A Deadly Combination: APIs and Credential Stuffing

Last week, Akamai published their Q4 2017 State of the Internet / Security Report. Given the sheer volume of traffic that Akamai handles through their Content Delivery Network (CDN), they have a unique perspective on emerging patterns in Internet behavior, both good and bad.

The entire report is well-researched and elegantly put together, and two key findings jump out:

  • APIs are becoming increasingly attractive to attackers; and
  • Credential Stuffing attacks are a crucial attack vector.

APIs: The Soft Underbelly of Your Security Architecture

Exposing atomic services and roll-ups as APIs has become standard architecture as organizations continue to drive digital transformation through cross-business mashups, mobile adoption, and omnichannel harmonization. Unfortunately, as the report states, “One factor we expect to become increasingly important is bot activity targeting APIs. In many cases the safeguards organizations have in place to protect their site from attackers are not tuned to protect APIs, making them tempting targets.”

This means that the very mechanism you’re likely using as the linchpin of your digital transformation strategy may well be the Achilles’ heel that puts your firm on the cover of the Wall Street Journal, and not in a good way.

Credential Stuffing: A Big Problem Gets Bigger

The second observation is even more alarming. Credential Stuffing attacks, in which credentials from earlier breaches (e.g. the LinkedIn or Yahoo attacks) are replayed against other sites’ login endpoints, are proliferating at an enormous scale.

Akamai saw 8.3 billion login attempts across the Akamai platform in November and 8.75 billion logins during December, despite a slightly shorter data collection window. Of the logins in November, a whopping 3.6 billion were determined by us to be malicious login attempts. In other words, 43% of all logins seen by Akamai were attempts to log in to an account using password guessing or account details gathered from elsewhere on the Internet.

The exposure here is further compounded by the fact that people commonly reuse the same two or three passwords across the vast majority of the sites they frequent. This makes it likely that at least some subset of your users have credentials with you that have already been breached elsewhere.
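The login-volume pattern described above is what a defender can look for on an API login endpoint. The following is an added example (not from the post or from Uniken) of detection logic run over constructed log lines: it flags a source that tries many distinct accounts in a short window with mostly failures, and then lists the accounts that did succeed from such a source, since those are the likely reused, already-breached passwords. The log format, the source-IP keying and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for a hypothetical /api/v1/login endpoint
# (assumption, not from the post): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2018-03-01T10:00:01Z 198.51.100.7 alice FAIL
2018-03-01T10:00:02Z 198.51.100.7 bob FAIL
2018-03-01T10:00:02Z 198.51.100.7 carol FAIL
2018-03-01T10:00:03Z 198.51.100.7 dave FAIL
2018-03-01T10:00:03Z 198.51.100.7 erin OK
2018-03-01T10:00:04Z 198.51.100.7 frank FAIL
2018-03-01T10:00:05Z 203.0.113.9 alice FAIL
2018-03-01T10:00:09Z 203.0.113.9 alice OK
2018-03-01T10:05:00Z 198.51.100.7 grace FAIL
"""

def parse_log(text):
    """Group events per source; each event is (time, username, succeeded)."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, user, result = line.split()
            by_src[src].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result == "OK"))
    for events in by_src.values():
        events.sort()
    return by_src

def stuffing_sources(by_src, window=timedelta(seconds=60), min_users=5, max_success_rate=0.5):
    """Flag sources that, within one sliding window, tried >= min_users distinct
    accounts with a low success rate: the shape of a credential-list replay, as
    opposed to one user retrying their own password. Returns
    {src: (distinct_users, attempts, successes)} for the first window that trips."""
    flagged = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(ok for _, _, ok in win)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                flagged[src] = (len(users), len(win), successes)
                break
    return flagged

def suspect_takeovers(by_src, flagged):
    """Accounts that logged in successfully from a flagged source: a valid
    password inside a stuffing burst is the likely reused, already-breached one."""
    return sorted((src, u) for src in flagged for _, u, ok in by_src[src] if ok)
```

Stuffing campaigns routinely rotate source IPs, so in practice the same windowing is also keyed on a client or device fingerprint rather than on the IP alone; the single legitimate user retrying their own password (203.0.113.9) is not flagged.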

An Explosive Combination

Taken together, these two findings have devastating implications. The easy availability of a massive swath of previously-breached credentials gives attackers an evergreen stash of ammunition. And the proliferation of unprotected (or at best semi-protected) APIs gives them an easy vector through which to use that ammunition.

Organizations need to take a multilayered approach to defend against this emerging threat combination. 

Unified Defense in Depth

At Uniken, we champion the perspective that not only should you approach security with a “Defense in Depth” strategy, but also that your various security layers work together so that every layer would have to be compromised simultaneously in order to penetrate your infrastructure — a concept we refer to as Unified Defense in Depth.

As it relates to this topic, Unified Defense in Depth protects you in two ways. It cloaks your APIs so that they’re not visible to attackers and any unknown or untrusted users. At the same time, it eliminates the need for passwords and Knowledge-Based Authentication (KBA) which can be compromised elsewhere, purchased on the Dark Web, and deployed against you via a Credential Stuffing attack.

Cloak Your APIs

Uniken’s REL-ID platform renders your APIs undiscoverable and inaccessible to unknown and potentially malicious users. Our secure channel and white-listing approach significantly reduces the attack surface by ensuring that only known, trusted users and apps, from known and clean devices can even connect with you.

Only after verifying that a request is coming from a safe source is a connection even permitted to your sensitive APIs. This means that attackers who are trying to use bots to replay a broad array of passwords will never even have a chance to attempt an attack, much less have it succeed.

Eliminate Passwords

Simultaneously, REL-ID completely eliminates the use of passwords for your customers to access your digital and traditional channels—including web, mobile, and call center-based channels. By relying on our Invisible Mutual Multi-Factor authentication, which is built on a foundation of individuated key pairs, app fingerprinting, device fingerprinting and strong biometric authentication, REL-ID renders user-known credentials such as passwords completely useless against you.

The Akamai report closes with this ominous prediction:

This leads us to the final prediction of this report for 2018: APIs are going to be an increasingly popular attack surface for hackers. Akamai has seen growth in this area throughout 2017, and the lack of controls and safeguards most organizations have around their APIs make them tempting targets for people who want to compromise systems without being detected.

Are you confident your defenses cover your APIs sufficiently? Or at all?

If you want to have maximum confidence that you’re protecting yourself against these emerging threats, you can learn more by downloading our “CDO Guide to Omnichannel Security.”