Using behavior analysis to solve API security problems
When people think about complex security challenges, airport security might be the most familiar. The scope of challenges and implications of breaches are daunting.
This is especially true when you consider the distributed nature of the airport system, with an estimated 2 million travelers entering the system daily from multiple airports across the US. All travelers present valid tickets, and each may carry multiple pieces of baggage that need scanning. At the same time, the customer experience is important; there is a limit to how much latency from security checkpoints travelers will tolerate.
Interestingly, every CIO faces a similar conundrum. Within many large organizations, tens to hundreds of millions of API requests are served daily, each with valid credentials, just like those of airport passengers. Each request carries different payloads, just like each passenger’s unique set of luggage.
Similar to airports, every enterprise has a multitude of entry points, including web apps, mobile apps, and partner integrations. The CIO also should be mindful of the expectation of low latency and continuous uptime, to provide the best customer experience and remain competitive.
Like a traveler going through airport screening, every incoming client credential is validated on every request to enterprise systems, and every payload is scanned for XML bombs, SQL injection, malformed or deeply nested data structures, and the like. However, just as terrorists do not carry terrorist ID cards, hackers do not sign API requests with “hacker credentials.” Malicious API requests often arrive with stolen API keys or with credentials acquired on the black market. Unfortunately, a stolen key is still the real key, and password reuse means credentials leaked from one site often work on another, so these black market credentials are frequently valid.
So, turning back to airports, how do you stop seemingly valid travelers, with valid tickets and credentials, who have bad intent?
In the last few years, the US Transportation Security Administration (TSA) has been trying to emulate Israeli airport behavior detection techniques, an effort to learn passenger behavior in order to pick out “bad actors” among a sea of “valid travelers.” Likewise, behavior evaluation is essential at the API tier to detect attackers who use stolen keys and credentials to masquerade as a valid mobile app or partner.
In this technique, rules and algorithms continuously evaluate client sessions:
- How are the clients behaving?
- What are they doing?
- Do they have repeated short sessions?
- Are there unusual error rates or repeated behaviors within certain timeframes?
- Are clients iterating through requests to harvest data or scan for weaknesses?
Just as we can use machines to identify cats in videos, we can use machines to observe the behaviors of API clients to identify suspicious behaviors—and block them. Numerous approaches to stop various malicious behaviors exist today, but a machine-based approach needs to be properly focused, trained, and tuned to be effective. Technologies and approaches that work for the network or the web do not automatically work for APIs. Hackers are smart. They realize repeated attempts to break into your systems are easy to stop, so they rotate their attempts across a large set of bots and try to “hide” in the sea that is your customer traffic.
To successfully detect bad behaviors, it is critical that a behavior detection system understands API traffic.
- What is an API key?
- What is an access token?
- What is the request context of this payload?
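The questions in the two lists above translate directly into rules that run over API traffic grouped by credential. Below is an added example, not code from the original post or from any vendor product, of a minimal rule engine that parses access-log lines, groups requests by API key into sessions, and checks for repeated short sessions, high error rates (scanning) and sequential ID iteration (data harvesting). The log format, the key names, the sample traffic and every threshold are assumptions chosen for illustration.

```python
"""Score API clients by what they do, not by whether their credential is valid.

Added example (not from the original post). Log format, key names and
thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import re
from typing import Dict, List

# Constructed sample access log (not real traffic), one request per line:
# <unix_ts> <api_key> <method> <path> <status>
SAMPLE_LOG = """\
1000 key-mobile-01 GET /v1/users/42/profile 200
1002 key-mobile-01 GET /v1/users/42/orders 200
1005 key-mobile-01 POST /v1/users/42/orders 201
1900 key-mobile-01 GET /v1/users/42/profile 200
1903 key-mobile-01 GET /v1/users/42/orders 200
2000 key-partner-77 GET /v1/users/1001 200
2001 key-partner-77 GET /v1/users/1002 200
2002 key-partner-77 GET /v1/users/1003 200
2003 key-partner-77 GET /v1/users/1004 200
2004 key-partner-77 GET /v1/users/1005 200
2005 key-partner-77 GET /v1/users/1006 200
3000 key-bot-13 GET /v1/admin 404
3001 key-bot-13 GET /v1/.env 404
3500 key-bot-13 GET /v1/admin/users 401
3501 key-bot-13 GET /v1/debug 404
4000 key-bot-13 GET /v1/config 404
4001 key-bot-13 GET /v1/internal 404
4500 key-bot-13 GET /v1/backup 404
4501 key-bot-13 GET /v1/export 401
"""

# Assumed thresholds; a real deployment tunes these per API and per client class.
SESSION_GAP_SECS = 300        # idle time that separates two sessions of one key
SHORT_SESSION_SECS = 10       # a session shorter than this counts as "short"
MIN_SHORT_SESSIONS = 4        # this many short sessions is suspicious
MIN_REQUESTS_FOR_ERROR_RATE = 5
ERROR_RATE_LIMIT = 0.5        # >= 50% 4xx/5xx looks like scanning
ENUM_RUN_MIN = 5              # this many consecutive IDs looks like harvesting

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")
ID_RE = re.compile(r"/(\d+)(?=/|$)")   # numeric path segments, e.g. /users/1001


@dataclass
class Request:
    ts: int
    api_key: str
    method: str
    path: str
    status: int


def parse_log(text: str) -> List[Request]:
    """Parse the assumed log format; reject anything malformed instead of guessing."""
    reqs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, key, method, path, status = m.groups()
        reqs.append(Request(int(ts), key, method, path, int(status)))
    return reqs


def sessionize(reqs: List[Request], gap: int = SESSION_GAP_SECS) -> List[List[Request]]:
    """Split one client's requests into sessions separated by idle gaps longer than `gap`."""
    sessions: List[List[Request]] = []
    for r in sorted(reqs, key=lambda r: r.ts):
        if sessions and r.ts - sessions[-1][-1].ts <= gap:
            sessions[-1].append(r)
        else:
            sessions.append([r])
    return sessions


def longest_consecutive_run(ids) -> int:
    """Length of the longest run of consecutive integers, e.g. 1001..1006 -> 6."""
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def score_client(reqs: List[Request]) -> Dict[str, object]:
    """Evaluate one credential's behavior and return the rules it tripped."""
    sessions = sessionize(reqs)
    short = sum(1 for s in sessions if s[-1].ts - s[0].ts < SHORT_SESSION_SECS)
    error_rate = sum(1 for r in reqs if r.status >= 400) / len(reqs)
    id_run = longest_consecutive_run(int(i) for r in reqs for i in ID_RE.findall(r.path))
    flags = []
    if short >= MIN_SHORT_SESSIONS:
        flags.append("repeated-short-sessions")
    if len(reqs) >= MIN_REQUESTS_FOR_ERROR_RATE and error_rate >= ERROR_RATE_LIMIT:
        flags.append("high-error-rate")
    if id_run >= ENUM_RUN_MIN:
        flags.append("sequential-id-enumeration")
    return {"requests": len(reqs), "sessions": len(sessions), "short_sessions": short,
            "error_rate": round(error_rate, 2), "id_run": id_run, "flags": flags}


def analyze(log_text: str) -> Dict[str, Dict[str, object]]:
    """Group requests by API key (the credential) and score each client."""
    by_key: Dict[str, List[Request]] = defaultdict(list)
    for r in parse_log(log_text):
        by_key[r.api_key].append(r)
    return {key: score_client(reqs) for key, reqs in by_key.items()}


if __name__ == "__main__":
    for key, report in analyze(SAMPLE_LOG).items():
        verdict = "BLOCK" if report["flags"] else "allow"
        print(f"{key:15} {verdict:5} {report}")
```

All three credentials in the sample are valid, yet only the mobile app passes: the partner key is reading user records in ID order, and the bot key produces nothing but short bursts of 401/404 probes. Note that the grouping key here is the API key, which is exactly what an attacker rotating across many stolen keys is counting on; a production system also correlates by access-token subject, client IP or network, and device or app fingerprint, which is why the engine has to understand what an API key and an access token actually are rather than treating them as opaque strings.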
While the jury is still out on whether behavior detection will work for the TSA, the increasing sophistication of hackers should be met by increasing sophistication of API security systems, namely using algorithms to detect and stop unwanted behavior of API clients and help keep APIs safe.