour that will give them away which means signature-based defences are powerless against API attacks. These behaviours are revealed in the Tactics, Techniques and Procedures (TTPs) used to achieve the attacker’s aims. Tactics refers to the when, what, how of the attack and the overall strategy while techniques are the methods used to obtain those ends. Both together will reveal particular patterns of attack while procedures refers to the step-by-step process the attacker then follows.    

According to the API Protection Report 2H 2002, the number of unique TTPs rose from 2,000 in June to over 11,000 in November of last year, as attackers sought to target APIs and exploit new ones launched ahead of the holiday shopping period at the end of the year. It’s at these times that you can really analyse the TTPs being used and how attackers are manipulating network traffic. Attackers will tweak or modify their payloads, generating unique attack fingerprints.

But how do you tell the difference between an attacker and legitimate web traffic? After all, demand for goods and services during specific holiday seasons always ramps up, leading to huge surges in traffic.

This is a problem because this entropy or randomness provides the attacker with the ideal way to mask their activities and evade detection. They will of course contribute to this entropy level but can hide within it, evading standalone firewalls and volumetric anomaly detecting software.

Tracking TTPs 

Examining the count of TTPs across an attack timeline can reveal the volume and spread of attack payloads related to application, infrastructure, and API security. 

The Cequence threat research team monitored web traffic during the last three months of last year, when entropy was high, revealed a significant spike in unique TTPs, five times higher than normal. These TTPs use fingerprint rotation, that sees the attacker alter each request made to the API just slightly in an attempt to make it more difficult to detect their activity.

Automated or bot traffic also increased, as revealed by the detection of higher volumes of anomalous traffic which was up 220% . Sustained higher traffic volumes also jumper, that is traffic above expected thresholds for an extended timeframe, also jumped 550%. Another key giveaway was the lack of entropy ie randomness, with traffic behaviour being too consistent and perfect to be generated by a human, which was up 450%.

Further analysis of the unique TTPs revealed they had three very specific end goals: account takeover, scraping as both a form of reconnaissance and in order to facilitate data exfiltration, and hunting for business logic flaws that could be used to commit retail, banking or telecom fraud. 

In addition to the unique TTPs, there was a surge in the usual TTPs one would expect, such as account aggregation (the collection and validation of multiple account credentials), layer 3 reputation, layer 3 rotation, session rotation (replacing a user session with a new one and a new ID), and credential stuffing (stolen credentials being used against a target login or registration API). 

Key Takeaways

So, what does this activity tell us? It reveals that attack patterns are not ad-hoc. There’s a clear ramp up in activity but this is not a matter of throwing mud at the wall and seeing how much sticks; these assaults are organised, for the large part automated, and the attacks cycle through various techniques both in order to evade detection and to achieve their end goal. 

Those end goals are for the main part financially motivated, be it the exfiltration of data to then use in further attacks or to carry out fraud. But the high volumetric attacks might also aim to divert or exhaust resources and/or cause outages.

Finally, network traffic is in a state of flux during these peak times and that, together with user entropy, makes it very difficult to monitor, detect and respond to these types of attack. Web Application Firewalls (WAFs) are powerless and anomalous traffic solutions struggle to determine what is genuine and what is malicious activity. Any form of attack analysis and defence has to be behaviour based but it also has to be able to identify and fingerprint those TTPs. 

The rise in both unique and traditional TTPs underscores the importance for organisations to adopt a comprehensive and proactive approach to their API security.

By conducting regular API threat surface assessments, API specification anomaly detection, and implementing real-time automated threat (bot) detection and mitigation measures, businesses can prevent attacks from progressing beyond the reconnaissance stages, limiting the impact of any potential business disruption and security events irrespective of the time of year. 

Andy Mills is VP for EMEA at Cequence Security                                        Image: Champpixs

You Might Also Read:

Perfectly Coded APIs Can Be Susceptible To Attack:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Establishing A Digital Immune System
Can Shortening The Cyber Stack Increase Stability? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Information Security Group (ISG) - Royal Holloway

Information Security Group (ISG) - Royal Holloway

The Information Security Group, Royal Holloway, University of London, is an Academic Centres of Excellence in Cyber Security Research.

HDI

HDI

HDI is the worldwide professional association and certification body for the technical service and support industry.

Momentum

Momentum

The Cyber Security team at Momentum offers a professional and specialist recruitment service across Cyber & IT Security.

Cyber DriveWare

Cyber DriveWare

DriveWare analyzes new traffic in the I/O layer and blocks malware and cyber attacks which organizations have no means to protect against.

Sequitur Labs

Sequitur Labs

Sequitur Labs is developing seminal technologies and solutions to secure and manage connected devices of today and in the future.

SEON Technologies

SEON Technologies

At SEON we strive to help online businesses reduce the costs, time, and challenges faced due to fraud.

DeVry University - Cyber Security Degree

DeVry University - Cyber Security Degree

Explore the dynamic world of data protection with a hybrid or online cyber security degree specialization with DeVry's IT & Networking Bachelor's Degree.

NWN Corp

NWN Corp

NWN Corporation is a leading Cloud Communications Service Provider (CCSP) focused on transforming the customer and workspace experience for commercial, enterprise and public sector organizations.

Graylog

Graylog

Graylog provides answers to your team’s security, application, and IT infrastructure questions by enabling you to combine, enrich, correlate, query, and visualize all your log data in one place.

MainNerve

MainNerve

MainNerve helps secure networks, applications, people, and facilities… enabling businesses to reduce risk and increase their cybersecurity posture.

Trusted Security Solutions (TSS)

Trusted Security Solutions (TSS)

TSS are specialist in IT Security and providing Cybersecurity Solutions & Services combined with storage and backup.

Marlink

Marlink

Marlink smartly integrates hybrid, future-ready network solutions so you can benefit from the best available connectivity and IT to accelerate your digitalisation and empower your remote operations.

Commission Nationale de l'Informatique et des Libertés (CNIL)

Commission Nationale de l'Informatique et des Libertés (CNIL)

The mission of CNIL is to protect personal data, support innovation, and preserve individual liberties.

ClearSky Cyber Security

ClearSky Cyber Security

ClearSky cyber security provides cyber solutions, focused on threat intelligence services, mainly for the financial sector, critical infrastructure, public sector and the pharma sector.

Actelis Networks

Actelis Networks

Actelis Networks is a market leader in cyber-hardened, rapid deployment networking solutions for wide-area IoT applications.

Manifest

Manifest

Manifest is a cybersecurity company dedicated to helping enterprises secure their software supply chains.