Data Matters — Empowering Threat Hunters to Reduce API Risk
In my previous blog post in this series, I discussed some of the ways that a data-rich approach to API security enhances API threat detection and simplifies incident response. I also noted that it opens up new possibilities for threat hunters to proactively identify simmering API threats before they can be exploited.
In this post, I’ll take a deeper dive into that point and explore how a data-rich API security approach empowers threat hunters to be more efficient and effective.
Seeing the complete picture
One of the obvious benefits of a data-rich API approach is that your threat hunters will be able to see a more complete picture of your API threat landscape, even if abuse and other malicious activity unfold over weeks or months.
Collecting API activity data from all available sources and bringing it into a normalized, scalable data lake helps threat hunters zero in on specific instances of suspicious activity and then zoom out to find similar instances across different API assets and over time.
Finding stories and characters in your API data
Of course, just amassing large amounts of raw API data doesn’t provide much more value for threat hunters — after all, they’ve always had the option to comb through logs. Raw API log data is too cryptic and voluminous for a human threat hunter to analyze strategically. It’s the proverbial haystack.
The way to overcome this is by enriching the data with additional context that turns otherwise disconnected data points into stories. The most impactful way to do this is to identify the characters in these stories. At Akamai, we call these “entities.”
Specifically, we look for two distinct types of entities in API data:
Actor entities: These are the participants in your API activity, such as partners, merchants, aggregators, users, tokens, IP addresses, and so on.
Business process entities: These are the entities that represent the business activities that your organization uses APIs to perform, such as accounts, transactions, invoices, payments, etc.
Once you can turn raw data about API activities into meaningful stories about how these characters interact, it becomes possible, using modern behavioral analytics techniques, to see how these stories usually play out — and to spot instances when something abnormal occurs.
These anomalies are the cues your threat hunters need to focus their efforts in the right areas.
How one API event can have multiple meanings
Here’s a simple example of how identical API transactions can mean very different things depending on the context. Suppose that one of the capabilities offered to your customers through an API is the ability to retrieve a copy of their invoice.
In this scenario, an authenticated API request to retrieve an invoice would not be considered out of the ordinary. You certainly wouldn’t have a detection rule to alert you when this happens, and an instance of it in a log file likely wouldn’t catch the attention of a threat hunter. It’s a legitimate and routine operation.
But what if that same customer closely studies the structure of this API request and notices that one of the parameters is an invoice ID? Then, they might try to substitute other values for the invoice ID and find that they can retrieve other customers’ invoices by doing so, improving their negotiating power as a result.
If they continue this process repeatedly, the same API transaction that is accepted as normal — an authenticated entity retrieving an invoice — could actually represent a critical data breach for your organization.
This is where the power of context comes into play. With a data-rich approach enriched by more detail about the stories and characters in your API data, a threat hunter would see much more than a routine authenticated API query. They would see an actor entity interacting with a business entity in an abnormal way.
Replaying stories and jumping to the exciting parts
Sometimes while you’re watching a TV show or movie, you zero in on an attribute, such as an actor, a song, or a memorable scene, and use it as a jumping-off point to learn more, like searching for other movies that include an actor who catches your attention.
A data-rich API security approach works similarly. Let’s revisit our invoice enumeration example: Once your threat hunter sees an anomaly, they can use this information as a jumping-off point to conduct a broader investigation:
What else has that same threat actor been doing with your APIs over the past 30 days?
Are there other actor entities interacting with that same invoicing business entity in unintended ways?
Your threat hunters are empowered to use information to form hypotheses about API threats and then move up and down and forward and backward through your API data to investigate thoroughly.
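The invoice example above and the two pivot questions that follow it, worked through in code. This is an added illustration, not Akamai code: the event lines are constructed, and the owner column stands in for the entity enrichment the post describes (it is an assumption that such a field is available after normalization).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalized, enriched API events (not real traffic).
# Columns: timestamp, actor token, actor's account, method, path, invoice owner.
# The last column is the enrichment: it ties the request to a business entity.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00Z tok_a1 acct_alice GET /invoices/1001 acct_alice
2024-05-01T10:05:00Z tok_b7 acct_bob GET /invoices/2001 acct_bob
2024-05-02T09:00:00Z tok_a1 acct_alice GET /invoices/1002 acct_alice
2024-05-03T11:00:00Z tok_b7 acct_bob GET /invoices/2002 acct_bob
2024-05-03T11:00:05Z tok_b7 acct_bob GET /invoices/2003 acct_carol
2024-05-03T11:00:07Z tok_b7 acct_bob GET /invoices/2004 acct_dave
2024-05-20T08:00:00Z tok_m9 acct_mallory GET /invoices/2003 acct_carol
"""

def parse_events(text):
    """One event per line -> dict; the invoice id is the business entity key."""
    events = []
    for line in text.strip().splitlines():
        ts, token, actor, method, path, owner = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "token": token, "actor": actor, "method": method,
                       "path": path, "invoice": path.rsplit("/", 1)[1],
                       "owner": owner})
    return events

def cross_owner_access(events):
    """Actor entities reading invoices owned by another business entity.
    Each event is a routine authenticated GET; only the context flags it."""
    hits = defaultdict(set)
    for e in events:
        if e["path"].startswith("/invoices/") and e["actor"] != e["owner"]:
            hits[e["actor"]].add(e["invoice"])
    return {actor: sorted(ids) for actor, ids in hits.items()}

def pivot_actor(events, actor, end=None, days=30):
    """Replay: everything this actor did in the trailing window (30 days)."""
    end = end or max(e["ts"] for e in events)
    start = end - timedelta(days=days)
    return [e for e in events if e["actor"] == actor and start <= e["ts"] <= end]

def pivot_entity(events, invoice, exclude_actor=None):
    """Jump sideways: which other actors touched the same invoice entity?"""
    return sorted({e["actor"] for e in events
                   if e["invoice"] == invoice and e["actor"] != exclude_actor})
```

In a real estate some cross-owner reads are legitimate (a partner or aggregator acting for its merchants), so the production version of this check baselines each actor's normal set of business entities rather than treating every mismatch as an anomaly.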
This turns threat hunting from a potential resource drain with unclear impact to a highly focused, efficient, and effective component of your overall security model.
Kick-start your API threat hunting program
Akamai API Security is a 100% software as a service (SaaS)–based solution that applies extended detection and response (XDR) concepts to your API estate. It can be deployed alongside Akamai App & API Protector or on a stand-alone basis to:
Continuously discover APIs in your environment
Maintain a data-rich, 30-day view of all your API activity
Identify and map relationships among entities involved in your API usage
Use sophisticated behavioral analytics to establish baseline normal API usage and detect anomalies
Provide detailed insights and recommendations in response to detected threats
Automate seamlessly with your security operations and IT stack to streamline incident response and threat hunting
DIY or leave it to us
You can use Akamai API Security to empower your in-house threat hunters to work more efficiently and effectively. Or you can leave the heavy lifting to us by engaging Akamai API Security ShadowHunt, our managed API threat hunting service.
Learn more
In case you missed the news in the previous post: We are introducing a monthly technical webinar series, If Your APIs Could Talk. Our first webinar covers the importance of storing data as part of your API security strategy.