How to Combat Multi-Vector Attacks Against APIs and Web Apps

PUBLISHED ON January 31, 2023
LAST UPDATED July 5, 2023

We at ThreatX are observing an uptick in multi-vector API and web application attacks: orchestrated attacks that unfold in several phases, leverage multiple techniques, and involve evasion tactics. Often, these multi-vector attacks serve a dual purpose: distract the security team while simultaneously aiming precisely at the intended target. We’ve written a couple of blog posts recently explaining these attacks and highlighting a few real-world examples seen among our customer base.

In this post, we highlight what it takes to thwart these types of attacks. Protecting against a blend of techniques and evasion tactics requires a full context view, with a focus on the attackers. Defending against sophisticated attacks that span several phases requires a robust solution that is able to identify and track the attacker’s behavior over time. 

Get everything you need to know about APIs and protecting them in The Definitive Guide to API Attack Protection.

Full Context View 

Trying to defend against multi-vector attacks with legacy point solutions or even a platform that uses multiple point solutions is futile. If the solutions are not fully integrated, and you lack the visibility into the full context of the attack, it’s difficult to truly understand what the attackers are looking for. If your solution is trying to match specific patterns and attack types, you’ll never identify the kinds of coordinated, sophisticated attacks we’re now seeing. 

For instance, a large online retailer came to us after several months of very frustrating attempts to thwart a multi-vector attack. At first, they noticed increased attack patterns and identified a mid-grade DDoS attack. They immediately employed a stand-alone DDoS solution to try to defend their systems. At the same time, they started to notice a higher-than-usual level of login failures coming in through the web. They assumed this activity was a credential stuffing attack, and they pivoted to a bot solution to try to manage the bot-based attacks.

What they ultimately found, and what we were able to help them identify, was that the DDoS attacks were intended to distract the security team so that the attackers could freely pursue the real target: the mobile APIs. The DDoS attack was being used to trigger BGP rerouting that bypassed the fraud protection for the mobile APIs.

Focus on Attackers 

Addressing multi-vector attacks starts by focusing on the attackers themselves. How do you identify unique characteristics of the IPs as you’re interacting with them? How do you build a digital fingerprint that encapsulates everything from the TLS fingerprint, to the ciphers, to the various attributes that may be embedded within the headers, within the payload, or even within the parameters themselves? And for each of those, can you track and monitor the commonalities across each of the users of a particular system, and even beyond that individual system? Are you seeing commonalities with associated behaviors across multiple API collections or multiple systems as well? 

You can’t defend against multi-vector attacks by looking at individual requests and making binary yes or no decisions. It takes an attacker-centric approach focused on behavior.  

Without this approach, you would have to identify each specific IP launching an attack, add it to a block list, or trigger an API transaction to a WAF telling it to block that IP. While that can be somewhat effective, when you are facing bot-based or higher-volume attacks there is an overwhelming number of rapidly cycling IPs. Trying to build advanced correlations behind the scenes after the fact and then trigger a block of a single IP becomes nearly impossible to manage.

Learn more about how attackers are using bots against APIs in The Role of Bots in API Attacks.

IP Interrogation and Fingerprinting 

Key to this approach is the ability to do IP interrogation and IP fingerprinting, but equally important is the linking of those fingerprints to repeated suspicious and malicious behaviors. With this combination, you can build a risk profile that tracks the behavior and its progression through a kill chain, identifying the point at which you have enough information to block.

The Long Game 

These multi-vector attacks also unfold in several phases over a long period of time – from reconnaissance to evasion to attack. The attacks often begin low and slow, staying below the threshold of detection. Then they’ll stop and go idle for days or weeks. Then they’ll reappear after a month or more, probing with more precision, almost surgically. After building a dossier on their target, the attack begins.

When you only look at one point in time, it becomes impossible to identify these types of attacks. For instance, you need to detect attackers early, in the mapping phase, and then fingerprint them to track their future behavior, such as progressing to brute-force techniques. When this context is maintained, you can raise or lower the attacker’s overall risk score over time and block more accurately.
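The following Python program is an added example written for this post, not ThreatX code. It shows the attacker-centric approach described in the fingerprinting and long-game sections above on a small constructed traffic log that spans five weeks: an identity is built from the TLS fingerprint and a header attribute rather than the IP, repeated suspicious behaviors are linked to that identity, the risk score rises when the attacker progresses to a new kill-chain stage and decays during idle periods, and the block decision fires only once enough context has accumulated. The JA3 strings, IP addresses, paths, stage weights, block threshold and 90-day half-life are all assumptions. A per-IP login-failure threshold is included as the baseline it beats: none of the constructed requests is noisy enough to trip it, while the cumulative profile crosses the block threshold on the admin probe even though the attacker has rotated through three addresses.

```python
# Added example: attacker-centric risk scoring across IPs and time.
# Every fingerprint, IP, path, weight and threshold below is constructed for illustration.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

BLOCK_THRESHOLD = 50.0          # assumption: block once cumulative risk reaches this
HALF_LIFE = timedelta(days=90)  # assumption: risk halves after 90 idle days, so a
                                # month-long pause lowers the score but keeps the dossier


@dataclass
class Request:
    ts: datetime
    ip: str
    ja3: str          # TLS client fingerprint (constructed value)
    user_agent: str
    path: str
    status: int


@dataclass
class AttackerProfile:
    fingerprint: str
    score: float = 0.0
    last_seen: Optional[datetime] = None
    ips: Set[str] = field(default_factory=set)
    stages: List[str] = field(default_factory=list)


def fingerprint(req: Request) -> str:
    """Identity that survives IP rotation: TLS fingerprint plus a header attribute."""
    raw = f"{req.ja3}|{req.user_agent}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def classify(req: Request) -> Optional[Tuple[str, float]]:
    """Map one request to a kill-chain stage and a risk weight; None when benign."""
    if req.path.startswith("/api/") and req.status == 404:
        return ("recon", 4.0)               # mapping endpoints
    if req.path == "/api/v1/login" and req.status == 401:
        return ("credential_attack", 6.0)   # brute force / credential stuffing
    if req.path.startswith("/api/v1/admin") and req.status == 403:
        return ("privilege_probe", 10.0)    # reaching for the real target
    return None


class RiskEngine:
    def __init__(self) -> None:
        self.profiles: Dict[str, AttackerProfile] = {}

    def observe(self, req: Request) -> bool:
        """Fold one request into its attacker profile; True means block now."""
        fp = fingerprint(req)
        prof = self.profiles.setdefault(fp, AttackerProfile(fp))
        if prof.last_seen is not None:
            idle = req.ts - prof.last_seen
            prof.score *= 0.5 ** (idle / HALF_LIFE)  # lower the score while idle
        prof.last_seen = req.ts
        prof.ips.add(req.ip)
        signal = classify(req)
        if signal is not None:
            stage, weight = signal
            if stage not in prof.stages:
                prof.stages.append(stage)
                weight *= 2                          # progression to a new stage counts double
            prof.score += weight
        return prof.score >= BLOCK_THRESHOLD


def naive_ip_rule(traffic: List[Request], max_failures: int = 5,
                  window: timedelta = timedelta(minutes=1)) -> Set[str]:
    """Baseline per-IP rule: block an IP with max_failures login failures inside one window."""
    blocked: Set[str] = set()
    failures: Dict[str, List[datetime]] = {}
    for req in sorted(traffic, key=lambda r: r.ts):
        if req.path == "/api/v1/login" and req.status == 401:
            recent = [t for t in failures.get(req.ip, []) if req.ts - t <= window]
            recent.append(req.ts)
            failures[req.ip] = recent
            if len(recent) >= max_failures:
                blocked.add(req.ip)
    return blocked


def replay(traffic: List[Request]) -> Tuple[RiskEngine, List[bool]]:
    """Run the engine over a time-ordered log; return it with the per-request decisions."""
    engine = RiskEngine()
    return engine, [engine.observe(req) for req in traffic]


# Constructed five-week log: slow mapping, a long pause, then login failures and an admin probe
# from new addresses that share the same TLS/User-Agent fingerprint.
T0 = datetime(2023, 1, 2, 9, 0)
BOT_JA3 = "771,4865-4866-4867,0-23-65281,29-23-24,0"   # constructed
BOT_UA = "okhttp/4.9.3"
TRAFFIC: List[Request] = [
    Request(T0, "203.0.113.10", BOT_JA3, BOT_UA, "/api/v1/users/export", 404),
    Request(T0 + timedelta(minutes=7), "203.0.113.10", BOT_JA3, BOT_UA, "/api/v1/debug", 404),
    Request(T0 + timedelta(minutes=10), "198.51.100.200", "771,4865-4866,0-23,29-23,0",
            "MyShopApp/5.1 iOS", "/api/v1/login", 200),  # legitimate mobile user
    Request(T0 + timedelta(minutes=19), "203.0.113.10", BOT_JA3, BOT_UA, "/api/v2/accounts", 404),
    Request(T0 + timedelta(days=36, hours=3), "198.51.100.7", BOT_JA3, BOT_UA, "/api/v1/login", 401),
    Request(T0 + timedelta(days=36, hours=9), "198.51.100.7", BOT_JA3, BOT_UA, "/api/v1/login", 401),
    Request(T0 + timedelta(days=36, hours=20), "198.51.100.7", BOT_JA3, BOT_UA, "/api/v1/login", 401),
    Request(T0 + timedelta(days=37, hours=2), "192.0.2.55", BOT_JA3, BOT_UA, "/api/v1/admin/users", 403),
]

if __name__ == "__main__":
    engine, decisions = replay(TRAFFIC)
    for req, block in zip(TRAFFIC, decisions):
        print(f"{req.ts:%Y-%m-%d %H:%M} {req.ip:15} {req.path:22} block={block}")
    print("per-IP rule would block:", naive_ip_rule(TRAFFIC) or "nothing")
```

Only the last request returns a block decision: the three 404s, the pause, and the three spaced-out login failures each stay below the threshold on their own, but because they are tied to one fingerprint the admin probe arrives with the attacker already at roughly 36 points and pushes the profile past 50. The per-IP rule never fires, since no single address produces five failures within a minute.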

Full Picture, in Real Time 

Ultimately, the key is identifying unique attacker characteristics. And it needs to be in the full context — not just what you’re seeing from a web application firewall or a DDoS solution or even a bot solution. You need the visibility to coordinate all of the information that you’re pulling from each of those components into a single platform and then correlate that data over time to identify the real attack vector and the real risk. 

This approach takes an understanding of the behaviors, what’s being targeted, what techniques are being used, and the stage of the kill chain. Finally, the biggest challenge is to do this in a timely fashion so that you’re not discovering after the fact what the attackers were targeting. 

Learn more about how to track attackers rather than looking for signatures in Why an Attacker-Centric Approach Is Key to API Protection.

About the Author

Jeremy Ventura

Jeremy Ventura is a cybersecurity professional specializing in advising organizations on information security best practices. He has years of experience in vulnerability management, email security, incident response and security operations center work. At ThreatX, he is responsible for the development and presentation of thought leadership across all areas of cybersecurity. Ventura is an industry leader who can regularly be seen in media, blog posts, podcasts and at speaking events. Previously, Ventura worked at Gong, Mimecast, Tenable and IBM, among other security organizations. Ventura holds a Master’s Degree in Cybersecurity and Homeland Security.