The Unique TTPs Attackers Use To Target APIs

Application Programming Interfaces (APIs) are the connective tissue for all things digital today and they play an integral role in business and revenue generation. They act as gateways to both highly sensitive Personally Identifiable Information (PII) and operations, such as authentication, authorisation, credit checks, and payment flows, making them a lucrative target for attackers. Consequently, attackers will go to extraordinary lengths to compromise them.

APIs can be exploited in numerous ways and these are well documented by the OWASP Project which has just updated its Top 10 API Security Risks. Perhaps the developer failed to implement authentication mechanisms correctly, allowed the API to share too much information, or configured it wrongly. But even if the developer followed the API specification to the letter and deployed a secure API, this can still be compromised using business logic abuse, which sees the legitimate processing of the API used against itself.

Anomalous Behaviour

Because of this, it's the attacker's behaviour that gives them away, which means signature-based defences are powerless against API attacks. That behaviour is revealed in the Tactics, Techniques and Procedures (TTPs) used to achieve the attacker's aims. Tactics describe the when, what and how of the attack and its overall strategy; techniques are the methods used to obtain those ends; together the two reveal particular patterns of attack, while procedures are the step-by-step process the attacker then follows.

According to the API Protection Report 2H 2002, the number of unique TTPs rose from 2,000 in June to over 11,000 in November of last year, as attackers sought to target APIs and exploit new ones launched ahead of the holiday shopping period at the end of the year. It’s at these times that you can really analyse the TTPs being used and how attackers are manipulating network traffic. Attackers will tweak or modify their payloads, generating unique attack fingerprints.

But how do you tell the difference between an attacker and legitimate web traffic? After all, demand for goods and services during specific holiday seasons always ramps up, leading to huge surges in traffic.

This is a problem because that entropy, or randomness, gives the attacker an ideal way to mask their activity and evade detection. Their traffic adds to the entropy, but it can also hide within it, evading standalone firewalls and volumetric anomaly-detection software.

Tracking TTPs

Examining the count of TTPs across an attack timeline can reveal the volume and spread of attack payloads related to application, infrastructure, and API security. 

During the last three months of last year, when entropy was high, the Cequence threat research team monitored web traffic and found a significant spike in unique TTPs, five times higher than normal. These TTPs use fingerprint rotation, in which the attacker alters each request made to the API just slightly in an attempt to make their activity more difficult to detect.

Automated or bot traffic also increased, as revealed by the detection of higher volumes of anomalous traffic, which was up 220%. Sustained high traffic volumes, that is traffic above expected thresholds for an extended timeframe, also jumped 550%. Another key giveaway was a lack of entropy, i.e. randomness: traffic behaviour too consistent and perfect to be generated by a human, which was up 450%.
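As an added example (not from the article, and not Cequence's own detection logic), the following Python scores each client on the three signals the last two paragraphs describe: sustained request volume above a threshold, request timing too regular to be human, and a request fingerprint that rotates on nearly every call. The log, the client names and the thresholds are all constructed for illustration.

```python
import random
import statistics
from collections import defaultdict

def build_sample_log():
    """Constructed sample log (not real traffic): (timestamp_s, client_id, user_agent)."""
    rng = random.Random(7)
    log, t = [], 0.0
    for i in range(240):            # bot: one request every 0.5 s for 120 s, User-Agent rotates every call
        t += 0.5
        log.append((t, "bot-client", f"Mozilla/5.0 (build {i % 37})"))
    t = 0.0
    for _ in range(40):             # human: irregular gaps, one stable User-Agent
        t += rng.uniform(0.3, 9.0)
        log.append((t, "human-client", "Mozilla/5.0 (Windows NT 10.0) Chrome/110"))
    return sorted(log)

def client_features(log, window=10.0):
    """Per client: request counts per time window, timing regularity (CV of gaps), UA rotation rate."""
    by_client = defaultdict(list)
    for ts, client, ua in log:
        by_client[client].append((ts, ua))
    feats = {}
    for client, reqs in by_client.items():
        reqs.sort()
        ts = [r[0] for r in reqs]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        # Coefficient of variation of inter-request gaps: near 0 means machine-regular timing
        cv = statistics.pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap > 0 else float("nan")
        ua_changes = sum(1 for a, b in zip(reqs, reqs[1:]) if a[1] != b[1])
        counts = defaultdict(int)
        for t in ts:
            counts[int(t // window)] += 1
        feats[client] = {"cv": cv, "rotation": ua_changes / max(len(reqs) - 1, 1), "counts": counts}
    return feats

def longest_run_over(counts, threshold):
    """Longest run of consecutive windows whose request count exceeds the threshold."""
    run = best = 0
    for w in range(min(counts), max(counts) + 1):
        run = run + 1 if counts.get(w, 0) > threshold else 0
        best = max(best, run)
    return best

def classify(feats, rate_threshold=10, min_windows=6, cv_max=0.1, rotation_min=0.5):
    """Return the list of triggered signals per client (empty list means nothing flagged)."""
    verdicts = {}
    for client, f in feats.items():
        reasons = []
        if longest_run_over(f["counts"], rate_threshold) >= min_windows:
            reasons.append("sustained-volume")
        if f["cv"] < cv_max:                       # NaN compares False, so lone requests never trigger
            reasons.append("low-entropy-timing")
        if f["rotation"] >= rotation_min:
            reasons.append("fingerprint-rotation")
        verdicts[client] = reasons
    return verdicts
```

The thresholds here are illustrative; in practice they are tuned per endpoint against a baseline captured outside the peak period, since the holiday surge raises the legitimate rate as well.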

Further analysis of the unique TTPs revealed they had three very specific end goals: account takeover, scraping as both a form of reconnaissance and in order to facilitate data exfiltration, and hunting for business logic flaws that could be used to commit retail, banking or telecom fraud. 

In addition to the unique TTPs, there was a surge in the usual TTPs one would expect, such as account aggregation (the collection and validation of multiple account credentials), layer 3 reputation, layer 3 rotation, session rotation (replacing a user session with a new one and a new ID), and credential stuffing (stolen credentials being used against a target login or registration API). 

Key Takeaways

So, what does this activity tell us? It reveals that attack patterns are not ad hoc. There's a clear ramp-up in activity, but this is not a matter of throwing mud at the wall and seeing how much sticks; these assaults are organised, for the large part automated, and the attacks cycle through various techniques both to evade detection and to achieve their end goal.

Those end goals are for the main part financially motivated, be it the exfiltration of data to then use in further attacks or to carry out fraud. But the high volumetric attacks might also aim to divert or exhaust resources and/or cause outages.

Finally, network traffic is in a state of flux during these peak times and that, together with user entropy, makes it very difficult to monitor, detect and respond to these types of attack. Web Application Firewalls (WAFs) are powerless, and anomalous-traffic solutions struggle to determine what is genuine and what is malicious activity. Any form of attack analysis and defence has to be behaviour-based, but it also has to be able to identify and fingerprint those TTPs.

The rise in both unique and traditional TTPs underscores the importance for organisations to adopt a comprehensive and proactive approach to their API security.

By conducting regular API threat surface assessments, API specification anomaly detection, and implementing real-time automated threat (bot) detection and mitigation measures, businesses can prevent attacks from progressing beyond the reconnaissance stages, limiting the impact of any potential business disruption and security events irrespective of the time of year. 

Andy Mills is VP for EMEA at Cequence Security
