LAST UPDATED July 5, 2023
We at ThreatX are observing an uptick in multi-vector API and application attacks, that is, orchestrated attacks that include several phases, leverage multiple techniques, and involve evasion tactics. Often, these multi-vector attacks serve a dual purpose: distract security’s attention while simultaneously aiming precisely at an intended target. We’ve written a few blogs recently explaining these attacks, highlighting a few real-world examples, and outlining what it takes to thwart them. In this post, we explain how ThreatX identifies and stops multi-vector attacks.
Protecting against a blend of techniques and evasion tactics requires a full context view, with a focus on the attackers. Defending against sophisticated attacks that span several phases requires a robust solution that is able to identify and track the attacker’s behavior over time.
Get everything you need to know about APIs and how to protect them in The Definitive Guide to API Attack Protection.
How ThreatX Detects Longer Duration Attacks
These multi-vector attacks include various phases, over a long period of time – from reconnaissance to evasion to attack. The attacks often begin low and slow, staying below the threshold of detection. Then they’ll stop and go idle for days or weeks. Then, they’ll reappear after a month or more, probing with more precision, almost surgically. After building a dossier on their target, the attack begins.
ThreatX can defend against these long-play attacks because it extends the timeline of API and application protection by monitoring the behavior of suspicious entities over time, including attacker reconnaissance, such as scanning the application, mapping of endpoints, fuzzing techniques, and method enumeration.
ThreatX detects suspicious activity early and then fingerprints the attacker to track future behaviors, such as progressing to brute force techniques. This allows the ThreatX platform to confidently block requests from the suspicious entity well before damage occurs to the API or application.
ThreatX classifies risk
The ThreatX platform thinks like a security analyst and classifies every observed behavior in terms of risk. For instance, SQL injection or cross-site scripting attempts are blocked on the first request. But if ThreatX identifies a lower-risk activity, the platform raises the entity’s risk score without blocking until it has clear indicators that the traffic isn’t originating from a legitimate user.
Unlike traditional solutions, ThreatX doesn’t ignore seemingly low-risk behaviors; it turns up the scrutiny and watches them carefully:
- Are they hitting multiple applications?
- Are they mapping API endpoints?
- Are they attempting BOLA attacks, or mass assignment?
By watching requests and integrating an entity risk score over a long period of time, ThreatX is able to discover patterns of behavior that are clearly purposeful attacks. And we block those attacks before vulnerabilities are discovered, much less exploited.
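The following is an added illustration of the risk-classification and long-memory ideas described above; it is example code written for this post, not ThreatX’s implementation. The signal names, weights, the 40-point block threshold and the 90-day retention window are all assumed values chosen to show the mechanism: a high-risk signal blocks on the first request, low-risk signals only accumulate, and the same low-and-slow timeline that crosses the threshold under a long retention window never does under a one-minute window of the kind legacy rule engines use.

```python
"""Entity risk scoring over a long observation window (added example, not ThreatX code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical signal catalogue. High-risk signals block immediately; the rest add to
# the entity's score. Names mirror behaviours named in the post, weights are invented.
IMMEDIATE_BLOCK = {"sqli", "xss"}
SIGNAL_WEIGHT = {
    "endpoint_enum": 5,   # walking guessed /api/... paths
    "fuzz": 8,            # malformed or boundary-value parameters
    "multi_app": 10,      # the same entity touching several distinct applications
    "bola_probe": 15,     # one endpoint, many object ids, mostly 403/404 responses
}
BLOCK_THRESHOLD = 40      # assumed score at which the entity is blocked


@dataclass
class Entity:
    score: int = 0
    history: list = field(default_factory=list)   # (timestamp, signal) pairs
    blocked: bool = False


class RiskEngine:
    """Keeps per-entity history for `memory` and blocks when integrated risk crosses the threshold."""

    def __init__(self, memory: timedelta):
        self.memory = memory
        self.entities = {}

    def observe(self, entity_id: str, ts: datetime, signal: str) -> str:
        ent = self.entities.setdefault(entity_id, Entity())
        if ent.blocked:
            return "block"                       # a blocked entity stays blocked
        if signal in IMMEDIATE_BLOCK:
            ent.blocked = True                   # no accumulation needed for clear exploits
            return "block"
        # Forget anything older than the retention window, then integrate what is left.
        ent.history = [(t, s) for t, s in ent.history if ts - t <= self.memory]
        ent.history.append((ts, signal))
        ent.score = sum(SIGNAL_WEIGHT.get(s, 0) for _, s in ent.history)
        if ent.score >= BLOCK_THRESHOLD:
            ent.blocked = True
            return "block"
        return "allow"


# Constructed low-and-slow timeline for one entity: a burst of mapping, weeks of
# silence, then increasingly precise probing. None of it is a signature match on its own.
DAY0 = datetime(2023, 3, 1, 10, 0)
TIMELINE = [
    (DAY0, "endpoint_enum"),
    (DAY0 + timedelta(minutes=5), "endpoint_enum"),
    (DAY0 + timedelta(days=25), "fuzz"),
    (DAY0 + timedelta(days=40), "bola_probe"),
    (DAY0 + timedelta(days=55), "multi_app"),
]


def decisions(memory: timedelta, entity_id: str = "entity-1") -> list:
    """Replay the constructed timeline through an engine with the given memory."""
    engine = RiskEngine(memory)
    return [engine.observe(entity_id, ts, sig) for ts, sig in TIMELINE]


if __name__ == "__main__":
    print("90-day memory:", decisions(timedelta(days=90)))     # last event blocks
    print("1-minute memory:", decisions(timedelta(minutes=1)))  # never blocks
```

With the 90-day window the scores run 5, 10, 18, 33, 43, so the fifth event is blocked; with a one-minute window every event is scored in isolation and the highest score ever seen is 15, so the same attacker is allowed through each time.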
Watch this short demo video to get details on how ThreatX detects and blocks attackers.
ThreatX has a long attention span
Traditional security tools have very short attention spans when it comes to detecting threats. Legacy WAF detection logic is often limited to analyzing a single request for specific regex pattern matches. Other rules will count events over a very short time range in order to find obvious patterns such as a flood of traffic or login attempts. In either case, the analysis window is very narrow, ranging from sub-second to a minute or two.
So what do you do if you know your adversary has a very short attention span? You slow down. And this is exactly what attackers have done. Attackers have all the time in the world, and they only need to win once in order to have a successful attack. So instead of operating on a scale of seconds, they can progressively develop an attack over days and weeks. They can patiently probe for weaknesses, test exposed functionality, and progress their attack on a timescale that is orders of magnitude longer than signature-based solutions are built to analyze.
This means modern security tools need to have very long-term memories. Just as importantly, they need to be able to use these memories and context in real-time so that attacks can actually be prevented and not simply detected after the fact.
ThreatX Sees What Point Solutions Don’t
In most cases, attackers aren’t just going to attack with one exploit; they’re going to string together a series of attacks over time, often using federated and sophisticated botnets.
The defense challenge isn’t that attackers employed some novel new evasion technique or zero-day exploit. The problem usually centers around individual security tools that can only see a portion of the overall attack.
Countering a blended approach
Modern attacks leverage a variety of techniques toward a common goal. Attackers are no longer one-trick ponies, but instead, pick and choose whatever techniques will help further their attack. For example, virtually all attacks will leverage some form of automation, whether that is using bots to attack application functionality, scan for exposed vulnerabilities, or any number of other actions. DDoS techniques can be used to overwhelm and distract security staff or provide cover for more sinister account take-over techniques.
This blended approach takes advantage of the specialized and siloed nature of many security tools. For example, organizations may have a tool for exploits, a tool for bots, a tool for DDoS, a tool for behavioral anomalies, and so on. Even when security vendors consolidate these functions into a single product, they typically exist as multiple separate point products bundled into a single SKU. This packaging doesn’t do the hard work of synthesizing all the different perspectives into a single security context.
ThreatX identifies, watches, and interrogates attackers, rather than only matching signatures of attacks. We analyze IP reputation, Tor exit node status, geo IP, user agent, TLS fingerprint, and a number of behavioral attributes to identify entities and codify the risk associated with their behavior. In this way, the solution can integrate risk signals across multiple attack types, multiple toolchain variants, changing IPs, and long time scales. We notice everything the attacker does, even if it seems innocuous at the time, and we do it while it’s happening so we can act on it for you. Contrast that with solutions that reconstruct the same picture weeks or months after a breach.
Learn more about why an attacker focus is key to API and app protection in Why an Attacker-Centric Approach Is Key to API Protection.
ThreatX Identifies Evasion Tactics
Evasion techniques provide a constantly moving target that makes it almost impossible for traditional security tools to connect the dots.
Attackers can employ massive botnets of compromised hosts, allowing their malicious actions to be distributed across many hosts or IP addresses. Or attackers can manipulate their automated attacks to change their user agents or other traits to make it hard for defenders to take action based on any one indicator.
In addition, we often see attackers using massive request volumes as evasion. They use bots, or even DDoS-scale attacks, simply to overwhelm security resources. It’s a diversionary tactic, or a way to anonymize themselves by inserting the real attack somewhere inside an overall blended attack.
These examples only scratch the surface of how evasion is used today, but they underscore why ThreatX invests so heavily in attacker-focused, risk-based blocking. These techniques allow the system to challenge, interrogate, and fingerprint attackers. This lets the platform see the actual attacking entity even as the individual hosts, IP addresses, and other assets change.
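As an added example of why keying detection on the entity rather than on any one indicator matters, the script below (written for this post, not ThreatX’s code) takes constructed access records in which one attacker spreads a BOLA-style object-id hunt across four IP addresses and two user agents while keeping the same TLS stack. Counting refused object lookups per IP never crosses the assumed threshold of ten; counting them per TLS fingerprint does. The field names, the `fp-…` fingerprint values, the `/api/orders/<id>` path and the threshold are all assumptions made for the illustration.

```python
"""Entity correlation across rotating IPs and user agents (added example, not ThreatX code)."""
import re
from collections import Counter, defaultdict

# Constructed records, shaped like what a reverse proxy could log:
# (client_ip, user_agent, tls_fingerprint, path, status). All values are made up.
ATTACKER_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
ATTACKER_UAS = ["Mozilla/5.0 (X11; Linux x86_64)", "python-requests/2.31"]
ATTACKER_FP = "fp-aaa111"   # hypothetical JA3-style hash of the attacker's TLS client hello

RECORDS = []
for i, ip in enumerate(ATTACKER_IPS):
    for j in range(3):      # three refused object lookups from each address
        RECORDS.append((ip, ATTACKER_UAS[i % 2], ATTACKER_FP,
                        f"/api/orders/{1000 + 3 * i + j}", 403))

# Legitimate users: their own objects succeed, one mistyped id yields a single 404.
RECORDS += [
    ("198.51.100.7", "Mozilla/5.0 (Macintosh)", "fp-ccc333", "/api/orders/2201", 200),
    ("198.51.100.7", "Mozilla/5.0 (Macintosh)", "fp-ccc333", "/api/orders/2202", 200),
    ("198.51.100.9", "Mozilla/5.0 (Windows NT 10.0)", "fp-ddd444", "/api/orders/3310", 404),
]

OBJECT_LOOKUP = re.compile(r"^/api/orders/\d+$")
PROBE_THRESHOLD = 10        # assumed count of refused lookups that marks a BOLA hunt


def is_refused_lookup(path: str, status: int) -> bool:
    """One refused object lookup is noise; many from one entity is a BOLA hunt."""
    return bool(OBJECT_LOOKUP.match(path)) and status in (403, 404)


def by_ip(ip, ua, fp):
    return ip                  # the per-indicator view a legacy rate rule would use


def by_entity(ip, ua, fp):
    return fp                  # the TLS fingerprint survives IP and UA rotation


def probe_counts(records, key) -> Counter:
    """Count refused object lookups, grouped by whatever `key` returns."""
    counts = Counter()
    for ip, ua, fp, path, status in records:
        if is_refused_lookup(path, status):
            counts[key(ip, ua, fp)] += 1
    return counts


def over_threshold(counts: Counter, threshold: int = PROBE_THRESHOLD) -> set:
    return {k for k, n in counts.items() if n >= threshold}


def entity_footprint(records) -> dict:
    """For each fingerprint, the distinct IPs and user agents it was seen with."""
    ips, uas = defaultdict(set), defaultdict(set)
    for ip, ua, fp, _path, _status in records:
        ips[fp].add(ip)
        uas[fp].add(ua)
    return {fp: (ips[fp], uas[fp]) for fp in ips}


if __name__ == "__main__":
    print("per IP:    ", dict(probe_counts(RECORDS, by_ip)), over_threshold(probe_counts(RECORDS, by_ip)))
    print("per entity:", dict(probe_counts(RECORDS, by_entity)), over_threshold(probe_counts(RECORDS, by_entity)))
    for fp, (ips, uas) in entity_footprint(RECORDS).items():
        print(fp, "seen from", len(ips), "IPs and", len(uas), "user agents")
```

The per-IP counter sees four addresses at three refused lookups each and flags nothing; the per-entity counter sees twelve from `fp-aaa111` and flags it, with the footprint showing that one entity behind four IPs and two user agents. In practice a fingerprint is one attribute among several, since TLS stacks are shared by many clients, which is why the post combines it with reputation, geo IP and behavioral attributes rather than treating it as an identity on its own.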
High Confidence, Low Hand Holding
ThreatX not only helps you effectively defend against multi-vector attacks, it also eases the burden on your team. No more endless whack-a-mole: with our highly accurate risk-based blocking, plus a team of security experts constantly watching and responding to threats, you get high-confidence blocking with low hand-holding.
To learn more about the ThreatX platform, watch our demo video.