
Application and API Attack Protection – Common Topics We’re Asked About

July 30, 2024 | 7 MIN READ

by Jeff Harrell


This article is the third in a series of five covering key API security topics and offers answers to questions we are often asked when talking to potential customers. The series will cover the following topics:

API security needs are specific to individual organizations and their particular market or industry, and the Cequence Unified API Protection platform was developed with that in mind – it’s highly flexible, customizable, and built to grow with your business.

This article focuses on application and API attack protection, which is a foundational component of the Cequence Unified API Protection platform. Cequence’s inline or passive deployment options offer the ability to detect attacks and either mitigate natively (in the case of inline deployment) or pass the attacker identifiers off to a third party, such as a WAF, for mitigation (in the case of passive deployment). Mitigation options include logging, rate limiting, deception, and blocking. The following are some common requirements that we’ve heard voiced by potential customers:

Detect And Block Newly-Identified CVEs

Cequence detects and mitigates newly identified CVEs natively and in real time. Mitigation options are user-configurable and include logging, rate limiting, deception, and blocking. Vendors that rely on a data lake for attack identification and analysis are necessarily delayed, because detection happens only once their out-of-band analysis completes, and they then depend on a third-party product (such as a WAF) to perform the blocking. Inherent WAF limitations, such as the inability to block high-volume attacks and dependence on IP addresses that attackers rotate cheaply through proxies and residential botnets, make a WAF alone a suboptimal choice for API security.

Detection Of Low & Slow (Long-Lived, Hidden) Attacks

Cequence was designed from inception to identify and block “low and slow” attacks in real time: attacks that spread a small number of requests over hours or days, staying below the rate thresholds that catch conventional high-volume attacks. Cequence’s behavioral fingerprinting analyzes unique combinations of characteristics such as tooling, infrastructure, and credentials to identify and track an attack regardless of its speed, so an attacker who rotates IP addresses and usernames between requests is still correlated as a single actor. Cequence’s inline detection and native blocking capabilities enable instant, real-time response, unlike vendors that rely on a data lake and delayed analysis.

Automatically Track the Threat Level Of Each User

Cequence automatically identifies threat actors by multiple attributes – usernames, sessions, fingerprints, IP addresses, and custom fields. These fields can be keyed on and pivoted as needed to track and report on threat actors and to determine their threat or risk level. Cequence also has a capability called Attack Feature Detection (AFD) that identifies attacks in real time and develops a mitigation policy automatically, with no human intervention. All that is left is for the Cequence customer to review the policy and enact it in order to block the attack immediately. Other vendors typically track a single attribute such as username or IP address, and lack the ability to identify attacks in real time (due to reliance on data lakes) or to craft mitigation policies automatically.
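To make the two preceding points concrete (low-and-slow detection, and keying on more than one attribute), here is an added example that is not Cequence code and does not reflect how the platform is implemented. It runs a plain per-IP rate rule and a fingerprint-keyed long-window rule over constructed login events: 48 failed logins spread over 24 hours, each from a fresh IP and against a different username, but all sharing the same user agent and TLS client fingerprint. The event schema, the fingerprint strings, and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    """One authentication attempt as seen at the network edge (constructed schema)."""
    ts: datetime
    src_ip: str
    user_agent: str
    tls_fp: str        # TLS client fingerprint; values below are made up, not real JA3 hashes
    username: str
    status: int        # HTTP status: 200 success, 401 failed credential


def fingerprint(e: LoginEvent):
    """Tooling fingerprint: the attacker keeps this constant while rotating IPs and usernames."""
    return (e.user_agent, e.tls_fp)


def sliding_window_alerts(events, key_fn, window, min_failures, min_distinct_users=1):
    """Group failed logins by key_fn and slide a `window` over each group.

    Returns {key: (failures, distinct_usernames)} for the densest window of
    any key that meets both thresholds."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.status == 401:
            by_key[key_fn(e)].append(e)
    alerts = {}
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.username for e in span}
            if len(span) >= min_failures and len(users) >= min_distinct_users:
                if key not in alerts or len(span) > alerts[key][0]:
                    alerts[key] = (len(span), len(users))
    return alerts


BASE = datetime(2024, 7, 30, 0, 0, 0)
ATTACK_FP = ("Mozilla/5.0 (X11; Linux x86_64) rv:109.0", "tlsfp-attacker-0001")


def build_sample_events():
    """Constructed 24h of traffic: one low-and-slow credential-stuffing run plus normal users."""
    events = []
    # Attack: one failed login every 30 minutes, each from a fresh proxy IP
    # (TEST-NET-3 range) against a different username, same tooling fingerprint.
    for i in range(48):
        events.append(LoginEvent(BASE + timedelta(minutes=30 * i), f"203.0.113.{i + 1}",
                                 ATTACK_FP[0], ATTACK_FP[1], f"user{i:03d}@example.com", 401))
    # Legitimate users: a couple of typos from a single IP, then success.
    chrome = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0", "tlsfp-chrome-win")
    for k, status in enumerate((401, 401, 200)):
        events.append(LoginEvent(BASE + timedelta(hours=9, minutes=k), "198.51.100.10",
                                 chrome[0], chrome[1], "alice@example.com", status))
    safari = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_5) Safari/604.1", "tlsfp-safari-ios")
    for k, status in enumerate((401, 200)):
        events.append(LoginEvent(BASE + timedelta(hours=15, minutes=k), "198.51.100.23",
                                 safari[0], safari[1], "bob@example.com", status))
    return events


def run_comparison(events):
    """Per-IP rate rule (what a WAF typically keys on) vs. fingerprint-keyed long window."""
    ip_alerts = sliding_window_alerts(events, lambda e: e.src_ip,
                                      window=timedelta(minutes=10), min_failures=5)
    fp_alerts = sliding_window_alerts(events, fingerprint,
                                      window=timedelta(hours=24),
                                      min_failures=20, min_distinct_users=10)
    return ip_alerts, fp_alerts


if __name__ == "__main__":
    ip_alerts, fp_alerts = run_comparison(build_sample_events())
    print("per-IP alerts:", ip_alerts)           # {} : the campaign is invisible per IP
    print("per-fingerprint alerts:", fp_alerts)  # {ATTACK_FP: (48, 48)}
```

The per-IP rule never fires because no single address ever exceeds one failure, while the fingerprint-keyed rule sees 48 failures against 48 distinct usernames from one tool. The second rule also needs a window measured in hours, not minutes, which is why it cannot be bolted onto a short-memory rate limiter.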

Pre-Attack Threat Actor Identification

Cequence can identify threat actors before an attack occurs through the same attributes – usernames, sessions, fingerprints, IP addresses, and custom fields. Known attackers are identified and tracked, and their attempted attacks are prevented. Additionally, Cequence can determine that a session originated from a malicious IP. Other vendors can only identify based on a single criterion such as username, severely limiting the attackers that can be identified before, during, or after an attack. Some vendors are unable to determine that attacks originate from malicious IPs.

Identify Active Data Exfiltration Per API, Services, Users

Cequence can identify active data exfiltration per API, per service, and per user by keying on attributes such as usernames, sessions, fingerprints, IP addresses, and even custom fields. Custom fields designated by the customer, such as credit card numbers, IMEIs, or SSNs, can be used to identify sensitive data transacted by APIs and to spot a user pulling far more of it than their normal usage would explain. Other vendors that rely on a data lake for attack identification and analysis are necessarily delayed in these objectives, and once their out-of-band analysis is complete they require a third-party solution (such as a WAF) to perform the blocking. WAFs’ inherent limitations, such as their inability to block high-volume attacks and their dependence on easily changed IP addresses, make them a suboptimal choice for API security.
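As an added illustration of the paragraph above (not Cequence code, and not how the platform implements it), the following scans constructed API response bodies for two of the sensitive-data types mentioned, payment card numbers (PANs) and US SSNs, and counts distinct values per (API, user). IMEIs are 15 digits and use the same Luhn check as PANs, so the same function applies, but they are left out here because a 15-digit Luhn-valid number is indistinguishable from an Amex PAN without operator-supplied context. The record schema, the threshold, and the sample PANs (generated with a computed check digit) are assumptions for the example.

```python
import re
from collections import defaultdict

# Candidate patterns; every PAN candidate must also pass the Luhn check.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 check-digit test used by payment cards (and 15-digit IMEIs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Digit to append so that partial + digit is Luhn-valid (used only to build sample data)."""
    return next(d for d in "0123456789" if luhn_ok(partial + d))


def find_sensitive(body: str):
    """Yield (kind, normalized_value) for PANs and SSNs found in a response body."""
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            yield ("pan", digits)
    for m in SSN_RE.finditer(body):
        yield ("ssn", m.group())


def exfiltration_report(records, max_distinct_per_user=3):
    """Count distinct sensitive values each user has pulled from each API.

    records: iterable of {"api": str, "user": str, "body": str}
    Returns {(api, user): count} for pairs above the threshold."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["api"], r["user"])].update(find_sensitive(r["body"]))
    return {k: len(v) for k, v in seen.items() if len(v) > max_distinct_per_user}


def build_sample_records():
    """Constructed API responses: one self-service lookup, one order, one scraping run."""
    records = [
        {"api": "GET /v1/account/me", "user": "alice",
         "body": '{"name":"Alice","card":"4111 1111 1111 1111","ssn":"219-09-9999"}'},
        # 16-digit order id that is not Luhn-valid: must not be reported as a PAN.
        {"api": "GET /v1/orders/{id}", "user": "bob",
         "body": '{"order_id":"1234567890123456","total":"42.00"}'},
    ]
    for i in range(12):   # one client enumerating other customers' accounts
        pan = "4111111111" + f"{i:05d}"
        pan += luhn_check_digit(pan)
        records.append({"api": "GET /v1/accounts/{id}", "user": "svc-scraper",
                        "body": f'{{"id":{1000 + i},"card":"{pan}"}}'})
    return records


if __name__ == "__main__":
    for key, n in exfiltration_report(build_sample_records()).items():
        print(f"possible exfiltration: api={key[0]} user={key[1]} distinct_values={n}")
```

Only the scraping session is reported: alice sees two values from her own record and bob's order id fails the Luhn check. In practice the threshold would be a per-API baseline rather than a fixed number, and the same counters would be keyed on session or fingerprint as well as username so that a scraper spreading requests across accounts is still aggregated.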

Enforce Blocking By Direct Call To 3rd-Party Control Points

Cequence is the only API security vendor with native blocking capabilities that does not require a third-party product, such as a WAF, to enact blocking. Cequence offers several mitigation options including logging, rate limiting, deception, and blocking. Cequence also can take advantage of existing third-party products, such as WAFs or API gateways, for additional mitigation options if desired. Other vendors that do not perform native mitigation and blocking and instead rely on third-party products face inherent limitations such as the inability to block high-volume attacks and dependence on easily-changed and easily-spoofed IP addresses, making them a suboptimal choice for API security.

Session Integrity Validation

Cequence includes Session Stitching, which tracks a user’s session throughout their journey within the customer’s API and application infrastructure. Example sessions include a user interacting with their bank account or a user in a purchase sequence. Other vendors require each application to be instrumented in order to track user journeys. Since not all applications can be instrumented, such as those that do not support JavaScript or mobile SDKs, user journey tracking from these vendors will be incomplete.

ML-Based Multi-Dimensional and Temporal Fraud Detection

Cequence uses machine learning algorithms to identify, correlate, and track threat actors and their activity despite their use of evasive tactics and retooling. Hundreds of out-of-the-box rules and ML models, additional customer-specific rules, and the ability to incorporate customer models through its open system ensure comprehensive detection. Cequence’s network-based deployment enables it to see all API traffic, and its behavioral fingerprinting capability enables it to detect malicious behavior – even if it appears legitimate – by analyzing multiple criteria. Other vendors that only use a data lake for attack identification and analysis are necessarily delayed in these objectives.

Agent-Based (Language-Specific, In-Line)

It is well known that security teams and developers alike hate agents on their pristine, revenue-generating applications. Cequence has no need to deploy or integrate agents: it deploys at the network level, ensuring the broadest possible coverage of API and application traffic, unlike solutions that require each application to be instrumented. Instrumenting each application is a significant hurdle, both in the initial integration effort and in ongoing maintenance. Every time the agent or the application is updated there is more potential for conflict, so additional testing and QA must be done. Additionally, many applications cannot be instrumented at all because of language or proxy dependencies. Cequence can be deployed inline or passively and is language and proxy independent, making it easy to get started and prove its effectiveness.

Some of the other areas of attack protection where Cequence excels:

Detect and block OWASP (Web) Top 10 security events
Detect and block OWASP API Top 10 security events
Detect and block API business logic attacks
Correlate threat actor (user) activity despite evasive tactics
Identify and block abnormal API behavior (user behavior)
Identify and block abnormal API usage rates
Detect and block credential stuffing & brute forcing (ATO attempts)
Detect and mitigate bad bots
Detect and block application-layer denial of service (DoS) attacks
Fully customizable protection policies based on transaction details
Set and enforce sensitive data protection policies
Enforce blocking inline
Customizable fraud detection rules and criteria
Real-time fraud assessment

There are certainly other facets of application and API attack protection, but these are some of the topics we hear about most frequently. Check out the other articles in this series, or our eBook, “Ten Things Your API Security Solution Must Do.”

Author

Jeff Harrell

Director of product marketing

Jeff Harrell is the director of product marketing at Cequence and has over 20 years of experience in the cybersecurity field. He previously held roles at McAfee, PGP, Qualys, and nCircle, and co-founded the company that created the first commercial ad blocker.
