Codementor Events

API Security Best Practices: Protecting Against APT Attacks

Published Dec 04, 2019

Application Program Interfaces (APIs) are a key component of building applications, as they open a communication channel that enables integration with other applications and services. Unfortunately, this open nature of APIs creates a challenge in the form of additional security risks. APIs increase the attack surface, which is why it’s crucial to apply security controls.

In this article, we’ll explain the basics of APIs, and provide you with several security practices you can apply to maximize API security.

What Is an API?

An Application Program Interface (API) consists of a number of protocols, routines, and tools developers use to build applications and interact with another system. An API defines how different applications should interact with each other.

An API helps developers avoid writing code from scratch by standardizing instructions and commands for common operations. Developers often use APIs when designing Graphical User Interface (GUI) components. For example, the Windows API provides elements such as windows and scroll bars for the user interface in Windows.

APIs improve collaboration between IT teams by simplifying how programmers integrate new components into existing architectures. Cloud-native applications are based on connecting microservices application architecture via APIs.

REST vs SOAP

There are two approaches for implementing APIs—SOAP and REST:

  • Simple Object Access Protocol (SOAP) — a messaging protocol, formatted in XML, for exchanging information between computers. SOAP messages are usually sent over Hypertext Transfer Protocol (HTTP). The messages are compatible with different protocols and operating systems.
  • Representational State Transfer (REST) — obtains data from, and operates on, remote computer systems using Hypertext Transfer Protocol Secure (HTTPS). It achieves secure communication by supporting Secure Sockets Layer (SSL), Machine Learning (ML), encryption, and signatures.

REST simplifies transferring data over the internet by using the JSON standard to handle API payloads. SOAP requires requests to be routed in order to work with a local web service, whereas REST handles HTTP requests without repackaging the data.

Security Threats for APIs

APIs are often viewed as easy targets. Threat actors use the API’s infrastructure and documentation to gather information. APIs often serve as an entry point from which actors can launch further attacks.

Here are some examples of what threat actors can achieve when breaching an API:

  • Attacks on authentication — hackers use login systems to access the digital assets connected to the APIs. Some attackers use brute force or credential stuffing attacks to get a foot in the door, then exploit new vulnerabilities as they work their way inside the network. This kind of attack can also be used to prevent users from logging in, disrupting service, and to gather the information needed to launch an APT attack.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) — this attack involves overloading the API by sending multiple requests at once. Sometimes traffic limits alone cannot prevent a service disruption. The actors increase the number of clients sending traffic at normal volumes. A solution for this could be limiting the number of requests in a given time interval.
  • Phishing schemes — actors send emails or app links to an individual user. They do this to introduce malware or to trick users into divulging information or money. For example, the malicious app poses as a legitimate one, allowing the attacker to get a new token on behalf of the user. Then, the attacker can use it to extract, delete or modify data.
  • Man-in-the-middle (MITM) attack — occurs when an attacker interferes with the communication between the parties involved. Attackers use MITM attacks to gain access to a user account and steal personal information, such as login or credit card data.
  • API injections — this attack consists of inserting malicious code into a software program. Examples of API injections are cross-site scripting and SQL injection.
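The SQL injection case in the list above, shown as an added example written for this edit (not code from the original article): the same user lookup in its vulnerable form, where the caller's value is concatenated into the SQL text, next to its hardened form, where the value is bound as a query parameter, plus an input allow-list as a second layer. The SQLite table, its two rows and the `find_user_*`/`lookup` names are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data for the demo; not from the article.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # Vulnerable form: the caller-supplied value becomes part of the SQL text,
    # so a quote character in it changes the structure of the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Hardened form: the SQL text is fixed and the value travels separately as
    # a bound parameter, so it can only ever be compared as data.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


_NAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def validate_name(name):
    # Defence in depth: reject anything outside the expected shape before it
    # reaches the database at all. Returns True when the value is acceptable.
    return isinstance(name, str) and _NAME_RE.match(name) is not None


def lookup(conn, name):
    """Endpoint-style wrapper: validate the input, then use the parameterised query."""
    if not validate_name(name):
        return None  # the caller maps this to an HTTP 400 response
    return find_user_safe(conn, name)
```

The parameterised query is the actual fix; the allow-list only narrows what reaches the database and would not be enough on its own. The cross-site scripting case mentioned in the same bullet has the analogous remedy on the output side: encode values for the context they are rendered into (for HTML, `html.escape`) instead of concatenating them into markup.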

What Is an APT Attack?

An Advanced Persistent Threat (APT) is a prolonged cyber attack. The attackers gain access to a target system and remain hidden for a long period of time.

Usually, the goal of an APT is stealing sensitive data. Often attackers will use advanced attack methods such as exploiting zero-day vulnerabilities and spear phishing. Once they enter the network, they will lurk inside, monitoring and extracting data. They can rewrite malicious code to avoid being detected.

How does an APT attack work?
Attackers conducting an APT usually follow six steps:

  1. Access the target — attackers enter the network via the Internet or an application vulnerability, aiming to insert malicious software into the targeted API.
  2. Use the access point as a foothold — the attackers use malware to conduct reconnaissance and create access tunnels for later use.
  3. Spread the net — next, the attackers focus on gaining control and getting deeper into the network. They usually do it by hacking an administrator password. This allows them to move laterally, accessing other servers.
  4. Prepare the attack — at this stage, the attackers prepare to extract data.
  5. Harvest — they start extracting the targeted data and sending it to their system.
  6. Lurk — the attackers remain inside the network, continuing with the data extraction until detected. The attackers can also create a backdoor to come back when they want.

Some strategies to protect from APT attacks include:

  • Multilayer defense strategy — including several defense layers for maintaining a strong security posture.
  • Use Breach and Attack Simulation — modeling attacks can detect vulnerabilities and recommend a course of action, thus improving security.
  • Use threat intelligence — installing a threat intelligence solution can help you take a proactive approach to identify security threats.

API Security Best Practices

There are a number of best practices you can use to secure your API. Below, you’ll find a review of the most popular best practices, and the proper implementation steps.

Authentication and authorization
You should determine the identity of a user (authentication) and then what assets or resources the user can access (authorization). You should scan payloads and validate API schemas to prevent attacks such as parser attacks or code injection. You can protect endpoints by requiring a token on API calls, which lets you validate each query.
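To make that ordering concrete, here is an added example (written for this edit, not code from the article) of a request handler that first authenticates with an HMAC-signed bearer token, then authorizes on a scope claim, and only then parses and validates the JSON body against a strict schema. The token layout, the `orders:write` scope, the `CREATE_ORDER_SCHEMA` fields and the signing key are all constructed for the demo; a production API would normally use a standard token format with proper key management rather than this hand-rolled one.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads this from a secrets store.
SERVER_KEY = b"demo-signing-key-change-me"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, expires_at, key=SERVER_KEY):
    """Create a token '<base64 claims>.<base64 HMAC-SHA256>' carrying subject, scopes, expiry."""
    claims = {"sub": subject, "scopes": sorted(scopes), "exp": int(expires_at)}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token, now, key=SERVER_KEY):
    """Return the claims if the signature and expiry check out, otherwise None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    # Constant-time comparison so signature checking leaks no timing information.
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


# Schema for the demo endpoint: field -> (expected type, max length or None).
# Anything not listed here is rejected rather than silently accepted.
CREATE_ORDER_SCHEMA = {"sku": (str, 32), "quantity": (int, None)}


def validate_payload(payload, schema=CREATE_ORDER_SCHEMA):
    """Return a problem description, or None when the payload matches the schema exactly."""
    if not isinstance(payload, dict):
        return "body must be a JSON object"
    unknown = set(payload) - set(schema)
    if unknown:
        return "unexpected fields: " + ", ".join(sorted(unknown))
    for field, (ftype, max_len) in schema.items():
        if field not in payload:
            return "missing field: " + field
        value = payload[field]
        # bool is a subclass of int in Python, so exclude it explicitly
        if not isinstance(value, ftype) or isinstance(value, bool):
            return "wrong type for " + field
        if max_len is not None and len(value) > max_len:
            return field + " too long"
    if payload["quantity"] <= 0:
        return "quantity must be positive"
    return None


def handle_create_order(headers, raw_body, now, key=SERVER_KEY):
    """Authenticate, authorize, then validate, in that order. Returns (status, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    claims = verify_token(auth[len("Bearer "):], now, key)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    if "orders:write" not in claims.get("scopes", []):
        return 403, {"error": "insufficient scope"}
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    problem = validate_payload(payload)
    if problem:
        return 400, {"error": problem}
    return 201, {"order": payload, "owner": claims["sub"]}
```

The body is not even parsed until the caller has proven who it is and that it may write orders, which keeps parser bugs out of reach of unauthenticated traffic; the schema check then rejects extra fields and wrong types instead of letting them flow into business logic.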

Give secure error messages
Don’t provide authentication clues in error messages; actors can use them to breach the system. For example, if the username is correct but the password is wrong, don’t say so in the error message. Instead, display a message such as “the username/password combination does not match”.
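An added example of that advice in code (written for this edit, not from the article): a login check that returns the single generic message from the paragraph whatever went wrong, and that also does the same amount of password-hashing work for unknown usernames, so response timing does not reveal which accounts exist either. The in-memory user store, the demo password and the PBKDF2 parameters are constructed for the example; the leaky variant is kept only for contrast.

```python
import hashlib
import hmac
import os


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Demo parameters."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed in-memory user store (username -> (salt, digest)); a real service
# would read this from its database. The password is a demo value.
USERS = {"alice": hash_password("correct horse battery staple")}

# Hashing a dummy password for unknown usernames keeps the work (and so the
# response time) the same whether or not the account exists.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("placeholder-not-a-real-password")

GENERIC_ERROR = "the username/password combination does not match"


def login(username, password):
    """Return (success, message). The message never says which part was wrong."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, candidate = hash_password(password, salt)
    # compare_digest runs in time independent of where the digests differ.
    matches = hmac.compare_digest(candidate, stored)
    if not matches or username not in USERS:
        return False, GENERIC_ERROR
    return True, "ok"


def login_leaky(username, password):
    """The mistake the article warns against, kept for contrast: each branch
    returns a different message, so responses reveal which usernames exist."""
    if username not in USERS:
        return False, "unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt)[1], stored):
        return False, "wrong password"
    return True, "ok"
```

The same principle applies to status codes and response sizes: an endpoint that answers 404 for unknown users and 401 for wrong passwords has leaked the distinction even if both bodies carry the generic text.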

Encrypt everything
Encryption consists of converting data into an unrecognizable form by scrambling it. To read the file, you need to use a decryption mechanism, which can be a password or a private key. This practice should be enforced with data in transit and at rest. Encrypting credentials in transit ensures that attackers cannot use them.

Implement resource quotas
You can prevent DDoS attacks by setting up traffic limits. This can help you prevent actors from overwhelming the API with traffic volume. You can set monthly quotas or bandwidth limits, such as requesting a password when trying to send a certain traffic volume.
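As an added example for this section (written for this edit, not code from the article), here is a per-client limiter that combines the two controls the paragraph mentions: a token bucket that caps how fast any one client may call in the short term, and a fixed-window quota (for instance per month) on top of it. The client key, the numbers used in the usage example and the `FakeClock` used to drive it deterministically are constructed for the demo; a deployment would pass `time.monotonic` instead and keep the counters in shared storage so that all API nodes see the same totals.

```python
import math


class FakeClock:
    """Injectable clock so the limiter can be exercised deterministically;
    a deployment passes time.monotonic instead."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class RateLimiter:
    """Per-client token bucket (burst control) plus a fixed-window quota
    (e.g. requests per month) on top of it."""

    def __init__(self, rate_per_sec, burst, quota, quota_window_sec, clock):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.quota = quota
        self.window = quota_window_sec
        self.clock = clock
        self._bucket = {}   # key -> (tokens, last_refill)
        self._usage = {}    # key -> (count, window_start)

    def allow(self, key):
        """Return (allowed, retry_after_seconds); retry_after is 0 when allowed."""
        now = self.clock()
        count, start = self._usage.get(key, (0, now))
        if now - start >= self.window:          # quota window rolled over
            count, start = 0, now
        if count >= self.quota:                 # long-horizon quota exhausted
            self._usage[key] = (count, start)
            return False, int(math.ceil(start + self.window - now))
        tokens, last = self._bucket.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1.0:                        # burst exhausted
            self._bucket[key] = (tokens, now)
            return False, int(math.ceil((1.0 - tokens) / self.rate))
        self._bucket[key] = (tokens - 1.0, now)
        self._usage[key] = (count + 1, start)
        return True, 0


def client_key(headers, remote_ip):
    """Limit per API key when the caller presents one, otherwise per source IP."""
    api_key = headers.get("X-API-Key")
    return "key:" + api_key if api_key else "ip:" + remote_ip


if __name__ == "__main__":
    # Constructed walk-through: 1 request/s sustained, bursts of 3, 5 per hour.
    clock = FakeClock()
    limiter = RateLimiter(rate_per_sec=1.0, burst=3, quota=5, quota_window_sec=3600, clock=clock)
    key = client_key({"X-API-Key": "demo"}, "203.0.113.5")
    for _ in range(4):
        print(limiter.allow(key))   # three (True, 0), then (False, 1)
```

Returning the retry delay lets the API answer with HTTP 429 and a `Retry-After` header, so well-behaved clients back off instead of retrying immediately. Keying on the API key first matters because, as the paragraph notes, a distributed attack spreads normal-looking volume across many source addresses; per-key accounting still sees the aggregate.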

Don’t forget to audit
Logging and conducting periodic audits can help you maintain API security. You should use inspection tools to detect attacks. This is especially helpful for securing logging sessions against log injection attacks deployed by bots.
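An added example for this section (written for this edit, not code from the article) showing both halves of the advice: an audit logger that writes one structured JSON record per line and neutralises control characters so a caller cannot forge extra log lines, and a periodic check that runs over those lines to flag source addresses with repeated authentication failures. The record fields, the `auth_failure` event name, the documentation-range IP addresses and the sample lines are all constructed for the demo.

```python
import json
import re
from collections import Counter

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize(value, max_len=200):
    """Neutralise log injection: control characters (CR, LF, ESC, ...) that could
    forge extra lines or terminal escape sequences are rewritten as visible
    escapes, and the field is length-capped."""
    text = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), str(value))
    return text[:max_len]


def audit_record(event, client_ip, user, path, status, ts):
    """One JSON object per line. json.dumps escapes embedded newlines itself, so
    each record stays on exactly one line; sanitize() additionally keeps the
    stored field values readable and bounded."""
    rec = {
        "ts": ts,
        "event": sanitize(event),
        "ip": sanitize(client_ip),
        "user": sanitize(user),
        "path": sanitize(path),
        "status": int(status),
    }
    return json.dumps(rec, separators=(",", ":"), sort_keys=True)


def failed_logins_by_ip(lines, threshold):
    """Periodic audit check: source addresses with at least `threshold`
    authentication failures, the footprint of brute-force or credential-stuffing
    traffic. Unparsable lines are skipped rather than trusted."""
    counts = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if isinstance(rec, dict) and rec.get("event") == "auth_failure":
            counts[rec.get("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed sample audit trail, including one username that tries to
    # smuggle a fake "auth_success" line in through an embedded newline.
    sample = [audit_record("auth_failure", "203.0.113.5", "alice", "/login", 401, t) for t in (1, 2, 3)]
    sample.append(audit_record("auth_failure", "198.51.100.7", 'eve\n{"event":"auth_success"}', "/login", 401, 4))
    for line in sample:
        print(line)
    print(failed_logins_by_ip(sample, 3))   # {'203.0.113.5': 3}
```

Structured, one-record-per-line output is what makes the second function possible at all: a free-text log that an attacker can append lines to is exactly the log-injection problem the paragraph mentions, and it also defeats any tool that tries to count events in it.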

Wrap Up

Threat actors can discover API design errors or vulnerabilities and exploit them, and then use the API to steal data or launch another attack. Failure to protect an API can result in millions of dollars in lost data, compliance fines, and reputational damages. You can prevent these disasters from happening by adhering to best practices and using API tools.

Discover and read more posts from Eddie Segal