Well-Constructed And Well-Defended: Countering Modern Attack Patterns

Forbes Technology Council

Gene Fay is CEO of ThreatX, a leading API protection platform.

The past few years have witnessed an explosion in cyberattacks, driven by a perfect storm that has been steadily brewing within the threat landscape. And it’s only going to get worse. I believe three “enablers” have caused the increase in cyberattacks, each of which has made it easier for threat actors to commit their crimes. These include the following:

1. Through the use of cryptocurrencies such as bitcoin, non-traceable transactions have helped grow cybercriminals’ enterprises. In particular, these transactions have powered the business model of ransomware as a service. A great example of this business model is the 2021 T-Mobile data breach, in which attackers used stolen customer data to extract $200,000 in bitcoin from T-Mobile. Despite receiving this payment in exchange for deleting the data, the attackers ended up selling the data on the dark web anyway.

2. Attack surfaces have grown exponentially over the years. Web apps and internet-facing applications power the internet, and their use only increased as many organizations expanded their digital presence during the pandemic. Another driver behind these attack surfaces is the rise of second- and third-party APIs that many enterprises rely upon. As these attack surfaces grow, so does the difficulty of defending them against the threats they face.

3. As DevOps transitions increase, so do threat actors’ capabilities. As enterprises continually “move at the speed of DevOps” and build faster than ever before, so do the bad guys. As teams automate much of their work, so do threat actors. It is important to note that, in many ways, cybercriminals have the same capabilities as DevOps teams. As security teams build defensive solutions, threat actors are working on ways to counteract them.

These enablers are part of a larger trend in cybersecurity: a continuous cat-and-mouse game between attackers and defenders. It is imperative that we do not underestimate the capabilities of threat actors. They are smart and willing to go to great lengths to achieve their goals. It is also important to note, however, that threat actors will often take the path of least resistance. This means that the harder you make it for an attacker, the more likely they are to go elsewhere.

Attackers have proven that enterprises need to look past traditional protection solutions. In particular, security teams need to be vigilant and look to protect against known vulnerabilities while also discovering unknown vulnerabilities. Many of these unknown vulnerabilities have manifested themselves in zero-day exploits, like 2021’s Log4j and the more recent Spring4Shell.

Low And Slow Is The Name Of The Game

Regardless of the outcome, you can never accuse threat actors of not doing their homework. Attackers spend time mining for weak points and actively work to understand where tripwires are and what level of reconnaissance and probing they can do without hitting that tripwire. These low-and-slow attacks demonstrate the sophistication many threat actors have, as well as their strategic mindset. They are willing to play the long game for a big payoff.

In order to gain access, threat actors can take legitimate login credentials they bought off the dark web and try any number of username and password combinations, spread out so that, on the surface, it looks like Grandma is trying to log in and has forgotten her password. This won’t draw anyone’s attention.

Threat actors also cycle through IP addresses and user agents (e.g., Chrome or Safari) to hide in legitimate traffic. This helps them stay below any threshold that a traditional bot mitigation solution might pick up.

Living Off The Land

All it takes is one small toehold, and attackers can breach a defense. Once inside, these threat actors “live off the land” within a system and methodically probe to see what other information they can get, potentially using that knowledge to gain access to other sites. Part of their intelligence-gathering process includes mapping the network and examining traffic. This can take time, anywhere from days and weeks to months and years.

Once threat actors have a good understanding of the attack surface, including a map of the site, they may finally strike. These attacks could include any number of attack patterns, like brute force or DDoS, in order to exfiltrate data to sell on the dark web or hold it hostage for a ransomware attempt.

Protecting APIs Against Modern Threats

While there is a multitude of threats that need to be mitigated, the good news is that there are steps security teams can take to build a land bridge off the island. To best protect expanding attack surfaces, I recommend that enterprises adopt a defense-in-depth strategy that is both well constructed and well defended.

Well-constructed defense starts at the foundational level. That means every shop building software should have a scrutinized application security process, including testing in depth and vulnerability scanning. Additionally, there should be regularly scheduled penetration testing on an annual or semiannual basis to find vulnerabilities.

Well-defended security means that teams are not only identifying vulnerabilities but also being proactive to both identify and mitigate attacks. The ability to uncover and track suspicious behavior over time is the key to a good defense when it comes to your APIs. This will empower security teams to gain a comprehensive view of their attack surface to learn how to best protect it.
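The two passages above (the low-and-slow section, where attackers rotate IP addresses and user agents to stay under per-IP thresholds, and the point here that tracking suspicious behavior over time is the key to API defense) can be made concrete with a small detector. The code below is an added example; it is not from the article and not a ThreatX product. The log format, the thresholds and every log line are constructed for illustration. It contrasts a classic per-IP, short-window failure threshold with a per-account detector that aggregates failed logins across all source IPs and user agents over a long window, which is where the low-and-slow pattern becomes visible.

```python
"""Low-and-slow credential-stuffing detection over a constructed auth log.

Added example (not from the article). Compares a per-IP short-window rule,
which each rotating IP stays under, with a per-account long-window rule that
sees the same account failing from many sources and user agents.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    ip: str
    ua: str
    user: str
    failed: bool


# Constructed sample log: "<ISO time> <src_ip> <user_agent_family> <username> <FAIL|OK>"
# "alice" is targeted once every ~35 minutes from a fresh IP and a rotating UA;
# "bob" is the Grandma case: three quick failures from one IP, then success.
SAMPLE_LOG = """\
2022-05-01T08:00:05 203.0.113.10 Chrome alice FAIL
2022-05-01T08:33:12 203.0.113.21 Safari alice FAIL
2022-05-01T09:02:48 198.51.100.7 Chrome alice FAIL
2022-05-01T09:40:01 198.51.100.19 Firefox alice FAIL
2022-05-01T10:11:37 203.0.113.44 Safari alice FAIL
2022-05-01T10:45:59 192.0.2.33 Chrome alice FAIL
2022-05-01T11:20:14 192.0.2.81 Firefox alice FAIL
2022-05-01T11:58:30 198.51.100.102 Chrome alice FAIL
2022-05-01T12:30:06 203.0.113.77 Safari alice FAIL
2022-05-01T13:05:42 192.0.2.150 Chrome alice FAIL
2022-05-01T13:40:09 192.0.2.9 Firefox alice FAIL
2022-05-01T09:15:00 192.0.2.200 Safari bob FAIL
2022-05-01T09:15:40 192.0.2.200 Safari bob FAIL
2022-05-01T09:16:30 192.0.2.200 Safari bob FAIL
2022-05-01T09:17:10 192.0.2.200 Safari bob OK
2022-05-01T14:00:00 198.51.100.55 Chrome carol FAIL
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed whitespace-separated log into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, ua, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, ua, user, result == "FAIL"))
    return events


def per_ip_threshold(events: List[Event], max_failures: int = 5,
                     window: timedelta = timedelta(minutes=10)) -> Set[str]:
    """Traditional bot-mitigation rule: flag an IP with >= max_failures in a short window.

    Each attacker IP in the sample fails only once, so this rule never fires.
    """
    flagged: Set[str] = set()
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.failed:
            by_ip[e.ip].append(e.ts)
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over this IP's failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= max_failures:
                flagged.add(ip)
                break
    return flagged


def per_account_behavior(events: List[Event], max_failures: int = 8, min_sources: int = 5,
                         window: timedelta = timedelta(hours=24)) -> Dict[str, Dict[str, int]]:
    """Track failures per *target account* across all IPs/UAs over a long window.

    Fires when an account has >= max_failures failures from >= min_sources distinct
    IPs inside the window: many sources against one account is the low-and-slow
    signature. The stats recorded are those at the moment the rule first fires,
    as a real-time alert would report them.
    """
    flagged: Dict[str, Dict[str, int]] = {}
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.failed:
            by_user[e.user].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            ips = {e.ip for e in win}
            if len(win) >= max_failures and len(ips) >= min_sources:
                flagged[user] = {"failures": len(win), "distinct_ips": len(ips),
                                 "distinct_uas": len({e.ua for e in win})}
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP rule flagged:", per_ip_threshold(evs) or "nothing")
    print("per-account rule flagged:", per_account_behavior(evs))
```

Running it shows the per-IP rule flagging nothing while the per-account rule flags `alice` (8 failures from 8 distinct IPs and 3 user-agent families at the point it fires) and leaves `bob`, the legitimate forgetful user on a single IP, alone. The thresholds are placeholders; in practice they are tuned per application, and the same aggregation can be keyed on other stable attributes (password hash being tried, device fingerprint, API key) rather than only the username.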

Additionally, there are many managed service providers that can help enterprises with defending their attack surfaces. Due to the talent shortage, there aren’t enough security professionals to go around. Because of this, many security professionals choose to work for security-focused providers as it gives them the career advancement and experience they need for growth. This is to the advantage of enterprises that choose to partner with managed service providers.

A defense is only as strong as its weakest link, which, in 2022, is signature-based detection. It is time to kick these traditional solutions to the curb. Modern threats require more contemporary solutions and expertise to defend against multifaceted and mixed-mode attacks.



