Last year, attacks using vulnerabilities in applications and application protocol interfaces reached record highs, according to security company Akamai in its new State of the Internet report. The firm said several common vulnerabilities and CVEs — common vulnerabilities — persisted last year on the heels of the well-known Log4Shell, ProxyNotShell, Spring4Shell and Atlassian Confluence remote code executions. The company pointed out that the inclusion of API vulnerabilities in the Open Web Application Security Project’s upcoming API Security Top 10 release reflects growing awareness of API security risks.
Content delivery network and cloud services provider Akamai, which recently acquired API security firm Neosec in a deal expected to close in the next two weeks, is joining the API security ecosystem. The strategy is one that Rupesh Chokshi, the senior vice president and general manager of application security at Akamai, said puts the company in a hyper-competitive and hyper-fragmented vertical.
“There are lots of players in this space and a different angle everyone is taking,” Chokshi told TechRepublic at Akamai’s booth at the RSA conference in San Francisco. “What we need to do as an industry is more centralization of education: what are the threat vectors, the attack surfaces, how are adversaries attacking. A lot of the customers’ questions have been around discovery and visibility.”
Visibility and depth are key
“The journey is simple for the customer,” said Chokshi. “The journey starts with ‘give me visibility, discovery, alerts and can you go deeper into my application types, and provide more inline protection: can you help me fight the attack, shut it down and protect it?’ What I find interesting is when I talk to customers, in general, API management, traction, tooling and security constitutes a massive space where customers are looking for how to keep up, maintain my inventory and understand my applications. How do I know which ones are even within my data center, because the whole architecture is modular, with microservices, a lot of cloud native apps. With digital transformation, we are continuing to be in an even more connected economy and the whole supply chain is heavily digitized and dependent on APIs.”
API threats grow with API volume
Akamai noted companies use an average of 1,061 apps and, to give a sense of the scope of attacks, noted that there were 161 million API attacks on Oct. 8, 2022 and peaked on Oct. 9. Akamai’s report attributed growth in attacks to faster app development lifecycle and production cycle. Indeed, as Akamai noted, an Enterprise Strategy Group survey reported that nearly half of organizations said they release vulnerable apps into production because of time constraints.
The company reported an increase in the accidental release of vulnerabilities, with one in 10 vulnerabilities in the high or critical category found in internet-facing applications. In addition, the number of open-source vulnerabilities like Log4Shell doubled between 2018 and 2020, with attacks in many cases beginning within 24 hours of vulnerability release.
Attack vectors in 2023
Akamai’s report asserted that local file inclusion, or LFI, a vulnerability due to programmer error, is the vector driving the most growth in web application and API attacks, as it is used by adversaries mainly for reconnaissance or to scan for vulnerable targets. The report said that LFI vulnerabilities sometimes let attackers obtain log file data that could help them breach deeper parts of the network.
According to the report, these were the major API risks:
- There were 14 million server-side request forgery, or SSRF, attempts daily against customer web applications and APIs last year.
- Because of open-source vulnerabilities like Log4Shell, Akamai predicts growth in server-side template injection, or SSTI, techniques that allow remote code execution by injecting code into a template.
- Attacks on medical IoT devices grew 82% last year, and Akamai said it expects that trend to continue.
“As we continue to be in an even more connected economy, the API is the link that needs to be looked at heavily. A lot of these transactions are high velocity. At high pace, you want that infrastructure to work,” Chokshi said.
A November 2022 report from consultancy Gartner noted that the explosive growth of APIs is expanding that attack surface, giving malicious actors new breach and data exfiltration opportunities. It noted that the wide dispersion of APIs and their lack of homogeneity challenges a defense-in-depth approach to security. “This is being driven by modern application architecture, development, deployment and integration patterns,” the report noted.
The report also suggested that less mature organizations have less visibility into their API surfaces because they lump API security into general web application security and therefore invest in firewalls, DDoS protection and other types of general perimeter protection. “This naive approach prevents them from fully understanding and securing their API landscape,” the report stated.
Chokshi said because of the sheer volume of data traveling across APIs, security requires the application of AI-powered analytics.
“It’s difficult to know how much of that traffic constitutes a threat, and that is where the detection secret sauce comes into play, a combination of machine learning, AI models and behavior analytics. The processing power you need is significant because you want to take billions of transactions, sift through it and identify issues and quickly alert customers. That’s where the industry has evolved and focused on innovation,” he said.
Gartner, in its report on tackling API security, recommends to:
- Catalog and classify APIs, both internal and external, to inform a proper risk assessment and enable engagement with API owners and delivery teams.
- Assess risk based on various API characteristics including data sensitivity, business criticality, and customer impact.
- Fill gaps in web applications and API protection to improve API security.
- Implement continuous discovery of APIs and integrate with API management platforms to ensure consistent visibility.
- Integrate API security into the software development life cycle to create a security-conscious culture and processes.
- To that end, work with software engineering teams to enable self-service API specification validation, API security testing and catalog registration.
- Establish a community of practice to build awareness and help establish shared responsibility and accountability for security throughout the API life cycle.
Akamai launches anti-phishing mirror-site detector
At RSA, Akamai launched Brand Protector, a new platform designed to thwart traffic to fake websites using stolen brand assets.
The company said Brand Protector addresses the problem of fraudulent impersonations with a four-step approach, comprising:
- Intelligence from analysis of over 600 TB of data a day, both from Akamai’s network and third-party data feeds for holistic visibility.
- Detection of brand abuse through live traffic (rather than delayed feeds and lists) tracing ideally before a phishing campaign begins.
- Single-dashboard visibility delivered in real-time with findings ranked by threat score with a confidence score, severity rating, number of affected users and a timeline of attack events.
- Mitigation capabilities through the ability to issue takedown requests of the abusive site within the user interface, attaching the detection’s evidence and supporting details for ease of use.
“The technical teams we have, innovation from our Tel Aviv office, actually allows us to see that the bad guys are actually going to the real websites to pull objects — logos and images — as the webpage is rendering. We saw traffic going to these fake websites, we saw information being pulled to create them, and end user traffic going to them,” said Chokshi.
Keep moving or sink
Choksi said that adversaries line up like “pilot fish” to spoof the websites of brands often timed around customer events. “We see customers we serve running promotions to generate traffic, and adversaries spin up phishing websites to pull that traffic. It happens all the time,” he said.
“What motivates our security teams and researchers is figuring out what the adversaries are up to today. ‘What are my signal points? How do I connect those data points and feel confident I’m onto something?’ It requires a very special talent, and conviction, and cybersecurity is one of those fields where continuous learning is very important. You have to keep moving and advancing,” he added.