LAST UPDATED February 21, 2023
As attackers become more sophisticated, API attacks have evolved in a distinctive way. Attackers are moving beyond the traditional attacks you have seen in the past and getting creative, combining complex, bot-based attacks with a blend of techniques. They are targeting APIs with multi-vector attacks: orchestrated attacks that unfold in several phases, leverage multiple techniques, and involve evasion tactics. Often, these multi-vector attacks serve a dual purpose: distract security while simultaneously aiming precisely at an intended target.
Get background on why APIs are now targets, how attackers are targeting them, and how to defend them in The Definitive Guide to API Attack Protection.
For example, at ThreatX, we see API attackers leveraging botnets for discovery and overloading systems with DDoS as a distraction, all while interweaving discovery and exploitation attempts among the noise. In the reconnaissance phase, we often see attackers using botnets of thousands of rotating IP addresses to probe for and discover vulnerable APIs. With vast numbers of IPs at their disposal, they can carry out discovery while blending in with legitimate traffic. Once they identify a vulnerability, they use the botnet to overwhelm the security team with alerts while they use various techniques to exploit it.
Traditional Solutions vs. Multi-Vector Attacks
This new attack pattern exceeds the capabilities of traditional security solutions like legacy web application firewalls (WAFs), as well as stand-alone API observability, bot management, or DDoS solutions. Modern API attackers are a step ahead of old-school WAFs: they know where the tripwires and detection thresholds of DDoS mitigation and bot detection solutions lie. In addition, with little to no visibility across attacks, these solutions struggle to identify drawn-out, multi-vector attacks; they fail to see the context and connections between all of these interrelated events. Tooling designed to block a single variant of an automated attack was once a winning defense strategy, but it just doesn’t cut it anymore.
Inside a Multi-Vector API Attack
Increasingly, our threat hunters observe highly sophisticated, multi-vector attacks that penetrate defenses by staying just below detection thresholds. Then they morph. Then they move one more step. Then they morph again. Each elusive step applies different tricks to slip between the cracks in a defense perimeter designed for a different scale of attack.
In most cases, the problem isn’t that attackers employed some novel evasion technique or zero-day exploit. The problem usually centers around individual security tools that can only see a portion of the overall attack.
For example, we recently partnered with a global organization that creates video games. This gaming company faced an attacker that, leveraging a botnet, identified a new video game being developed in a staging area. The attacker then used the botnet to explore the product undetected, ultimately identifying vulnerabilities in its APIs.
Months later, when the game was released, the attacker came back, deploying a large account takeover attack. We frequently see this attack pattern. Attackers use bots to carry out DDoS-scale attacks in order to shift the security team’s focus to a particular incident while they carry out the real attack undetected.
Learn more about the types of DDoS attacks we are seeing in our recent Live Q&A: The Evolution to Record-Breaking DDoS.
While the security organization was responding to what it thought was a brute-force and account takeover attack, a much lower-and-slower exploitation attempt was actually under way, targeting the vulnerable APIs discovered during the earlier reconnaissance phase. The attackers rotated their tactics and techniques to obscure the fact that the real goal was to exploit the vulnerable authentication APIs.
This attack and others reveal a new level of sophistication in the multi-step automation behind these long-term attacks. Attackers automate one set of steps using one set of IPs to conduct the initial discovery scanning, looking for vulnerable endpoints. As they escalate, they shift to a different set of IPs for the next step, and then on to yet another set of IPs for the final exploitation steps or command-and-control activity.
How ThreatX Helps Address Multi-Vector Attacks
ThreatX was built to handle this new world. Our goal isn’t to simply check all the individual feature boxes. Our goal is to bring all of the best detection strategies together into a single defense posture that notices these shifting attack vectors, sees them for what they are, and stops attacks that pretty much everybody else in the industry is missing.
Other solutions never accumulate enough visibility to see the entire risk landscape and protect customer assets. ThreatX integrates risk severity across multiple attack types, multiple toolchain variants, changing IPs, and the full duration of the campaign. We notice everything the attacker does, even if it seems innocuous at the time.
In the case of the gaming company above, even though the attackers were using anonymizers and rotating user-agent strings and other key characteristics along with the IPs, we were able to identify TLS signatures and IP fingerprints and then correlate all the data we were gathering. We ended up tracking up to 14 different elements of the IP fingerprint, which allowed us to recognize when additional anonymizing techniques were deployed. In turn, we were able to identify both the diversionary tactic and the behaviors targeting the vulnerable APIs. Ultimately, we tracked, correlated, and then immediately blocked the activity, and as the attackers rotated through more IPs, those IPs were blocked as well.
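As an added illustration (not ThreatX’s code or detection logic), the Python sketch below shows why scoring risk per IP misses a campaign like the one above while scoring on a stable client fingerprint catches it; the request records, fingerprint values, and risk weights are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample request log (not real traffic). Three attacker phases come
# from three IPs with rotated user agents but share one TLS client fingerprint
# ("fp"; a JA3-style hash stands in as a placeholder). One legitimate user is mixed in.
REQUESTS = [
    # Phase 1, discovery: probing for undocumented endpoints
    {"ip": "198.51.100.7", "fp": "tls:4f1c", "ua": "curl/7.88", "path": "/api/v2/admin", "status": 404},
    {"ip": "198.51.100.7", "fp": "tls:4f1c", "ua": "curl/7.88", "path": "/api/v2/debug", "status": 404},
    {"ip": "198.51.100.7", "fp": "tls:4f1c", "ua": "curl/7.88", "path": "/api/v1/login", "status": 405},
    # Phase 2, the noisy distraction: failed logins from a second IP
    {"ip": "203.0.113.42", "fp": "tls:4f1c", "ua": "Mozilla/5.0", "path": "/api/v1/login", "status": 401},
    {"ip": "203.0.113.42", "fp": "tls:4f1c", "ua": "Mozilla/5.0", "path": "/api/v1/login", "status": 401},
    # Phase 3, low and slow: malformed input making the auth endpoint error out
    {"ip": "192.0.2.99", "fp": "tls:4f1c", "ua": "python-requests/2.28", "path": "/api/v1/login", "status": 500},
    {"ip": "192.0.2.99", "fp": "tls:4f1c", "ua": "python-requests/2.28", "path": "/api/v1/token", "status": 200},
    # Legitimate user: one mistyped password, then normal use
    {"ip": "192.0.2.10", "fp": "tls:9a0e", "ua": "Mozilla/5.0", "path": "/api/v1/login", "status": 401},
    {"ip": "192.0.2.10", "fp": "tls:9a0e", "ua": "Mozilla/5.0", "path": "/api/v1/profile", "status": 200},
]

# Risk weight per observed behaviour (illustrative values, not ThreatX's).
WEIGHTS = {"probe": 1, "auth_failure": 2, "auth_error": 4}

def classify(req):
    """Map one request to a behaviour label, or None if it looks benign."""
    if req["status"] in (404, 405):
        return "probe"
    if req["path"].endswith("/login") and req["status"] == 401:
        return "auth_failure"
    if req["path"].endswith("/login") and req["status"] >= 500:
        return "auth_error"
    return None

def cumulative_risk(requests, key):
    """Sum risk per actor, where actor identity is the record field named by key."""
    risk = defaultdict(int)
    for req in requests:
        label = classify(req)
        if label:
            risk[req[key]] += WEIGHTS[label]
    return dict(risk)

def flag_actors(requests, key, threshold=8):
    """Actors whose accumulated risk reaches the threshold under the chosen identity."""
    return sorted(k for k, v in cumulative_risk(requests, key).items() if v >= threshold)

if __name__ == "__main__":
    print("by ip:", flag_actors(REQUESTS, "ip"))  # each IP alone stays below threshold
    print("by fp:", flag_actors(REQUESTS, "fp"))  # the shared fingerprint is flagged
```

Keyed by IP, no single address accumulates enough risk to cross the threshold, which is exactly the gap the rotating botnet exploits; keyed by the fingerprint that survives IP and user-agent rotation, the three phases sum into one flagged actor.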
Get more details on multi-vector API attacks in our new whitepaper, Why an Attacker-Centric Approach Is Key to API Protection.