API becomes the first choice for malicious attacks in 2022. How can enterprises protect API security?


With the vigorous development of cloud computing, the mobile Internet, and the Internet of Things, more and more application development depends heavily on calls between APIs. Especially since the epidemic became a long-term condition, online applications such as collaborative office tools, online education, live streaming and short video have flourished. APIs not only connect services but also carry data, so as the absolute number of APIs keeps growing, the volume of data transmitted through APIs grows rapidly as well. According to Ruishu Information's "2021 Bots Automation Threat Report", APIs, as a lightweight technology, are highly favored by corporate organizations worldwide, and application interfaces have shown explosive growth. Compared with 2019, API traffic in 2020 increased by 2.8 times year-on-year, and 44% of companies are building and maintaining 100 or more APIs.

At the same time, APIs are becoming a key target for attackers. According to Salt Security's "State of API Security Report, Q3 2021", in the first half of 2021, overall API traffic increased by 141%, while API attack traffic increased by 348%. Attack traffic against APIs is growing at three times the rate of normal API traffic. The report also found that security issues topped the list of concerns for API projects, and few respondents felt confident in identifying and preventing API attacks.

This is because the widespread use and linking of APIs provide a wide attack surface for malicious attackers. Once an API is successfully attacked, a large amount of core business logic and sensitive data of the enterprise can be obtained. In addition, many enterprises do not know how many APIs they have, and cannot guarantee that each API has good access control. Forgotten shadow APIs and zombie APIs provide attackers with easy opportunities. Compared with traditional Web forms, attacking APIs is cheaper and more valuable.

Because of this, several high-profile API attack incidents occurred in 2021 and drew widespread attention across industries. For example: attackers obtained the data of more than 700 million LinkedIn users through API vulnerabilities and sold it on the dark web; attackers exploited API security vulnerabilities on the Parler website and illegally obtained more than 60TB of data from 10 million users; and Clubhouse leaked 1.3 million user records due to API security vulnerabilities.

It can be predicted that attacks against APIs will become the first choice of malicious attackers in 2022. More and more hackers will use APIs to steal sensitive data and commit business fraud. It is imperative to build a security protection system for APIs.

Under emerging network threats, the limitations of traditional API gateways are highlighted

A grim fact is that API authentication and authorization mechanisms are by now relatively mature, while control over what a caller does after it has been authorized remains weak. The granularity of that control varies with the business needs of each API interface; while coarse control is convenient for callers, it can also be exploited maliciously, bringing the risk of information leakage and abuse. APIs were designed for program-to-program calls, so their use is inherently tool-driven, and abuse of APIs through automated tools under legitimate authorization has become the hard problem of API attacks. On the provider side, for ease of use and management, APIs are often opened too widely and return overly broad sets of parameters, which can likewise be exploited and invisibly create the risk of information leakage and abuse. Against this kind of abuse, the identity authentication, permission control, rate limiting, and request content verification offered by traditional API security gateways are therefore almost useless.

For example, the identity authentication mechanism may carry risks such as single-factor authentication, no password strength requirements, and plaintext password transmission, while the typical access authorization risk is users holding more rights than they actually need. At the same time, even when identity authentication, access authorization, and sensitive data protection are all in place, it is sometimes still impossible to stop attackers who circumvent rate limits by using machines to simulate normal user behavior and spreading their requests across a large number of proxy IPs to carry out large-scale attacks.

In today's open Internet scenario, API applications and deployments are aimed at different user groups such as individuals, enterprises, and organizations. They are one of the main targets of external network attacks, so we need to be vigilant against external security threats. Common network attacks against APIs include: replay attacks, DDoS attacks, injection attacks, session cookie tampering, man-in-the-middle attacks, content tampering, parameter tampering, etc. These new security threats are becoming more complex, diverse, hidden, and automated.

However, with the increasing openness of the API access environment, the rapid growth in the number of APIs, and the rapid change of the APIs themselves, earlier protection technologies such as traditional rule-based WAFs and API gateway authentication and authorization can no longer meet the protection needs for security issues such as API interface abuse, unauthorized access, zombie APIs, and information leakage. A new generation of integrated protection systems based on dynamic technology, bot identification, and behavioral analysis is gradually emerging.

Ruishu API Security Management Platform helps enterprises win the battle to protect API

Unlike many security vendors that approach API security from the gateway, Ruishu Information takes AI-supported behavioral analysis as its breakthrough point and has launched an integrated API protection solution, the Ruishu API Security Management Platform (API BotDefender). It combines API asset discovery, attack detection, parameter compliance detection, behavior detection, sensitive data identification, and interception and disposal of abnormal behavior, covering the entire chain from asset discovery to interception and disposal.

Specifically, Ruishu API security management platform (API BotDefender) includes four major modules: API asset management, attack protection, sensitive data management and access behavior management. Each module can work independently or collaboratively to provide a complete security management solution for API interfaces.

API Asset Management

Because the number of APIs is growing so fast, many companies do not know how many APIs they have or what state those APIs are in. Without in-depth API asset analysis, security teams cannot understand the true asset status of the enterprise's APIs, nor can they estimate the risk of data exposure.

Therefore, Ruishu Information introduced API asset management, which analyzes access traffic to automatically discover the API interfaces present in it, and then automatically identifies, sorts and groups them. At the same time, by obtaining API registration data from the API gateway and comparing it with the discovered API assets, previously unknown API interfaces can be found.
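The discovery-and-compare step described above, as an added example that is not part of the platform or the original article: endpoints are inferred from constructed access-log lines by collapsing identifier-like path segments, then diffed against a constructed stand-in for the gateway's route list to surface shadow or legacy APIs (all log lines, paths and the registry are assumptions for the demonstration).

```python
import re
from collections import defaultdict

# Constructed sample access-log lines ("METHOD PATH") as a traffic probe would see them.
ACCESS_LOG = """\
GET /api/v1/users/1001/profile
GET /api/v1/users/1002/profile
POST /api/v1/orders
GET /api/v1/orders/55031
GET /api/v1/orders/55032
GET /internal/v0/export/all
GET /api/v1/users/1003/profile
DELETE /api/legacy/accounts/42
"""

# Constructed stand-in for the route list exported from the API gateway (method, path template).
GATEWAY_REGISTRY = {
    ("GET", "/api/v1/users/{id}/profile"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}

# A path segment that is all digits, a long hex string, or a UUID is treated as an identifier.
_ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f-]{36})$")

def normalize(path: str) -> str:
    """Collapse identifier segments so /users/1001 and /users/1002 count as one API."""
    parts = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if _ID_SEGMENT.match(p) else p for p in parts)

def discover_apis(log_text: str) -> dict:
    """Group observed requests by (method, normalized path) and count hits per API."""
    seen = defaultdict(int)
    for line in log_text.splitlines():
        method, path = line.split(" ", 1)
        seen[(method, normalize(path))] += 1
    return dict(seen)

def find_unknown(observed: dict, registry: set) -> list:
    """APIs seen in traffic but absent from the gateway registry: shadow or legacy endpoints."""
    return sorted(api for api in observed if api not in registry)

if __name__ == "__main__":
    found = discover_apis(ACCESS_LOG)
    for api, hits in sorted(found.items()):
        print(api, hits)
    print("not registered at the gateway:", find_unknown(found, GATEWAY_REGISTRY))
```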

API Attack Protection

Through automated and varied network attacks on APIs, attackers can not only exhaust system resources and interrupt services, but also learn the structure of API applications and deployments through reverse engineering, monitor unencrypted data transmission, and steal corporate data.

In response, Ruishu Information uses an intelligent threat detection engine that combines rule matching with behavior analysis to continuously monitor and analyze traffic behavior and detect attacks effectively. The engine collects data from the interaction between users and applications and uses statistical models to identify anomalous HTTP requests. Once an anomaly is identified, the engine applies multiple machine-learned threat models to decide whether it is an attack and provides protection in real time. At the same time, API request parameters are checked for compliance, and non-compliant requests are controlled in real time.

Sensitive data control

If an enterprise neither masks sensitive information in its data nor encrypts it in transit, then once the traffic is intercepted and decoded, the rights and interests of both the enterprise and citizens are seriously affected. In addition, when unmasked data is transmitted to the front end, it may be cached by the receiving terminal, which can also expose sensitive data.

Ruishu API Security Management Platform (API BotDefender) will therefore identify and filter sensitive data such as mobile phone numbers, bank card numbers, ID card numbers, etc. during API transmission, and can desensitize or intercept sensitive data in real time to avoid data security risks.
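One way to implement the identification-and-masking step described above, as an added example that is not part of the platform or the original article: a JSON response body is walked recursively, string fields are classified as mobile number, bank card number (Luhn check) or 18-digit resident ID number (GB 11643 check digit), and matches are masked before the response leaves the API. The field names and sample values are constructed test data, not real records.

```python
import json
import re
_ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
_ID_CHECK = "10X98765432"

def is_luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def is_cn_id_valid(value: str) -> bool:
    """18-digit resident ID: weighted sum of the first 17 digits mod 11 selects the check char."""
    if not re.fullmatch(r"\d{17}[\dX]", value):
        return False
    return _ID_CHECK[sum(int(c) * w for c, w in zip(value, _ID_WEIGHTS)) % 11] == value[17]

def classify(value: str):
    """Sensitive-data class of a string field, or None if it is not sensitive."""
    if re.fullmatch(r"1[3-9]\d{9}", value):          # mainland mobile number format
        return "phone"
    if re.fullmatch(r"\d{16,19}", value) and is_luhn_valid(value):
        return "bank_card"
    if is_cn_id_valid(value):
        return "id_card"
    return None

def mask(value: str, kind: str) -> str:
    """Keep a recognisable head/tail so the user can still identify the record; hide the rest."""
    head, tail = {"phone": (3, 4), "bank_card": (0, 4), "id_card": (6, 0)}[kind]
    return value[:head] + "*" * (len(value) - head - tail) + value[len(value) - tail:]

def desensitize(obj):
    """Walk a decoded JSON body and mask every string that classifies as sensitive."""
    if isinstance(obj, dict):
        return {k: desensitize(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [desensitize(v) for v in obj]
    if isinstance(obj, str) and (kind := classify(obj)):
        return mask(obj, kind)
    return obj

def filter_response(body: str) -> str:
    """Apply masking to a JSON response body before it is returned to the client."""
    return json.dumps(desensitize(json.loads(body)), ensure_ascii=False)

# Constructed sample response; the numbers are well-known test values, not real records.
SAMPLE_RESPONSE = json.dumps({"user": {"mobile": "13812345678", "id_no": "11010519491231002X"},
                              "cards": [{"pan": "4111111111111111"}], "order_id": "2024031500011"})
```

Running `filter_response(SAMPLE_RESPONSE)` masks the three sensitive fields and leaves the 13-digit order number untouched, because it matches none of the three checks.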

Access behavior control module

Nowadays, most API attacks are carried out by logging in with legitimate identities, simulating normal operations and multi-source low-frequency requests, so it is difficult for enterprises to detect whether the access behavior is abnormal.

Ruishu API Security Management Platform (API BotDefender) monitors and analyzes the access behavior of API interfaces by establishing multi-dimensional access baselines and API threat models. On the one hand, it watches for deviations from the baseline and throttles high-frequency access to prevent API performance bottlenecks; on the other hand, it efficiently identifies abnormal access behavior to avoid business losses caused by malicious access.
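An added example, not code from the platform or the original article, of the two checks this section and the previous one describe: a per-API baseline of calls per account per time window is learned from constructed events, and a later window is then tested both for accounts whose call count deviates from that baseline and for accounts that spread a low-frequency stream over many source IPs, which a rate threshold alone would miss. Window length, the k-sigma threshold and the IP limit are assumptions chosen for the demonstration.

```python
import statistics
from collections import defaultdict

# Constructed access events: (window_index, api, account, source_ip).
# Windows 0-5 are the learning period; window 6 contains the activity to test.
EVENTS = []
for w in range(6):
    for n in range(20):  # normal: 20 calls per window spread over 4 accounts, one IP each
        EVENTS.append((w, "GET /api/v1/orders/{id}", f"acct{n % 4}", f"10.0.0.{n % 4}"))
# acct0: only 6 calls, but from 6 different IPs (multi-source, low-frequency pattern)
EVENTS += [(6, "GET /api/v1/orders/{id}", "acct0", f"203.0.113.{i}") for i in range(6)]
# acct1: a burst of 60 calls from its usual IP (rate deviation)
EVENTS += [(6, "GET /api/v1/orders/{id}", "acct1", "10.0.0.1")] * 60

def build_baseline(events, learn_windows):
    """Per-API mean and population stdev of calls per (account, window) in the learning period."""
    counts = defaultdict(int)
    for w, api, acct, _ in events:
        if w < learn_windows:
            counts[(api, acct, w)] += 1
    per_api = defaultdict(list)
    for (api, _, _), c in counts.items():
        per_api[api].append(c)
    return {api: (statistics.mean(v), statistics.pstdev(v)) for api, v in per_api.items()}

def detect(events, baseline, window, k=3.0, max_ips=5):
    """Return alerts for the given window: k-sigma rate deviation per (api, account), and
    accounts whose calls to one API come from more than max_ips distinct source IPs."""
    calls, ips = defaultdict(int), defaultdict(set)
    for w, api, acct, ip in events:
        if w == window:
            calls[(api, acct)] += 1
            ips[(api, acct)].add(ip)
    alerts = []
    for (api, acct), c in calls.items():
        mean, sd = baseline.get(api, (0.0, 0.0))
        if c > mean + k * max(sd, 1.0):  # floor on sd so a flat baseline still has a margin
            alerts.append((acct, "rate_deviation", c))
        if len(ips[(api, acct)]) > max_ips:
            alerts.append((acct, "multi_source", len(ips[(api, acct)])))
    return sorted(alerts)

if __name__ == "__main__":
    baseline = build_baseline(EVENTS, learn_windows=6)
    print("baseline:", baseline)
    print("alerts in window 6:", detect(EVENTS, baseline, window=6))
```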

At the same time, in order to prevent illegal API calls, Ruishu API Security Management Platform (API BotDefender) obtains API authentication and authorization data from the API gateway to prevent unauthorized API calls and ensure that the API interface can only be accessed by legitimate users.

In general, compared with traditional API security solutions, Ruishu API Security Management Platform (API BotDefender) emphasizes the improvement of API security protection capabilities, and implements full-process API security threat protection from API access clients to API servers based on behavioral analysis. Its advantages are also very obvious:

Fully automatic API discovery

The "Discover Module" of Ruishu API Security Management Platform (API BotDefender) can quickly and automatically discover APIs and give clear identification for the discovered APIs; at the same time, it displays a clear API list, so that the access status of the API interface is clear at a glance.

Building an API Profile

Ruishu API Security Management Platform (API BotDefender) applies full-process security threat protection technology, which supports the accurate construction of API profiles; through these profiles, you can quickly preview the API status of each business line, including usage, abnormal situations, access sources, and so on.

API Omnichannel Awareness

Provides various SDKs to facilitate integration with various API source applications, and can perceive the source environment and user behavior.

Dynamic response protection

Dynamic response protection can be applied based on the results of behavioral analysis or on specified conditions, making it harder for attackers to reverse-engineer the protection or to analyze it with machine learning.

In addition, the deployment of Ruishu API Security Management Platform (API BotDefender) is very flexible, supporting software, hardware and cloud deployment, which greatly reduces deployment, management and maintenance costs. At the same time, it consumes few resources, does not affect the normal operation of the server, and can be deployed without any changes to the application.

At present, thanks to its technical strength and protection capabilities, Ruishu Information's products have been successfully deployed in the three major industries of finance, government, and telecom operators. The "Ruishu API Security Management Solution" won the "2021 Financial Industry New Technology Application Innovation Outstanding Contribution Award", which shows that industry customers fully recognize Ruishu's capacity for technical innovation and the effectiveness of its products. Today, as API security becomes increasingly important, API security products such as Ruishu API BotDefender, with advanced protection strategies and innovative technologies, can better help enterprises deal with unknown threats, keep APIs under control, and ensure the normal and efficient operation of the business.
