MY TAKE: Why companies had better start taking the security pitfalls of API proliferation seriously

By Byron V. Acohido

APIs are putting business networks at an acute, unprecedented level of risk – a dynamic that has yet to be fully acknowledged by businesses.

Related: ‘SASE’ framework extends security to the network edge

That said, APIs are certain to get a lot more attention from security teams — and from board members concerned about cyber risk mitigation — in 2022. This is so because a confluence of developments in 2021 has put API security in the spotlight, where it needs to be.

APIs have emerged as a go-to tool used by threat actors in the early phases of sophisticated, multi-stage network attacks. Upon gaining a toehold on a targeted device or server, attackers now quickly turn their attention to locating and manipulating available APIs.

“Threat actors have become aware that APIs represent a ton of exposed opportunity,” says Mike Spanbauer, security evangelist at Juniper Networks, a Sunnyvale, Calif.-based supplier of networking technology.

Over the past year, I’ve had several deep conversations parsing how APIs have emerged as a two-edged sword: APIs accelerate digital transformation, but they also vastly expand the attack surface of modern business networks. I’ve delved into this with Spanbauer, as well as with experts at several suppliers of advanced API security systems. Here are my key takeaways:

Manipulating APIs

A big reason why APIs haven’t gotten the attention they deserve may be that, from a security standpoint, they fall into a category of hacking tactics known as Living off the Land, or LotL. This is when intruders use pre-installed operating system tools to escape detection while executing unauthorized tasks.

LotL tactics are not terribly well understood by non-technical company decision makers; they are just one of several categories of nuanced security exposures that have long demanded more attention. Yet LotL tactics have had a profound negative impact; there are more than 100 Windows system tools designed to execute fresh code in critical systems — at the behest of any user with privileged access. And threat actors have compiled thick playbooks on how to surreptitiously gain privileged access rights and then take control of built-in network tools.

It seems to me that attackers have come to utilize APIs as, in essence, a built-in tool on steroids. The core functionality of an API is to serve as a conduit for moving data to-and-fro in our digitally transformed world. APIs are an access mechanism that come into play everywhere across the breadth of digital commerce – not just inside of Windows systems.

APIs are hubs to the paths connecting users to cool new apps, which in turn tap into virtual databases, which in turn reside in cloud-supplied IT infrastructure. What’s more, APIs are designed to help interconnect far-flung users with digital assets dispersed far and wide across a conglomeration of on-premises datacenters and multiple cloud services. Legacy security architectures just don’t fit this massively complex, highly dynamic environment.

Somehow, more attention and security processes need to be focused on APIs without blunting their usefulness. “In the past few years, threat actors have been ramping up their advanced tactics to find API weaknesses and to exploit them,” Spanbauer says. “This means that on the protection side of the equation, we need to get smarter about leveraging technology to try to help companies deal with this very complex security challenge.”

The kingpins of the top criminal hacking collectives are no dummies. For the past couple of years, while security teams have been scrambling to find their way forward, they’ve been deploying their hacking teams to exploit the rising number of APIs within their easy reach.

These kingpins realize it will take some time for companies to effectively raise the level of API security. So they’ve kept their hacking teams busy utilizing APIs as conduits to move laterally inside breached networks, to locate valuable assets, to steal data and to embed malware.

Attack chain multiplier

Malicious API activity now routinely factors into the early phases of just about every multi-stage hack. API manipulation, for instance, was pivotal in ramping up the milestone attacks against Capital One, SolarWinds, Colonial Pipeline, Kaseya, Microsoft Exchange and scores more.

“The clever bad actors are leveraging APIs as another, albeit powerful infection vector,” Spanbauer says. “APIs come into play in the first stage of a multi-stage attack. Once the bad actor gets in that first door, via an API, they can encrypt and compress a bunch of files or detailed data to send off or look for an opportunity to further expand their compromise.”

The Microsoft hack last spring vividly illustrates how APIs have quietly become the critical link in hackers’ cyber-attack chain. In early March, Microsoft publicly acknowledged that a Chinese hacking ring, Hafnium, had been exploiting a number of zero-day vulnerabilities in Exchange Server to gain full, unfettered access inside targeted company networks. Microsoft also issued an emergency patch for Exchange Server, the venerable, on-premises email system still in wide use globally.

Then over the next few days, unpatched Exchange Servers were breached at some 30,000 U.S. organizations and 60,000 German entities. This was the handiwork of some 10 hacking rings that burst into action the moment Microsoft issued its patch. These criminal rings swiftly reverse engineered Microsoft’s patch and then hustled to compromise as many unpatched Exchange Servers as they could reach.

Upon each successful Exchange Server compromise, the attackers’ next steps were to manipulate APIs to go deeper. This report compiled by security analysts at Cybereason details how one ring, the controllers of the Prometei botnet, utilized native APIs to take control of several Windows system tools. This enabled the attackers to swiftly install a cryptocurrency botnet, steal credentials and seek out other unpatched vulnerabilities to exploit.

“APIs represent a huge emerging attack vector, much bigger than people realize,” Spanbauer observes. “And because users don’t interface with APIs in the same way as they do with applications, there’s a significant visibility challenge . . .  a lot of malicious API activity happens well under the radar.”

Reversing the pendulum

The path forward seems obvious to the cybersecurity vendors I’ve discussed API exposures with over the past year. Companies simply must attain a higher level of visibility of their APIs and begin enforcing smarter security policies designed to slow down malicious manipulation of them. Security tools and frameworks need to be tuned to account for all APIs and be on high alert for any unauthorized API activity.

Observes Spanbauer: “We need to grow our capabilities to become very adept at helping organizations more rapidly and effectively deal with this complex new challenge. Knowing that something bad has happened is more difficult than ever with applications . . . This is why we need to depend more than ever on advanced analytics and visibility tools.”

The good news is that this shift is underway in earnest, though, as with everything else in cybersecurity, material improvement won’t happen overnight. This summer Gartner designated API security as a stand-alone pillar in its security reference architecture, not just an add-on component to other systems.

Gartner’s acknowledgement signals the birth of a new cybersecurity subspecialty – a class of vendors focused on helping companies security-proof their APIs, both in development and as they deploy new APIs in the field.

For its part, Juniper Networks considers greater API visibility and improved real-time management of APIs to be integral strands of its larger Connected Security strategy. As a leading supplier of advanced routers, switches and network management systems, the company has assembled a comprehensive portfolio of network security services to serve as the foundation for this strategy.

At a high level, Juniper Connected Security calls for helping companies keep much closer track of key assets and get much more adept at developing and enforcing policies that improve security without detracting from user experiences. This can get done by applying machine learning more adroitly to the rivers of data flooding into and across modern company networks each day, Spanbauer says.

“As the API attack vector continues to grow, so too will the protections,” he says. “The threat actors see the potential of APIs as an attack tool and continue to grow their capabilities. We’re continuing to invest in our next generation firewall and our cloud-based security capabilities to counter that trend. And we’re committed to leveraging every tool in our arsenal to protect our customers.”

API exposures are pervasive and continue to multiply. As we start the new year, criminal hacking rings are taking full advantage. However, the pendulum is now set to reverse direction and swing in favor of more secure design and deployment of APIs. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)