Tencent Cloud

Web Application Firewall

API Behavior Control

Last updated: 2023-12-29 14:53:54

Background

In an era where everything can be an API, digital enterprises must be able to deliver products and services quickly in response to customer needs. At the same time, APIs expose increasingly complex applications and large volumes of sensitive data, which has made them a primary target for attackers.
In recent years, many well-known international enterprises have suffered serious losses through negligence in API security. According to the State of API Security Report Q1 2022 released by Salt Labs, attackers increased by 681% over the past 12 months and 95% of organizations experienced an API security incident. Most organizations are still not prepared for these challenges: over a third (34%) have no API security strategy at all.
API traffic carries large amounts of data. With WAF, you can secure data access by classifying and masking (desensitizing) data, and prevent data theft by detecting data leakage and blocking abnormal access and connections.

Exceptional API Behaviors

Attacks with no obvious signatures.
Abnormal access to services.
Transfer of large amounts of data.
Access from abnormal sources.
Exploitation of outdated or zombie APIs.
Overexposure of data.

Handling API Exceptions

Detecting and investigating abnormal API access behavior is the most effective way to find and fix security weaknesses in routine security operations. In the WAF console, API Analytics and Bot Analytics let you quickly identify API exceptions and close the loop on them rapidly.
Note
API Analytics is currently in beta testing and only supports 3 domain names. To use this feature, submit a ticket.
Detect and investigate abnormal API access behavior as follows:
1. Detect exceptional requests.
On the Attack Logs page, identify abnormal access behavior in the logs and track its activity.
On the API Analytics page, identify abnormal APIs, check their API logs and track their activity.
On the Bot Analytics page, identify API access requests that were assigned abnormal scores and track their activity.
2. Get the unique UUID of the abnormal access request and use it to determine the scope of the incident. Once Access Logs is enabled, every log entry carries a unique UUID, which lets you analyze and track user activity, API access logs and bot behavior.
3. Identify typical user behavior anomalies. Access behavior differs from one API to another; for example, an unusually high number of access attempts against a login API is very likely to be an exception.
4. Identify whether the access itself is exceptional. Check whether the access source and login location are abnormal and whether the calls are made from the business side.
5. Identify whether the returned content is exceptional.
Check whether the request parameters (such as body size) are exceptional.
Check whether the returned content is exceptional.
6. Check the relevant API and user information. Once the abnormal access behavior and the associated user and API information have been identified, handle the exception.
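As an added illustration (not code from the Tencent Cloud WAF product or from this guide), the following Python walks steps 2 to 5 above over a constructed set of access-log entries: it flags excessive login attempts per source, access from an unexpected location and an oversized request body, then pivots from a flagged UUID to the scope of the incident. The field names, thresholds and expected locations are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Assumed thresholds (tune to the business); not values from the WAF console.
LOGIN_ATTEMPT_LIMIT = 5        # attempts per source IP against a login API
BODY_SIZE_FACTOR = 10          # body larger than 10x the API's median body size
EXPECTED_GEOS = {"CN", "SG"}   # locations the business legitimately calls from

def _entry(uuid, ip, geo, api, size, status):
    return {"uuid": uuid, "src_ip": ip, "geo": geo, "api": api,
            "body_size": size, "status": status}

# Constructed sample entries; field names are assumptions, "ZZ" is a placeholder geo.
LOGS = (
    [_entry(f"u-{i:03}", "203.0.113.10", "CN", "/api/login", 120, 401) for i in range(7)]
    + [_entry("u-100", "198.51.100.5", "CN", "/api/login", 118, 200),
       _entry("u-101", "198.51.100.5", "CN", "/api/orders", 900, 200),
       _entry("u-102", "198.51.100.6", "SG", "/api/orders", 1100, 200),
       _entry("u-103", "192.0.2.77", "ZZ", "/api/orders", 950, 200),
       _entry("u-104", "198.51.100.7", "CN", "/api/orders", 45000, 200)]
)

def analyze_api_logs(logs):
    """Return (uuid, reason) findings for steps 3 to 5 of the guide."""
    findings = []
    # Step 3: too many access attempts against a login API from one source
    attempts = Counter(e["src_ip"] for e in logs if e["api"].endswith("/login"))
    # Step 5: per-API median body size, so an oversized body stands out
    sizes = defaultdict(list)
    for e in logs:
        sizes[e["api"]].append(e["body_size"])
    for e in logs:
        if e["api"].endswith("/login") and attempts[e["src_ip"]] > LOGIN_ATTEMPT_LIMIT:
            findings.append((e["uuid"], f"excessive login attempts from {e['src_ip']}"))
        # Step 4: access from a location the business does not call from
        if e["geo"] not in EXPECTED_GEOS:
            findings.append((e["uuid"], f"access from unexpected geo {e['geo']}"))
        if e["body_size"] > BODY_SIZE_FACTOR * median(sizes[e["api"]]):
            findings.append((e["uuid"], f"body size {e['body_size']} abnormal for {e['api']}"))
    return findings

def incident_scope(logs, uuid):
    """Step 2: pivot from a flagged request's UUID to all requests from the same source."""
    hit = next((e for e in logs if e["uuid"] == uuid), None)
    return [e for e in logs if hit and e["src_ip"] == hit["src_ip"]]

if __name__ == "__main__":
    for uuid, reason in analyze_api_logs(LOGS):
        print(uuid, reason, "| scope:", len(incident_scope(LOGS, uuid)), "requests")
```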
