Deep Dive: Protecting API-Based Applications From Automated Bot Attacks

Subbu Iyer · 2019-10-28

Page 2

Agenda

• Deconstructing API Security Attacks

• How to Detect and Block Automated API Attacks

• Cequence Security – Product Demo

• Q&A

Page 3

APIs Rule The World

Drivers: Public Facing Apps, Microservices, Ecosystem Expansion, New Development Methods

[Diagram: mobile, web, direct-to-API and IoT clients reaching data center APIs for actions such as Shop, Login, Purchase, Check Miles, Register, Redeem Points, Find a Partner, Pay Bills, Join a Group, Share & Comment]

Page 4

Mobile Applications More Heavily Targeted in Financial Services

• More than 70% of the attack traffic across Bulletproof Proxy networks targeted mobile endpoints

• 27% of applications hard-code API keys and private certificates in the app or store them in files on the file system*

• 83% of web traffic is API-based; 17% is HTML

– Smartphones & other devices represent 66% of all API traffic vs. all mobile browsers at 27%**

* Source: Aite Group report, The Devil in the Details: The Vulnerabilities in 30 Financial Services Mobile Apps

** Akamai 2019 State of the Internet Report

Page 5

Automated Attack Components

• Tools: Code bad actors use to execute the attack

• Credentials: User information regularly refreshed via data breaches

• Infrastructure: Enable anonymous, large scale attack distribution

• Behavior: How bad actors react when discovered, blocked


Page 6

Public Facing Applications are Attack Targets

Bad Actors Leverage API Benefits of Automation, Flexibility & Ease of Use

[Diagram: the automated attack components (attack toolkit, stolen credentials, attack infrastructure, behavior) aimed at mobile, web, direct-to-API and IoT entry points into data center APIs for Shop, Login, Purchase, Check Miles, Register, Redeem Points, Find a Partner, Pay Bills, Join a Group, Share & Comment]

Page 7

Ramifications: Fraud and/or Theft

Attacks are Highly Automated, Appear Legitimate

Business Logic API Abuse:

• Account Takeover

• Fake Account Creation

• Site Scraping

• Automated Shopping Bots

• Gift Card Theft

• Reputation Manipulation

• Denial of Inventory

Page 8

Fortune 100 Financial Services Company: Mobile API & Funds Theft Attack

1. Account takeover attack launched directly against the mobile app login API, mobile.acmefsi.com/login/api

2. Successful account compromise: the attacker now appears as a valid user

3. Funds transfer request immediately initiated via OFX (funds transfer API), resulting in theft

Page 9

Prying-Eye Vulnerability in Video Conferencing Solutions

• Webex and Zoom use numeric IDs to simplify access

– Users opt to disable, or not use security

• Automation can quickly cycle through namespace to find valid IDs

– Web form fill can be automated - APIs simplify the attack

– Mobile applications can be reverse engineered

[Diagram: direct-to-API enumeration attack. Automated ID enumeration from mobile and web clients requests www.acmevideo.com/join/1234567890, www.acmevideo.com/join/2345678901, www.acmevideo.com/join/3456789012, www.acmevideo.com/join/4567890123, www.acmevideo.com/join/5678901234 ... against the join API; 4567890123 is a valid meeting ID, so the bot joins video conference 4567890123]

Page 10

Typical Perimeter Defense for Application Security

[Diagram: bot attacks (fake accounts, credential stuffing, fake likes, denial of inventory, scraping) reach mobile, API-based and web applications behind a WAF, CDN and load balancer that are designed for infrastructure DDoS, breaches, vulnerability scans and network floods]

Limitations noted on the slide:

• Require JavaScript/SDK Insertion

• Focus On Account Take Over (ATO) Only

• Not Designed for Direct-to-API Traffic

Page 11

So how do you stop these attacks?

Page 12

Three Steps For Automated Application Attack Protection

Discover

• Public Facing Applications

• Positive Security Model

Detect

• Rogue Traffic

• Targeted Attacks

• Automation Behavior

Defend

• Block, Deceive, Rate-limit

• Enforce Positive Security Model

Page 13

Four Pillars of Automated Attack Detection

INFRASTRUCTURE

• IP addresses, Orgs/ISPs

• Bulletproof/data center Proxies

BEHAVIOR

• Traffic volume anomalies

• Evasive tactics and morphing

CREDENTIALS

• Data breaches

• Username & anomaly detection

TOOLS

• Browser impersonation

• Body/cookie/payload heuristics
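The four pillars above and the enumeration case on page 9, as an added example that is not from the slides or from Cequence: per-source heuristics over a constructed API access log (volume, failure ratio, distinct usernames, distinct resource IDs, browser impersonation), with the deck's inline responses (block, deceptive honeytrap, insert header) mapped onto the findings. Record fields, thresholds, and the sample traffic are assumptions.

```python
from collections import defaultdict

def constructed_log():  # records: (source_ip, path, user_agent, sent_cookie, username, status)
    log = []
    for _ in range(3):  # real user: session cookie, one username, successes
        log.append(("198.51.100.4", "/login/api", "Mozilla/5.0 Chrome/77", True, "alice", 200))
    for i in range(12):  # credential stuffing: rotating usernames, all rejected
        log.append(("203.0.113.7", "/login/api", "Mozilla/5.0 Chrome/77", False, f"u{i}", 401))
    for i in range(10):  # meeting-ID enumeration: one valid ID among many guesses
        hit = 200 if i == 3 else 404
        log.append(("203.0.113.9", f"/join/{1234567890 + i}", "python-requests/2.22", False, "", hit))
    return log

def analyze(records, min_requests=10, max_fail_ratio=0.8, max_distinct=5):
    """Per-source heuristics mapped to the four pillars; thresholds are assumptions."""
    per_src = defaultdict(lambda: {"n": 0, "fail": 0, "users": set(), "paths": set(), "fake": 0})
    for src, path, ua, cookie, user, status in records:
        s = per_src[src]
        s["n"] += 1
        s["fail"] += int(status >= 400)
        s["paths"].add(path)
        if user:
            s["users"].add(user)
        if ua.startswith("Mozilla/") and not cookie:  # TOOLS: claims a browser, carries no cookie
            s["fake"] += 1
    findings = {}
    for src, s in per_src.items():
        if s["n"] < min_requests:  # INFRASTRUCTURE: judge only sources with real volume
            continue
        reasons = []
        if s["fail"] / s["n"] >= max_fail_ratio:  # BEHAVIOR: traffic volume anomaly
            reasons.append("high failure ratio")
        if len(s["users"]) > max_distinct:  # CREDENTIALS: username anomaly
            reasons.append("many distinct usernames")
        if len(s["paths"]) > max_distinct:  # BEHAVIOR: cycling through an ID namespace
            reasons.append("resource enumeration")
        if s["fake"] == s["n"]:
            reasons.append("browser impersonation")
        if reasons:
            findings[src] = reasons
    return findings

def action_for(reasons):
    """Inline response using the options the deck lists: BLOCK, HONEYTRAP, INSERT HEADER."""
    if "many distinct usernames" in reasons or "browser impersonation" in reasons:
        return "BLOCK"
    if "resource enumeration" in reasons:
        return "DECEPTIVE HONEYTRAP"  # answer the enumerator with decoy results
    return "INSERT HEADER"  # tag the request for downstream action
```

Running `analyze(constructed_log())` flags the two bot sources and leaves the real user alone because it never reaches the volume gate; in production the same counters would be kept per IP, ASN, or device fingerprint over a sliding window rather than over a whole log.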

Page 14

Inline Defense Against Automated Attacks

• Prevent Automated Attacks from hitting your Applications

– BLOCK

– DECEPTIVE HONEYTRAP

– INSERT HEADER (for downstream action)

• Detect and Remediate Users affected by Account Take Over (ATO)

• Integrate with Custom Data Lakes

Page 15

Cequence Application Security Platform Deployment Options

• Container-based microservices architecture

• Integrates with existing networking and app server infrastructure

• Deploy anywhere: Data center, Cloud, Hybrid

[Diagram: CQ Insight, CQAI, CQ Connect and CQ botDefense components, deployable in public cloud, data center and cloud native environments, in front of mobile, API-based and web applications; "0 friction to the app dev process"]

Page 16

About Cequence Security

• Venture-backed early stage company bringing much-needed innovation to application security

• Award-winning AI-powered security platform that automatically protects web, mobile and API-based applications from bot attacks and vulnerability exploits

• Deployed across multiple F500, social media, retail, and financial services organizations

• Visit us at www.cequence.ai

Page 17

Demo Time!

Page 18

Q & A