Hacking the cloud: why APIs are now a top threat

The Application Programming Interface (API) is now integral to many services but it’s also a key target for attackers. Jason Kent, Hacker in Residence at Cequence Security, looks at why insecure APIs are now topping threat charts.


One of the best indicators of how effective cloud security measures are is the Cloud Security Alliance's 'Top Threats to Cloud Computing' report. Usually released every two years, the latest edition dropped a few weeks ago, and perhaps the most striking development is the rise of insecure interfaces and APIs. Back in 2017, insecure APIs came in at number three; by 2019 they had fallen to seventh place in the listings; this year they have climbed back up to number two. So why has this happened, and what does it tell us about the steps we should be taking to secure the cloud?

The ascent of the API

Firstly, our dependency on APIs has increased enormously. There has been a shift away from web-based application infrastructure to one based on APIs, and this can be seen in the analysis of web traffic: of the 2.1 billion transactions analysed in the second half of 2021, 70% were conducted via APIs. The trend is set to continue, with a recent Enterprise Strategy Group (ESG) report stating that, while 28% of web apps and websites use APIs today, this will more than double over the course of the next two years.

APIs provide developers with convenient building blocks for cloud services, but they also provide direct access to highly sensitive data, making them a prime target for attackers. The same ESG survey found that almost a quarter of organisations had experienced attacks on misconfigured APIs, and that a fifth had been subjected to Account Takeover (ATO) attacks and to OWASP Top 10 attacks respectively. The last point is particularly worrying given that 27% of those same organisations had already taken steps to address the well-publicised OWASP issues.

These attacks had significant impacts. More than 40% of organisations experienced downtime, creating knock-on effects for customers, the brand and the bottom line. Negative customer experiences were reported by 34%, 34% saw shareholder value fall, and 26% reported lost revenue. There were also internal consequences: 41% saw employees adversely affected and 38% had to deploy additional security products or services.

Tools and techniques

This brings us to the second reason why APIs are topping the chart: they are genuinely troublesome to secure. Attackers take advantage of the way APIs are designed to work rather than any particular exploit or vulnerability, an approach often described as 'Living off the Land' (LotL). Every request is well-formed and individually authorised, whether it is enumerating object identifiers, scraping data or replaying logins at scale, so there is no signature to match and no rule being broken, and traditional security solutions struggle to detect the activity. Yet, despite this, many organisations still rely on Intrusion Prevention Systems (IPS), next-generation firewalls and Web Application Firewalls (WAFs), or application security tools such as bot mitigation, none of which are designed to surface the anomalous behaviour that indicates an API is being abused.

Rather worryingly, the ESG survey found that many organisations were unaware of this and believe these tools are up to the job. It is this disconnect that lies at the heart of the problem and has allowed APIs to become such a prominent threat. Organisations know API security is a priority, right up there with cloud migration, securing remote and flexible working arrangements, and threat detection, but their faith in their current security tooling is misplaced, leaving them vulnerable to attack.

A unified approach

So what can be done to address API security more effectively? To begin with, it is important to regard API security as covering the entire lifecycle of the API. This requires a strategic approach that looks at how security is embedded from development, through deployment, to retirement. For example, a 'shift left' approach should be adopted during development, with security review and testing at the design and build stages, to reduce the risk of coding errors reaching production.

Discovery should be carried out on a continuous basis to detect APIs before they can be spun up and forgotten. This also gives the team an attacker's-eye view of publicly exposed APIs and resources. Discovered APIs should then be inventoried and tracked on an ongoing basis to ensure they are correctly configured and kept up to date.
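The discovery-and-inventory step above can be automated by diffing the endpoints a gateway actually serves against the endpoints the team has declared. The Python script below is an added example written for this page, not Cequence's code or a product feature. The access-log format, the inventory and the path-templating rule (numeric or hex path segments collapsed to `{id}`) are assumptions made for the demo; in practice the inventory would come from your OpenAPI specs and the log from your gateway.

```python
"""Continuous API discovery: diff what the gateway actually serves against the
declared inventory. Added example, not Cequence code. The log format, the
inventory and the templating rule are constructed for the demo."""
import re
from collections import Counter

# Constructed inventory: the endpoints the team believes are deployed.
INVENTORY = {
    ("GET", "/api/v2/users/{id}"),
    ("POST", "/api/v2/login"),
    ("GET", "/api/v2/orders/{id}"),
    ("POST", "/api/v2/orders"),
    ("DELETE", "/api/v2/orders/{id}"),
}

# Constructed gateway access log: "<method> <path> <status>" per line.
GATEWAY_LOG = """\
GET /api/v2/users/1042 200
GET /api/v2/users/1043 200
POST /api/v2/login 200
GET /api/v1/users/1042/export 200
GET /api/v1/users/77/export 200
GET /api/v2/orders/9a8f3c 200
POST /api/v2/orders 201
GET /internal/debug/config 200
GET /api/v2/users/1044/ssn 404
GET /api/v2/users/1044/ssn 404
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Path segments that look like object identifiers (integers, hex ids) are
# collapsed to {id}, so /users/1042 and /users/1043 count as one endpoint.
ID_SEGMENT_RE = re.compile(r"/(\d+|[0-9a-f]{6,})(?=/|$)")


def templatize(path: str) -> str:
    path = path.split("?", 1)[0]          # drop the query string
    return ID_SEGMENT_RE.sub("/{id}", path)


def observe(log: str) -> Counter:
    """Count hits per (method, template, served); served is False for 404s."""
    seen = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # skip malformed lines
        served = m["status"] != "404"
        seen[(m["method"], templatize(m["path"]), served)] += 1
    return seen


def discover(log: str, inventory: set) -> dict:
    """Split observed traffic into live endpoints nobody declared (shadow),
    paths callers are guessing at that do not exist (probed), and declared
    endpoints with no traffic at all (zombie candidates)."""
    seen = observe(log)
    shadow, probed, live = {}, {}, set()
    for (method, tpl, served), n in seen.items():
        if served:
            live.add((method, tpl))
            if (method, tpl) not in inventory:
                shadow[(method, tpl)] = n
        elif (method, tpl) not in inventory:
            probed[(method, tpl)] = n
    zombie = sorted(ep for ep in inventory if ep not in live)
    return {"shadow": shadow, "probed": probed, "zombie": zombie}


if __name__ == "__main__":
    report = discover(GATEWAY_LOG, INVENTORY)
    for label in ("shadow", "probed"):
        for (method, tpl), n in sorted(report[label].items()):
            print(f"{label.upper():7} {method} {tpl} ({n} hits)")
    for method, tpl in report["zombie"]:
        print(f"ZOMBIE  {method} {tpl}")
```

Run against the constructed log, the report shows a forgotten v1 export endpoint and an internal debug path that are live but undeclared, an attacker guessing at a `/ssn` sub-resource that does not exist, and a declared DELETE that nobody calls and is therefore a candidate for retirement. Each category maps to a different lifecycle action: shadow endpoints need an owner and a spec, probed paths need watching, zombies need removing.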

Monitoring needs to move away from the signature- or rule-based processing associated with application security solutions, towards behaviour-based analysis that baselines how each API is normally used and flags deviations from it. This is far more effective at spotting suspicious or malicious activity, and it can detect risky changes to the API without impacting performance or disrupting API rollout.
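To make concrete both the earlier point that API abuse leaves no signature to match and the behaviour-based monitoring described here, the Python script below is an added example, not Cequence's code. It takes a constructed JSON-lines API log in which every single request is well-formed and would pass a WAF, and flags two behaviours that only show up in aggregate per client: one client walking sequential object identifiers (enumeration), and one client hammering the login endpoint with a low success rate (credential stuffing). The log field names, the login path, the window and the thresholds are assumptions made for the demo.

```python
"""Behaviour-based detection of API abuse over per-request logs.
Added example, not Cequence code. Every request below is syntactically valid
and individually authorised; the abuse is only visible in how one client
behaves over a window. Log field names and thresholds are assumptions."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed JSON-lines log: one normal user (192.0.2.4), one client walking
# sequential user ids (203.0.113.7), one client stuffing credentials (198.51.100.9).
API_LOG = """\
{"ts":"2022-07-01T10:00:00Z","client":"192.0.2.4","method":"POST","path":"/api/v2/login","status":200}
{"ts":"2022-07-01T10:00:01Z","client":"192.0.2.4","method":"GET","path":"/api/v2/users/1001","status":200}
{"ts":"2022-07-01T10:00:02Z","client":"203.0.113.7","method":"GET","path":"/api/v2/users/1001","status":200}
{"ts":"2022-07-01T10:00:03Z","client":"203.0.113.7","method":"GET","path":"/api/v2/users/1002","status":200}
{"ts":"2022-07-01T10:00:04Z","client":"203.0.113.7","method":"GET","path":"/api/v2/users/1003","status":200}
{"ts":"2022-07-01T10:00:05Z","client":"203.0.113.7","method":"GET","path":"/api/v2/users/1004","status":200}
{"ts":"2022-07-01T10:00:06Z","client":"203.0.113.7","method":"GET","path":"/api/v2/users/1005","status":200}
{"ts":"2022-07-01T10:00:07Z","client":"203.0.113.7","method":"GET","path":"/api/v2/users/1006","status":200}
{"ts":"2022-07-01T10:00:08Z","client":"198.51.100.9","method":"POST","path":"/api/v2/login","status":401}
{"ts":"2022-07-01T10:00:09Z","client":"198.51.100.9","method":"POST","path":"/api/v2/login","status":401}
{"ts":"2022-07-01T10:00:10Z","client":"198.51.100.9","method":"POST","path":"/api/v2/login","status":401}
{"ts":"2022-07-01T10:00:11Z","client":"198.51.100.9","method":"POST","path":"/api/v2/login","status":401}
{"ts":"2022-07-01T10:00:12Z","client":"198.51.100.9","method":"POST","path":"/api/v2/login","status":401}
{"ts":"2022-07-01T10:00:13Z","client":"198.51.100.9","method":"POST","path":"/api/v2/login","status":200}
{"ts":"2022-07-01T10:00:14Z","client":"192.0.2.4","method":"GET","path":"/api/v2/users/1001","status":200}
{"ts":"2022-07-01T10:00:15Z","client":"192.0.2.4","method":"GET","path":"/api/v2/orders/7","status":200}
"""

ID_SEGMENT_RE = re.compile(r"/(\d+|[0-9a-f]{6,})(?=/|$)")


def templatize(path: str) -> str:
    """Collapse object ids so /users/1001 and /users/1002 share one template."""
    return ID_SEGMENT_RE.sub("/{id}", path.split("?", 1)[0])


def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["template"] = templatize(e["path"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_enumeration(events, window_s=30, min_distinct=5) -> dict:
    """Flag (client, template) pairs that read many distinct object ids inside
    a sliding window. Each GET is a legitimate read; the pattern is scraping
    or probing for broken object-level authorisation."""
    recent = defaultdict(deque)   # (client, template) -> (ts, path) within window
    alerts = {}
    for e in events:
        if e["method"] != "GET" or "{id}" not in e["template"]:
            continue
        key = (e["client"], e["template"])
        q = recent[key]
        q.append((e["ts"], e["path"]))
        while e["ts"] - q[0][0] > timedelta(seconds=window_s):
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= min_distinct:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def detect_credential_stuffing(events, login="/api/v2/login",
                               min_attempts=5, max_success_ratio=0.2) -> dict:
    """Flag clients with many login attempts and a low success rate; every
    attempt is a valid POST, so a signature on the request body finds nothing."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0})
    for e in events:
        if e["method"] == "POST" and e["template"] == login:
            stats[e["client"]]["attempts"] += 1
            if e["status"] == 200:
                stats[e["client"]]["successes"] += 1
    return {c: s for c, s in stats.items()
            if s["attempts"] >= min_attempts
            and s["successes"] / s["attempts"] <= max_success_ratio}


if __name__ == "__main__":
    ev = parse(API_LOG)
    for (client, tpl), n in detect_enumeration(ev).items():
        print(f"ENUMERATION  {client} read {n} distinct ids on {tpl}")
    for client, s in detect_credential_stuffing(ev).items():
        print(f"STUFFING     {client} {s['successes']}/{s['attempts']} logins succeeded")
```

Note what the detectors key on: not the content of any request, but the distribution of requests per client over time. The normal user reads the same record twice and logs in once and is never flagged; the two abusive clients send nothing a WAF would reject, yet stand out immediately once their behaviour is aggregated. Tuning the window and thresholds against a baseline of real traffic is the part of this that needs care, since a legitimate batch job can look like enumeration.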

Finally, API security should also include active defence. APIs are frequently subjected to automated attacks, which means they can be thwarted using stealth tactics that deceive, slow down or silently degrade the attacker's tooling rather than simply blocking it. By creating attack futility, failure and fatigue, it is possible to deter even the most relentless of attacks. Put all these elements together and the end result is a comprehensive, unified form of API security that is tailored to the idiosyncrasies of the API and the cloud environment.

As API adoption continues to grow, it’s vital that we begin to tackle their security using the right tools and techniques for the job. Otherwise, in two years’ time, we could well find insecure APIs at number one on the CSA Top Threats chart.

About the author

Jason Kent is Hacker in Residence at Cequence Security. He has been ethically peering into Client Behaviour, Wireless Networks, Web Applications, APIs and Cloud Systems for over 20 years, helping organisations secure their assets and intellectual property from unauthorised access. As a consultant he has taken hundreds of organisations through difficult compliance minefields, ensuring their safety. As a researcher he has found flaws in consumer IoT systems and assisted in hardening them against external attacks. At Cequence Security, Kent does research and community outreach and supports efforts to identify Automated Attacks against Web, Mobile and API-based Applications to keep Cequence's customers safe.