APIs put corporate networks at acute, unprecedented risk – a dynamic that organizations don’t yet need to fully appreciate.
Related: The ‘SASE’ framework extends security to the edge of the network
However, APIs are sure to get a lot more attention in 2022 from security teams – and board members concerned about mitigating cyber risk. This is because a coincidence of developments in 2021 put API security in the spotlight where it is needed to be.
APIs have emerged as the tool of choice for threat actors in the early stages of complex, tiered network attacks. After attacking a target device or server, attackers now quickly turn their attention to locating and manipulating available APIs.
“Threat actors have recognized that APIs are a lot of unprotected opportunities,” said Mike Spanbauer, security expert at Juniper Networks, a network technology provider based in Sunnyvale, California.
In the past year, I have had several intense conversations about how APIs have developed as a double-edged sword: APIs accelerate digital transformation, but also significantly expand the attack surface of modern corporate networks. I have dealt in depth with Spanbauer as well as with experts from various providers of advanced API security systems. Here are my key takeaways:
A big reason APIs aren’t getting the attention they deserve could be because, for security reasons, they fall into a category of hacking tactics known as Living off the Land or LotL. This is the case when intruders use preinstalled operating system tools to evade detection while performing unauthorized tasks.
LotL tactics are not particularly well understood by non-technical business decision makers; They are just one of several categories of nuanced security risks that have long required more attention. But LotL’s tactics have had a profound negative impact; There are more than 100 Windows system tools designed to execute fresh code in critical systems – at the behest of any user with privileged access. And threat actors have put together thick playbooks on how to secretly obtain privileged access rights and then take control of integrated network tools.
It seems to me that attackers are essentially using APIs as an integrated tool for steroids. The core functionality of an API is to act as a conduit for moving data back and forth in our digitally transformed world. APIs are an access mechanism that is used across the board of digital commerce – not just within Windows systems.
APIs are nodes to the paths that connect users to cool new apps, which in turn access virtual databases that are in turn located in the cloud-powered IT infrastructure. In addition, APIs are intended to help connect widely dispersed users with digital assets that are widely distributed across a conglomerate of local data centers and multiple cloud services. Legacy security architectures simply do not fit into this massively complex, highly dynamic environment.
Somehow, APIs need to be given more attention and security processes center stage without sacrificing their usefulness. “In recent years, threat actors have stepped up their advanced tactics to find API weaknesses and exploit them,” says Spanbauer. “That means we need to get smarter on the protection side of the equation to use technology to help organizations address this very complex security challenge.”
The kingpins of the top criminal hacking collectives are not dummies. As security teams have struggled to find their way forward over the past few years, they are using their hacking teams to take advantage of the growing number of APIs within their reach.
These key players know that it will be some time before organizations can effectively raise the level of API security. So, they’ve kept their hacking teams busy using APIs as channels to move sideways into attacked networks, locate valuable assets, steal data, and embed malware.
Attack Chain Multiplier
Malicious API activity is now routinely included in the early stages of almost every multi-stage hack. For example, API manipulation was critical in accelerating the milestone attacks against Capital One, Solar Winds, Colonial Pipeline, Kaseya, Microsoft Exchange, and more.
“The clever villains use APIs as another, albeit powerful, infection vector,” says Spanbauer. “APIs come into play in the first phase of a tiered attack. As soon as the villain enters that first door, he can encrypt and compress a series of files or detailed data via an API in order to send them out or to look for an opportunity to further extend his compromises. “
The Microsoft hack last spring clearly shows how APIs have quietly become a critical link in the cyber attack chain of hackers. In early March, Microsoft publicly announced that a Chinese hacking ring, Hafnium, had exploited a number of zero-day vulnerabilities in Exchange Server to gain full and unrestricted access to targeted corporate networks. Microsoft has also released an emergency patch for Exchange Server, the time-honored local email system that is still widely used around the world.
Then, in the next few days, unpatched Exchange servers were breached at around 30,000 US and 60,000 German companies. This was the work of around 10 hacking rings that went into action the moment Microsoft released its patch. These criminal rings quickly reconstructed Microsoft’s patch and then attempted to compromise as many unpatched Exchange servers as possible.
After every successful compromise of Exchange Server, the attackers’ next step has been to manipulate APIs to penetrate deeper. This report, compiled by Cybereason security analysts, describes how a ring, the controllers of the Prometei botnet, used native APIs to take control of several Windows system tools. This allowed the attackers to quickly install a cryptocurrency botnet, steal credentials, and look for other unpatched vulnerabilities in order to exploit them.
“APIs represent a huge new attack vector that is much larger than people are aware of,” observes Spanbauer. “And since users don’t interact with APIs in the same way they interact with applications, there is a significant visibility challenge. . . A lot of malicious API activity happens well under the radar. “
Reversal of the pendulum
The way forward seems obvious to the cybersecurity vendors I spoke to over the last year about API exposures. Organizations just need to be more transparent about their APIs and start enforcing smarter security policies designed to slow down malicious tampering. Security tools and frameworks need to be fine-tuned to take into account all APIs and be on the highest alert for any unauthorized API activity.
Spanbauer remarks: “We need to develop our skills in order to support organizations faster and more effectively in mastering this complex new challenge. Knowing something bad has happened is harder than ever with applications. . . For this reason, more than ever, we have to rely on advanced analysis and visibility tools. “
The good news is that this shift is in earnest, even though, like anything else in cybersecurity, the improvement in material won’t happen overnight. This summer Gartner identified API security as a separate pillar in its security reference architecture and not just as an add-on component for other systems.
The Gartner recognition heralds the birth of a new sub-specialty in cybersecurity – a class of vendors focused on helping companies validate their APIs, both as they develop and deploy new APIs in the field.
For its part, Juniper Networks sees greater API visibility and improved real-time management of APIs as an integral part of its broader Connected Security strategy. As a leading provider of advanced routers, switches and network management systems, the company has put together a comprehensive portfolio of network security services to serve as the foundation for this strategy.
At a high level, Juniper Connected Security is calling for organizations to keep track of critical assets much more closely and become much more adept at developing and enforcing policies that improve security without compromising the user experience. This can be achieved by more skillfully applying machine learning to the data streams that flood into and through modern corporate networks every day, says Spanbauer.
“As the API attack vector increases, so does the protection,” he says. “The threat actors see the potential of APIs as an attack tool and continue to develop their capabilities. We continue to invest in our next generation firewall and cloud-based security features to counter this trend. And we strive to use every tool in our arsenal to protect our customers. “
API exposures are ubiquitous and keep increasing. At the beginning of the new year, criminal hacking rings are taking full advantage of their advantages. However, the pendulum will now reverse direction and swing in favor of safer design and use of APIs. I will continue to observe and report.
Pulitzer Prize-winning business journalist Byron V. Acohido aims to raise public awareness of how to make the Internet as private and secure as it should be.
(LW offers advisory services to the providers we cover.)
*** This is a syndicated blog from The Last Watchdog’s Security Bloggers Network, written by bacohido. Read the original article at: https://www.lastwatchdog.com/my-take-why-companies-had-better-start-taking-the-security-pitfalls-of-api-proliferation-serious/