API Security

Why Is the Trend of API Attacks Still Increasing?

Tom McNamara

July 8, 2023

Rising API attacks suggest API Security Solutions are not effective against modern attackers.

For several years API attack statistics continue to rise at an alarming rate. At the same time there have been many API Management and API Security vendors that have introduced new solutions that promise to solve the problem. That begs the question: with so many API security solutions, why are API attack statistics still so high?

Gartner describes API Security as covering two main categories: API Threat Protection and API Access Control. The API Security market is crowded with solutions, but judging from the attack statistics, few seem to be effective. Some of them focus on content validation (coding practices and business logic to create better APIs and reduce vulnerabilities (always a good thing). Others focus on threat detection and traffic throttling, such as application firewalls, API gateways and API management. They inspect sources of traffic, prevent bot and denial of service attacks, and filter known threat sources. Some also examine the messages en route to API endpoints to detect anomalous behavior or malicious code. The inspection and scanning tools often involve machine learning (ML) or artificial intelligence (AI) and have a false-positive and false-alarm rate (they aren’t 100% successful and may filter legitimate traffic). 

A Topology View of Threats to APIs

The figure below shows a notional enterprise cloud network topology (black and gray) overlaid with common threat vectors (red boxes).

Topology of cloud network and API threats

While the popular API Security solutions may offer some protective capability to certain attack vectors (e.g., content validation negates the use of hard-coded API keys, improper API structure, and untested APIs), they are not making a dent in the volume of API attacks and they are not preventing attacks because the security is not applied where it is most needed

Three Strategic Cybersecurity Principles

There are three strategic principles that every CISO and Security Architect should consider when working with APIs:

  1. Place API protection at the API endpoint, 
  2. Add Automated Moving Target Defense (AMTD), and
  3. Verify workload trust before sharing data.

These three principles will prevent attacks and losses. Here’s why.  Any threat attacking an API must eventually reach the API endpoint. They have to gain access to the API for a successful attack. So it makes sense to put the strategic line of defense at this location. And apps and data also meet at the API. Protection at that point in an architecture is effective for apps and data. 

Next comes the question of how to defend API endpoints. What kind of defense should be used? Traditionally, the answer has been authentication. But we know from attack statistics that even authenticated APIs are leaking sensitive data to threat actors. The biggest reason for this is the vulnerability caused by static API credentials. Static credentials (and those that rotate infrequently)can be discovered or “sniffed” in transit and misused. 

High Frequency Credential Rotation

The obvious solution here is to rotate credentials at a high frequency - so frequent that any discovery is too late for their misuse by a threat actor. This is the essence of Hopr’s AMTD. Hopr’s AMTD performs API threat protection and API access control in a single solution. It is a  remarkably simple and effective defense because it doesn’t rely on specific knowledge about the threat actor or their methods. It moves the target (credentials) so quickly that any threat is unable to plan for the defense they will confront at the defensive perimeter of the API. AMTD deprives threat actors of the knowledge they need to launch their attack on an API endpoint.

To prevent attacks on the API endpoints at workloads that operate in the cloud, two credentials must be rotated (the identity and secret credentials) at the API. In traditional API security solutions, these credentials are products of PKI and TLS. PKI forms the basis of workload identity, and TLS (or mTLS) forms an encryption key to protect the message between APIs and their clients. Another form of identity is the API key that a client must present to an API so that it can associate the client with data access permissions. However, it is the PKI identity certificate that is the concern for API attacks. Developers will often use a “self-signed” certificate without an expiration date, but they shouldn’t be used for production, and this is overlooked too often. But PKI certificates have another problem. The chain of trust is passed from certificate authority (CA) to CA and automation of certificate production or replacement is focused on speed and not trust. To meet zero trust principles, workloads need an identity credential whose chain of trust is with the workload, and the trust can be verified.

Frequent Workload Trust Verification

Hopr’s AMTD creates a machine alias ID (MAID) credential and rotates it frequently. The MAID is formed when a trusted DevOps engineer first registers a workload with Hopr. From that moment on, Hopr monitors the sessions of the workload and the MAID rotations and verifies trust in the MAID each time a workload begins a new communication session. Hopr’s AMTD preserves a chain of trust in the workload identity.

In addition to a novel rotating identity credential, Hopr’s AMTD has a novel use for the rotating secret credential. Instead of passing it to other workloads for classic authentication, the rotating secret is used as an encryption key and it encrypts and decrypts messages to/from other trusted workloads. The engine of the AMTD is Hopr’s Codes Hidden In Plain Sight (CHIPS) technology and protocol. It enables workloads to build identical keys and construct on-demand end-to-end-encrypted (E2EE) communication channels without a key exchange. The successful decryption of a message verifies the identity of the sender since only that sender could have produced the identical key.

The high frequency rotation of both Hopr AMTD credentials plus the E2EE communication channel protects APIs and data at the endpoints and over the entire route between them. The figure below depicts the same topology presented earlier, but with the addition of Hopr’s AMTD as an API security solution (the blue line and ‘h’ logos). Many more API threat vectors are negated (light red boxes) with the AMTD solution applied at the workloads and API endpoints.

Topology of cloud network after Hopr AMTD is used

The advantages of using AMTD for API security include:

  1. Blocking all untrusted and malicious traffic before it reaches the API endpoint. Only decrypted messages are seen by the API,
  2. Both client and server workloads are protected (not just the API),
  3. Trust in the client and server is verified at every communication session,
  4. Data remains confidential and tamper-proof over the entire route between the client and the API endpoint,
  5. A wide range of Man-in-the-Middle (MITM) attacks are negated.

It’s our hope that with this new form of AMTD the rising trend of API attacks can be reversed, less data will be leaked or stolen by threat actors, and workload trust verification in any cloud will become a standard and expected practice in cloud business services.

Keep Reading

A Looming Crisis

As the Internet and cloud explode with new IoT devices, automation, and wireless connectivity, we face a looming financial crises from accelerating cybercrime. APIs, by definition, are machine-to-machine transactions, and those that are public-facing are particularly at risk of attack. A new cyber defense for these API endpoints has arrived.

Author Avatar
Tom McNamara

November 6, 2023

Small, Fast-moving Targets

Containerized workloads are the basic building blocks of modern day applications and services. And Application Programming Interfaces (APIs) are the code that stitches the workloads together to build a scalable application or business process. They are attractive targets for sophisticated adversaries that have time and skill to bypass traditional perimeter defenses and gain access to enterprise resources such as workloads, then they can easily move laterally and attack APIs. A moving-target defense (MTD) is a great strategy for protecting sensitive workloads and data. This article describes three components of an MTD for containerized workloads and data.

Author Avatar
Tom McNamara

July 8, 2023

A Moving Target Defense for the Cloud

Moving business services to the cloud offers enterprises significant benefits, but it include some big risks and challenges for security and data privacy, too. The marketplace offers many solutions for protecting business systems and data, but many of them were built before the cloud when the systems and data were on-premises. Data on cyber attacks to the software supply chain and APIs indicates that traditional solutions aren't performing too well in the Cloud. A "lift-and-shift" approach to digital transformation won't work and may be very costly. Operating in the cloud requires new thinking about security and a moving target defense is a great "cloud-native" security strategy to consider.

Author Avatar
Tom McNamara

July 8, 2023

Four Dilemmas of Keeping Secrets

Secrets are essential to security in cloud operations. Digital Transformation, new cloud and software architectures, and new technologies such as docker and kubernetes are producing an explosion of secrets and APIs. The secrets and APIs are a popular vulnerability path for data theft. The conventional options to manage secrets for humans and monolithic apps in a data center cannot meet the scale, reach, speed, and protection needed in the cloud. In fact, they create four dilemmas for enterprise security and risk professionals: Secrets Chaining, Secrets Leakage, Machine Secrets, and Secrets Injection. In addition to describing the how and why behind each of these secrets dilemmas, the article also presents three principles to solve all four dilemmas with a single innovative approach.

Author Avatar
Tom McNamara

July 8, 2023

Vanishing Secrets

Not all secrets need persistence and storage. There are times when encryption secrets can be ephemeral. It's been estimated that 80% of Internet traffic is due to APIs, and nearly every API requires a secret to prove identity and establish trust of the machine making a request. These secrets should be vaulted if they're static. But this requires yet another API and more secrets. We think ephemeral secrets are a better choice for APIs and we invented a novel approach to create secrets that vanish and don't need to be stored.

Author Avatar
Tom McNamara

July 8, 2023

Subscribe to our newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Use CasesHow It WorksUnique FeaturesHopr ConnectHopr Connect GatewayPricingContact usSecurityWeb Retriever OSSAboutPrivacy policiesTerms of service
Hopr enables on-demand, verified-trust, ultra-secure application networking across clouds, organizations, and ecosystems.

Our patented technology and  protocols form Cloud Native Automated Moving Target Defense (AMTD) around workloads, API endpoints, and data in transit.

Hopr's AMTD disrupts threat actors and proactively prevents cyber attacks to increase cyber resilience.
copyright 2021-2023 | Hopr Corporation
CHIPS™, MAID™, and SEE™ are trademarks of Hopr Corporation
CHIPS™ technology the MAID and SEE™ protocols
are protected by US Patents and patents pending.