Deep Dive: Protecting API-Based Applications From Automated Bot Attacks
Subbu Iyer
Agenda
• Deconstructing API Security Attacks
• How to Detect and Block Automated API Attacks
• Cequence Security – Product Demo
• Q&A
APIs Rule The World
Drivers: Public Facing Apps, Microservices, Ecosystem Expansion, New Development Methods
Diagram: mobile, web, direct-to-API and IoT clients all reach data center APIs for everyday functions (Shop, Login, Purchase, Check Miles, Register, Redeem Points, Find a Partner, Pay Bills, Join a Group, Share & Comment).
Mobile Applications More Heavily Targeted in Financial Services
• More than 70% of the attack traffic across Bulletproof Proxy networks targeted mobile endpoints
• 27% of applications hard-code API keys and private certificates in the apps or store them in files on the file system*
• 83% of web traffic is API-based; 17% is HTML
– Smartphones & other devices represent 66% of all API traffic vs. all mobile browsers at 27%**
* Source: Aite Group report: The Devil in the Details: The Vulnerabilities in 30 Financial Services Mobile Apps
** Source: Akamai 2019 State of the Internet Report
Automated Attack Components
• Tools: Code bad actors use to execute the attack
• Credentials: User information regularly refreshed via data breaches
• Infrastructure: Enable anonymous, large scale attack distribution
• Behavior: How bad actors react when discovered, blocked
Public Facing Applications are Attack Targets
Bad Actors Leverage API Benefits of Automation, Flexibility & Ease of Use
Diagram: the automated attack components (attack toolkit, stolen credentials, attack infrastructure, behavior) are aimed at the same mobile, web, direct-to-API and IoT paths into the data center APIs (Shop, Login, Purchase, Check Miles, Register, Redeem Points, Find a Partner, Pay Bills, Join a Group, Share & Comment).
Ramifications: Fraud and/or Theft
Attacks are Highly Automated, Appear Legitimate
• Business Logic API Abuse
• Account Takeover
• Fake Account Creation
• Site Scraping
• Automated Shopping Bots
• Gift Card Theft
• Reputation Manipulation
• Denial of Inventory
Diagram: the automated attack components (attack toolkit, stolen credentials, attack infrastructure, behavior) drive these outcomes across the mobile, web, direct-to-API and IoT channels.
Fortune 100 Financial Services Company: Mobile API & Funds Theft Attack
1. Account takeover attack directly against the mobile app login API (mobile.acmefsi.com/login/api), driven by the automated attack components (attack toolkit, stolen credentials, attack infrastructure, behavior)
2. Successful account compromise: the attacker now appears to the API as a valid user
3. Funds transfer request immediately initiated via OFX (funds transfer API), resulting in theft
Prying-Eye Vulnerability in Video Conferencing Solutions
• Webex and Zoom use numeric IDs to simplify access
– Users opt to disable security features, or not to use them
• Automation can quickly cycle through namespace to find valid IDs
– Web form fill can be automated - APIs simplify the attack
– Mobile applications can be reverse engineered
Diagram: direct-to-API enumeration attack (automated ID enumeration). The automation, built from the same attack components (toolkit, stolen credentials, infrastructure, behavior), requests www.acmevideo.com/join/1234567890, www.acmevideo.com/join/2345678901, www.acmevideo.com/join/3456789012, ... in turn; 4567890123 comes back as a valid meeting ID, and the join request is then sent to the API from a mobile or web client.
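The enumeration described above leaves a distinctive trace in the API's own access logs: one source cycling through many distinct meeting IDs with mostly "not found" responses in a short window. The detector below is an added example, not part of the original presentation and not Cequence product code; it scans constructed combined-log-style lines for that pattern. The log format, the 60-second window and the thresholds are assumptions to be tuned against real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (combined-log style; the format is an assumption).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2020:10:00:01 +0000] "GET /join/1234567890 HTTP/1.1" 404 0
203.0.113.10 - - [12/Mar/2020:10:00:01 +0000] "GET /join/2345678901 HTTP/1.1" 404 0
203.0.113.10 - - [12/Mar/2020:10:00:02 +0000] "GET /join/3456789012 HTTP/1.1" 404 0
203.0.113.10 - - [12/Mar/2020:10:00:02 +0000] "GET /join/4567890123 HTTP/1.1" 200 512
203.0.113.10 - - [12/Mar/2020:10:00:03 +0000] "GET /join/5678901234 HTTP/1.1" 404 0
203.0.113.10 - - [12/Mar/2020:10:00:03 +0000] "GET /join/6789012345 HTTP/1.1" 404 0
198.51.100.7 - - [12/Mar/2020:10:00:05 +0000] "GET /join/4567890123 HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2020:10:05:00 +0000] "GET /join/4567890123 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
JOIN_RE = re.compile(r"^/join/(\d+)$")   # only the join-meeting endpoint is of interest


def parse_line(line):
    """Return (ip, timestamp, meeting_id, status) for a join request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    j = JOIN_RE.match(m["path"])
    if not j:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, j.group(1), int(m["status"])


def detect_enumeration(log_text, window=timedelta(seconds=60),
                       min_distinct=5, min_failure_ratio=0.5):
    """Flag sources that try many distinct IDs with a high failure rate inside one window.

    Returns {source_ip: {distinct_ids, failure_ratio, valid_ids_found}} for the
    widest window observed per flagged source.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts, meeting_id, status = parsed
            events[ip].append((ts, meeting_id, status))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        recent = deque()                      # sliding window of (ts, id, status)
        for ev in evs:
            recent.append(ev)
            while ev[0] - recent[0][0] > window:
                recent.popleft()
            ids = {e[1] for e in recent}
            failures = sum(1 for e in recent if e[2] >= 400)
            ratio = failures / len(recent)
            if len(ids) >= min_distinct and ratio >= min_failure_ratio:
                prev = findings.get(ip)
                if prev is None or len(ids) > prev["distinct_ids"]:
                    findings[ip] = {
                        "distinct_ids": len(ids),
                        "failure_ratio": round(ratio, 2),
                        # IDs that answered successfully: the ones the attacker now holds
                        "valid_ids_found": sorted({e[1] for e in recent if e[2] < 400}),
                    }
    return findings


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

The second source (198.51.100.7) joins the same meeting twice, five minutes apart, and is not flagged; the first source is flagged with six distinct IDs and an 83% failure ratio. Note that a slower, distributed enumeration (one ID per source, spread across a proxy network) defeats a per-IP window like this one, which is why the behavior and infrastructure signals discussed later in the deck are needed alongside it.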
Typical Perimeter Defense for Application Security
Diagram: at the perimeter, a WAF, CDN and load balancer address infrastructure DDoS, breaches, vulnerability scans and network floods, while bot attacks (fake accounts, credential stuffing, fake likes, denial of inventory, scraping) pass through to the mobile, API-based and web applications.
Limitations of the typical perimeter defense:
• Require JavaScript/SDK insertion
• Focus on Account Take Over (ATO) only
• Not designed for direct-to-API traffic
So how do you stop these attacks?
Three Steps For Automated Application Attack Protection
Discover
• Public Facing Applications
• Positive Security Model
Detect
• Rogue Traffic
• Targeted Attacks
• Automation Behavior
Defend
• Block, Deceive, Rate-limit
• Enforce Positive Security Model
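The Discover step feeds the positive security model that the Defend step enforces: build an inventory of the API surface the application actually serves, then reject anything outside it. The code below is an added example, not part of the original presentation and not Cequence product code. The observed traffic is a constructed sample, and collapsing numeric path segments into {id} is an assumed normalization rule.

```python
import re
from collections import Counter

NUMERIC_SEGMENT = re.compile(r"^\d+$")

# Constructed sample of observed traffic: (method, path, response status).
OBSERVED = [
    ("POST", "/login/api", 200),
    ("POST", "/login/api", 401),
    ("POST", "/login/api", 200),
    ("GET", "/join/4567890123", 200),
    ("GET", "/join/1234567890", 200),
    ("POST", "/ofx/transfer", 200),
    ("POST", "/ofx/transfer", 200),
    ("GET", "/admin/debug", 404),   # a probe for a path that does not exist
]


def normalize_path(path):
    """Drop the query string and collapse numeric segments: /join/4567890123 -> /join/{id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if NUMERIC_SEGMENT.match(seg) else seg for seg in path.split("/"))


def discover(observed):
    """Build the inventory from requests the application actually served.

    Responses of 400 and above are ignored so that scanner probes for
    non-existent paths do not end up in the allowlist.
    """
    inventory = Counter()
    for method, path, status in observed:
        if status < 400:
            inventory[(method.upper(), normalize_path(path))] += 1
    return inventory


class PositiveSecurityModel:
    """Allow only (method, path template) pairs present in the discovered inventory."""

    def __init__(self, inventory):
        self.allowed = set(inventory)

    def check(self, method, path):
        key = (method.upper(), normalize_path(path))
        if key in self.allowed:
            return True, "in inventory"
        return False, f"{key[0]} {key[1]} not in inventory"


if __name__ == "__main__":
    model = PositiveSecurityModel(discover(OBSERVED))
    for req in [("GET", "/join/9999999999"), ("GET", "/admin/debug"), ("DELETE", "/login/api")]:
        print(req, model.check(*req))
```

The caveat a practitioner should keep in mind: a positive security model stops requests to undocumented or retired endpoints, but the enumeration and account-takeover attacks shown earlier go through legitimate, inventoried endpoints with well-formed requests. The model narrows the attack surface; the Detect step still has to judge behavior on the endpoints that remain.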
Four Pillars of Automated Attack Detection
INFRASTRUCTURE
• IP addresses, Orgs/ISPs
• Bulletproof/data center proxies
BEHAVIOR
• Traffic volume anomalies
• Evasive tactics and morphing
CREDENTIALS
• Data breaches
• Username & anomaly detection
TOOLS
• Browser impersonation
• Body/cookie/payload heuristics
Inline Defense Against Automated Attacks
• Prevent Automated Attacks from hitting your Applications
– BLOCK
– DECEPTIVE HONEYTRAP
– INSERT HEADER (for downstream action)
• Detect and remediate users affected by Account Take Over (ATO)
• Integrate with Custom Data Lakes
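To tie the four detection pillars to the three inline actions (block, deceptive honeytrap, insert header), the example below scores a login request on each pillar and picks an action from how many pillars fired. It is an added example, not part of the original presentation and not Cequence product code; the ASN list, the breached-username set, the rate threshold, the browser-impersonation heuristic and the header names are all constructed assumptions standing in for real intelligence feeds and tuned policy.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed reference data: placeholders for real threat-intel feeds.
DATACENTER_ASNS = {64500, 64501}             # assumed bulletproof/data-center ASNs (private-use range)
BREACHED_USERNAMES = {"alice@example.com"}   # constructed breached-credential list
LOGIN_RATE_LIMIT = 10                        # attempts per source IP per window (assumed)
WINDOW_SECONDS = 60


@dataclass
class LoginRequest:
    src_ip: str
    asn: int
    username: str
    headers: dict
    ts: float


class FourPillarDetector:
    """Scores a login request on infrastructure, tools, credentials and behavior."""

    def __init__(self):
        self._attempts = defaultdict(deque)   # src_ip -> timestamps of recent attempts

    def infrastructure(self, req):
        # Real mobile and browser users rarely log in from hosting-provider address space.
        return ["datacenter_proxy"] if req.asn in DATACENTER_ASNS else []

    def tools(self, req):
        # Browser impersonation heuristic (assumption): a User-Agent that claims to be
        # a browser but omits a header every real browser sends.
        ua = req.headers.get("User-Agent", "")
        if not ua:
            return ["missing_user_agent"]
        if ua.startswith("Mozilla/") and "Accept-Language" not in req.headers:
            return ["browser_impersonation"]
        return []

    def credentials(self, req):
        return ["breached_username"] if req.username.lower() in BREACHED_USERNAMES else []

    def behavior(self, req):
        q = self._attempts[req.src_ip]
        q.append(req.ts)
        while q and req.ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        return ["volume_anomaly"] if len(q) > LOGIN_RATE_LIMIT else []

    def evaluate(self, req):
        hits = {
            "infrastructure": self.infrastructure(req),
            "tools": self.tools(req),
            "credentials": self.credentials(req),
            "behavior": self.behavior(req),
        }
        score = sum(1 for reasons in hits.values() if reasons)   # pillars triggered
        reasons = [r for rs in hits.values() for r in rs]
        if score >= 3:
            action = "BLOCK"            # drop before it reaches the application
        elif score == 2:
            action = "HONEYTRAP"        # serve a decoy so the tool learns nothing
        elif score == 1:
            action = "INSERT_HEADER"    # forward, tagged for downstream action (e.g. step-up auth)
        else:
            action = "ALLOW"
        headers = {}
        if action == "INSERT_HEADER":
            headers = {"X-Bot-Score": str(score), "X-Bot-Reasons": ",".join(reasons)}  # assumed names
        return {"action": action, "score": score, "reasons": reasons, "headers": headers}


def decoy_response():
    """Honeytrap reply: indistinguishable from an ordinary failed login."""
    return {"status": 401, "body": {"error": "invalid_credentials"}}
```

A single pillar only tags the request because one signal alone is ambiguous: a legitimate user whose credentials appeared in a breach hits the credentials pillar too, and the right downstream action there is step-up authentication and remediation, not a block. The honeytrap deliberately returns the same shape as a real failure so the attacker's toolkit cannot tell detection from a wrong password.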
Cequence Application Security Platform Deployment Options
• Container-based microservices architecture
• Integrates with existing networking and app server infrastructure
• Deploy anywhere: Data center, Cloud, Hybrid
Diagram: platform components (CQ Insight, CQAI, CQ Connect, CQ botDefense) deployed in public cloud, data center or cloud-native environments in front of mobile, API-based and web applications, with zero friction to the app dev process.
About Cequence Security
• Venture-backed early stage company bringing much-needed innovation to application security
• Award-winning AI-powered security platform that automatically protects web, mobile, API-based applications from bot attacks and vulnerability exploits
• Deployed across multiple F500, social media, retail, and financial services organizations
• Visit us at www.cequence.ai
Demo Time!
Q & A