Designing for Doomsday

Zoe Latchford
March 21, 2019

Transcript

  1. Akamai Security Summit World Tour | <Location>

     Why Are We Here? Because APIs Are Everywhere.
     Web APIs are becoming the center of every digital experience:
     • Mobile apps run on web APIs
     • Web sites and applications rely on APIs for core functions (ex. login)
     • Modern, microservices-based architectures rely on APIs for communications
     • APIs power multiple user experiences
     • Web APIs can be required by regulators (ex. PSD2 / Open Banking in the UK)
     • Web APIs can be very attacker friendly…
  2. World’s Biggest Data Breaches & Hacks

     Why Are We Here? Because Data Theft Is Still Rampant.
     Source: https://informationisbeautiful.net
  3. Web APIs: High Expectations and Broad Challenges

     • Business: speed up innovation; improve service stability; drive mobile adoption; unlock new UXs; improve customer satisfaction
     • Attacker: back-door access; data theft / modification; denial of service; lower cost to attack
     • Legitimate user: quota enforcement; AuthN / AuthZ; unpredictable load
  4. Let’s Have a Look at the Internet and See What We Can Observe
  5. Growth of Web API Use: 2014 through 2018

     [Chart: Web Hits by Content Type, 2014 vs 2018 (Text/HTML, Text/XML, App/XML, App/JSON); callout: 83% API]
     API calls now dominate overall web hits.
     Source: Akamai ESSL Network, SOTI Q1 2019
  6. Things On The Internet Make the Majority Of API Calls

     About 1/3rd of Web API calls come from browsers. The other 2/3rds (66%) come from mobile phones, gaming consoles, smart TVs, etc. This is a huge challenge!
     Source: Akamai SOTI Q1 2019
  7. Web APIs Are A Primary Target For Attackers Today

     • Web sites & Web APIs share the same (old) attack vectors – but APIs are often unprotected
     • APIs are more performant and less expensive to attack compared with traditional web forms
     • 4X more credential stuffing attacks on APIs
     Attack vectors observed (chart): SQL injection 76%, Local file include 13%, Code injection 6%, Command injection 3%, Cross-site injection 2%
  8. Why Are DDoS Attacks on APIs So Hard to Detect?

     “It’s a little more challenging to identify these kinds of automated, high-bandwidth types of attacks against an API when the whole point is everybody goes faster and gets data faster.” Source: API Security Trends for 2018
     • Microservices: unknown impact on 100s of microservices behind an API
     • Rate Controls: API keys make it easier to identify and control legit users
     ✓ Positive Security Model: defining legitimate requests
  9. Example #1: API Risk Exposure in Business Ecosystems

     [Diagram: User Request → SaaS Partners → Origin → Response]
     API requests are within limits; all apps and SaaS partners perform
  10. API Risk Exposure in Business Ecosystems

      [Diagram: DDoS Attack → SaaS Partners → Origin]
      • DDoS attack on SaaS partner
      • Origin not protected if only relying on partners’ security measures
  11. Online Media Distribution Partner Ecosystem

      [Diagram: Media Company (Content Owner) holding Content and User DB; SaaS Partner; authentication flows between them]
      1) Content Owner leverages SaaS media distributors
      2) SaaS Partner provides content adaptation and distribution
      3) Content Owner keeps User DB for authentication and authorization
  12. Online Media Distribution Partner Ecosystem

      [Diagram: several SaaS Partners → Media Company (Content Owner): Content, User DB, AuthN / AuthZ]
      1) A botnet is used to request videos from content distributors
      2) AuthN and AuthZ requests and retries overwhelm the origin
      3) All end user access to content is blocked, regardless of distributor
  13. Bot Attack Data on SaaS Partner (several-day period)

      • Normal user traffic: ~100 req/sec
      • Peak user traffic: ~500 req/sec
      • Botnet attack! Additional ~1200 req/sec
  14. Lessons Learned

      [Diagram: SaaS Partners, each behind a WAF → Gateway → Media Company (Content Owner) with Content]
      Key Take-aways:
      o A central DB may support many partners; an attack on one may affect everyone
      o Risk exposure is growing in large business ecosystems
      Effective Security Tools:
      ✓ WAF
      ✓ Bot Management
      ✓ API Gateway
  15. Credential Stuffing On An API Looks A Lot Like DDoS

      • With clients that don’t render JavaScript, a lot of the typical credential stuffing defenses just don’t work.
      • Aggressive botnets will overwhelm origin with login requests
      28 billion credential stuffing attempts in 8 months (observed on Akamai Intelligent Edge Platform, 2018)
      Source: Akamai SOTI 1Q19
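Slides 8, 13 and 15 together make the point that on an API the usable signals are the per-key request rate and the shape of the login traffic, not JavaScript challenges. The following is an added example, not code from the talk: a small detector over constructed login-API log lines that applies a per-API-key rate cap (set near the ~500 req/s legitimate peak from slide 13) and a failure-ratio rule for stuffing that stays under the cap. The log format, key names, IPs and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Log format and thresholds are assumptions for this example, not the talk's. The
# partner in the talk saw ~500 req/s at legitimate peak and ~1200 req/s more from
# the botnet, so a per-key cap in that region separates them; the failure-ratio
# rule catches slower stuffing that stays under the cap.
LINE_RE = re.compile(r"^(?P<ts>\d+) key=(?P<key>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) status=(?P<status>\d{3})$")
RATE_LIMIT_PER_SEC = 500     # max requests per API key per second
FAIL_RATIO = 0.9             # share of 401s in a window that is suspicious...
MIN_DISTINCT_USERS = 50      # ...when spread over at least this many accounts

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def windows(lines):
    """Aggregate per (api_key, second): request count, failed logins, distinct accounts."""
    win = defaultdict(lambda: {"req": 0, "fail": 0, "users": set()})
    for rec in parse(lines):
        w = win[(rec["key"], int(rec["ts"]))]
        w["req"] += 1
        if rec["status"] == "401":
            w["fail"] += 1
        w["users"].add(rec["user"])
    return win

def flag_keys(lines):
    """Return {api_key: reason} for keys whose traffic in some 1-second window looks like stuffing."""
    flagged = {}
    for (key, ts), w in windows(lines).items():
        if w["req"] > RATE_LIMIT_PER_SEC:
            flagged[key] = f"{w['req']} req/s at t={ts} exceeds cap of {RATE_LIMIT_PER_SEC}"
        elif w["fail"] / w["req"] >= FAIL_RATIO and len(w["users"]) >= MIN_DISTINCT_USERS:
            flagged[key] = f"{w['fail']}/{w['req']} failed logins over {len(w['users'])} accounts at t={ts}"
    return flagged

def constructed_log():
    """Constructed sample for one second of traffic: a legitimate mobile-app key, a key
    replaying a credential list at botnet speed, and a key spraying slowly under the cap."""
    line = "1552000000 key={k} ip={ip} user={u} status={s}".format
    log = [line(k="app-ios-v3", ip=f"198.51.100.{i % 20}", u=f"user{i}", s=401 if i % 5 == 0 else 200)
           for i in range(120)]                                   # ~120 req/s, mostly successes
    log += [line(k="partner-legacy", ip=f"203.0.113.{i % 6}", u=f"acct{i:05d}", s=401)
            for i in range(1200)]                                 # 1200 distinct accounts, all failing
    log += [line(k="unknown-client", ip="203.0.113.77", u=f"acct{i:05d}", s=401)
            for i in range(80)]                                   # 80 req/s, all failing: under the cap
    return log
```

`flag_keys(constructed_log())` flags `partner-legacy` on rate and `unknown-client` on failure ratio, while the mobile key with ordinary login failures passes.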
  16. Example #2: What’s In Your API Response?

      Developers often make assumptions that systems will be used as intended… “Only my mobile app will call my API”
      Simple order request to order entry APIs:

          curl https://api.orderinput.com/v1/sku \
            -u sku_4bC39lelyjwGarjt: \
            -d currency=usd \
            -d inventory[type]=finite \
            -d inventory[quantity]=500 \
            -d price=3 \
            -d product=prod_BgrChzDbl \
            -d attributes[size]=medium

      Response: HTTP 200 OK, https://success.api.orderinput.com/v1/sku-id, order_number=14586
      API response includes some interesting data.
  17. Example #2: What’s In Your API Response?

      It is rare for developers to consider attack scenarios, especially non-traditional ones… “Sequential order numbers make sense”
      Response: HTTP 200 OK, https://success.api.orderinput.com/v1/sku-id, order_number=23697
      But what if I submit subsequent orders over time and across various geographies?
  18. Example #2: But Why?

      Honestly - we don’t know. Same-store sales data? Competition? Investor?
  19. Example #2: Lessons Learned

      • API responses can contain valuable information
      • Restrict access to Web APIs to authorized apps only
      Mitigations applied:
      • Order number randomization
      • Mobile app authentication
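Example #2 turns on one design decision: the order number returned to the client is the database sequence itself. The following is an added example, not the talk's or any vendor's code, contrasting that anti-pattern with the randomization mitigation from the lessons-learned slide. The in-memory store and the `orders_placed_between` helper are constructed for illustration; the numbers 14586 and 23697 are the two responses shown on the slides.

```python
import itertools
import secrets

class OrderStore:
    """Constructed in-memory order store showing both identifier schemes side by side."""

    def __init__(self, start=14586):          # first order number shown on the slide
        self._seq = itertools.count(start)    # internal, database-style sequence
        self._by_public_id = {}

    def create_sequential(self, sku):
        # Anti-pattern from the slide: the internal sequence number is handed to the client,
        # so any two responses reveal how many orders were placed between them.
        order_number = next(self._seq)
        self._by_public_id[str(order_number)] = {"sku": sku, "internal_id": order_number}
        return {"order_number": str(order_number)}

    def create_opaque(self, sku):
        # Mitigation: keep the sequence internally, expose a random, unguessable public id.
        internal_id = next(self._seq)
        public_id = secrets.token_urlsafe(16)   # 128 random bits; carries no ordering or volume
        self._by_public_id[public_id] = {"sku": sku, "internal_id": internal_id}
        return {"order_number": public_id}

    def lookup(self, public_id):
        """Resolve whatever identifier the client holds back to the stored order."""
        return self._by_public_id.get(public_id)

def orders_placed_between(first, second):
    """What two sequential order numbers reveal: the count of other orders placed in between.
    Returns None for opaque ids, which carry no such information."""
    if first.isdigit() and second.isdigit():
        return int(second) - int(first) - 1
    return None
```

With the slide's two responses, `orders_placed_between("14586", "23697")` is 9110: that is the "same-store sales data" an outside caller can read off a sequential scheme, and what randomization removes.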
  20. Example #3: Attack on Microservices

      • DevOps utilizes automation via API functions in the cloud
      • Developers sharing code via GitHub
      [Diagram: Code Sharing (GitHub) ↔ IT / Dev Ops ↔ Microservices behind an API]
  21. How Would An Attacker Identify Corporate APIs?

      Step 1: Scanning for typical hostnames (auth., api., developer., download.) → IP addresses
      Step 2: Reverse lookup of +/- 10 IP addresses → list of hostnames to attack
      • Fierce is a domain discovery tool
  22. Gitrob Tool: Find & Remove Sensitive Data On GitHub

      • Search by organization
      • Flagging interesting files, like:
        o Private keys
        o Usernames
        o Emails
        o Internal system info
      Full-service tool to identify the inside of corporate networks exposed to API attacks, phishing campaigns, and social engineering attacks!
      Source: https://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/
  23. Mitigating Attacks on Microservices

      • Careful code sharing
      • API inspection & validation
      • Mitigation applied: API Gateway: dynamically assign and easily revoke API keys
      [Diagram: Code Sharing (GitHub) ↔ IT / Dev Ops ↔ Microservices behind an API]
  24. Develop An API Protection Plan Today

      Next week you should:
      • Assess your API ecosystem and identify potential security risks
      In the first three months following this presentation you should:
      • Understand who is accessing your APIs, from where and how
      • Define appropriate API security measures
      Within six months you should:
      • Select a security solution which allows proactive API protection tailored to your organization’s needs
      • Drive an implementation project to protect all public and private APIs