PingIntelligence for APIs: AI-powered API Cybersecurity

Read Time: 16 minutes

Overview

PingIntelligence for APIs is an award-winning software solution that provides deep visibility into API traffic, discovers APIs automatically, provides AI-powered automated API attack detection and blocking, and uses decoy/honeypot environments to identify hacking in real time.

Attacks on API services can come from outsiders, such as hackers and bots, or from insiders. Sometimes the hacker looks like an insider, and attacks may be malicious or not. For example, a system malfunction may affect another system via its API through what is known as friendly fire.

There are many different types of attacks to defend against, and PingIntelligence for APIs can detect them regardless of origin or intent. PingIntelligence works by inspecting API traffic between every device and the applications and data services accessed via the API to deliver deep knowledge on how each API is accessed and used.

Combine strong API behavior analytics with security expertise and data science

Identify good and bad API traffic with advanced mathematical modeling.
Utilize self-learning to save security analysts from having to write or update rules.
Adapt automatically to changing environments.

Gain rich API traffic visibility, forensics and compliance reporting

Obtain unique insight into API activity with dashboards and in-depth reporting for each API.
Automatically identify the APIs in your infrastructure.
Accelerate gathering of evidence after an attack to expose all activity.
Simplify investigations and track compliance with optimized reports.

Stop API cyberattacks with threat detection and automated blocking

Detect hackers instantly with API-based deception.
Automatically discover malicious activity by bots, external hackers and insiders.
Terminate identified attacks automatically across all nodes and API gateways.

Preserve investments in API infrastructures

Deploy within existing API infrastructures, including APIs on application servers or in API gateways.
Integrate with all popular API gateways for “drop-in” deployments.
Deliver security and visibility unification across all API gateways and APIs.

PingIntelligence for APIs combines real-time security and AI analytics to detect, report and block cyberattacks on data and applications exposed via APIs. Its artificial intelligence engine brings cyberattack protection and deep insight into API activity to existing API gateways and API management platforms, as well as APIs implemented directly on App Servers, such as Node.JS, WebLogic, Tomcat or WebSphere.

PingIntelligence provides automated AI-powered cybersecurity, including these specific capabilities:

API auto-discovery of all active APIs.
API activity audit trails for deep insight, compliance and forensic reports.
Identification of cyberattacks on APIs and data/systems.
API deception to instantly detect hacking.
Automatic blocking of API threats.

PingIntelligence can be deployed in hybrid clouds, public clouds and on premises. This self-learning solution requires no signatures, security rules or policies to write and is optimized for REST and WebSocket APIs. Because it does not depend on rules or knowledge of attack patterns, it can catch attacks that are new or changing. PingIntelligence for APIs consists of two core components:

API Security Enforcer (ASE)

With both inline and sideband deployment options, ASE deployments support the best fit for an organization’s API architecture. An inline configuration offers a high-performance reverse proxy to protect APIs deployed on API gateways or directly on application servers. A sideband configuration works with API gateways and/or PingAccess to provide the same AI-powered attack detection and comprehensive insight, without requiring network or infrastructure modifications. Both options can be deployed in clusters and launched on demand when auto-scaling.

AI Engine

The execution of AI algorithms detects in near real-time any cyberattacks targeting data, applications and systems via APIs. Attack information is automatically provided to all ASEs (or other systems) to block ongoing breaches directly or via the API gateway, as well as prevent reconnection. AI Engine can be deployed in clusters and added on demand to address capacity needs.

PingIntelligence for APIs’ AI engine uses specialized algorithms to inspect and track all API sessions’ metadata, including client information, API information and request/response flows. The AI engine continuously looks for abnormal behavior and can identify stolen tokens/cookies, data exfiltration and other types of advanced API attacks missed by traditional API security tools.

PingIntelligence identifies attacks that go undetected by traditional security solutions, including WAFs, such as zeroday attacks and attacks from users with valid credentials. These attacks—which represent over 90% of attacks on API infrastructures—may include account takeover attacks, data theft attacks, data manipulation attacks, attacks with stolen tokens, DoS/DDoS attacks on APIs that stay below gateway rate limits, attacks that reverse engineer the API to identify vulnerabilities and get to data, fuzzing attacks and others.

Unlike traditional security platforms, the AI engine automatically learns expected traffic behavior across API environments and does so on a per-API basis. When an attack is detected, it instructs all API gateways and/or PingAccess to start blocking the requester. PingIntelligence works across your APIs, regardless of which tool is used for issuing tokens and managing identities, effectively providing an additional security layer on top of your foundational API security infrastructure.

The ASE forwards API traffic metadata from the Gateway into the AI Engine and blocks information from the AI engine to the API gateway.

1. Hacker reverse-engineers API to use it outside the app.

2. Hacker uses the API in unintended ways to find vulnerabilities.

3. Private data breaches through the API gateway.

4. AI Engine detects anomaly and instructs API Security Enforcer (ASE) to block source of traffic. ASE passes this blocking information on the API gateway thus stopping the attack.

Detect Attacks

PingIntelligence for APIs can detect many types of cyberattacks, most of which are not visible to API teams today and can go undetected for very long times. PingIntelligence protects against three main types of attacks, specifically:

2.1

Authentication System Attacks

Login system attacks: Bad actors use credential stuffing and other brute force attacks to test valid credentials from the dark web to determine the validity of these credentials. They then utilize the compromised credentials to access API services. Bots may execute aggressive attacks or run slower attacks designed to blend in with normal login failures.

Account takeover with stolen credential attacks: Stolen credentials acquired via man-in-the-middle and other attacks are used to penetrate and take over accounts. These credentials include stolen tokens, cookies or API keys which may be used by the hacker to access data authorized to the compromised client.

2.2

Data and Application Attacks

API takeover attacks: Hackers use a valid account to reverse engineer the API and access other accounts using the vulnerabilities they found. Theft of data and private info follows, as well as the takeover of other accounts. Meanwhile, the hacker looks like a normal user at all times since they are using a valid account.
Data extraction or theft: Hackers use APIs to steal files, photos, credit card information and personal data from accounts available through an API. Since normal outbound activity on one API may be an attack on a different API, PingIntelligence uses its deep understanding of each API to block both normal and extended duration data exfiltration attacks.
Data scraping: APIs are commonly abused by bots which extract (scrape) data for subsequent use (e.g., competitive pricing) which can negatively impact your business. Data scraping attacks can be executed on the API service directly and can run over extended time frames to avoid detection.
Data deletion or manipulation: A disgruntled employee or hacker could delete information to sabotage systems or change data to compromise information.
Data injected into an application service: A hacker can load large data files to overrun system memory or inject excessive data to overload an API service.
Malicious code injection: A hacker may inject malicious code, such as key loggers, which could compromise other users accessing the service.
Extreme application activity: A hacker can generate calls that require unusually high system resources which can overwhelm a backend and cause an application-level denial of service.
Probing and fuzzing attacks: A hacker may look for coding flaws which can be exploited to expose unintended content. The hacker may also try to mask the activity by probing the API over long time periods. These attacks can be used to force API errors to uncover IP and system addresses that can then be used to access resources.
Fraudulent user access: A hacker compromises a user’s account and then exercises anomalous activity including excessive session length, odd API access patterns and extreme session activity.
Invalid API sequence traversal: A user accesses a series of APIs in a highly abnormal order.

2.3

API DOS/DDoS Attacks

Targeted API DDoS attacks: Hackers tune attacks to stay below rate limits and exploit API vulnerability with finely crafted API DDoS attacks to disable services provided by the API or damage the user experience. Existing anti-DoS/DDoS security solutions can’t stop these attacks, but PingIntelligence for APIs uses AI to identify and block them.

Extreme client activity: A bot or hacker may generate extreme levels of inbound activity on an API service.

In 2019, the OWASP API Security Top 10 was released to educate organizations on the leading threats and vulnerabilities of APIs. As part of an API security strategy, PingIntelligence for APIs can help an organization defend against threats on this list, including excessive data exposure and lack of resources and rate limiting, in addition to detecting anomalies in API traffic.

By analyzing client behavior on the API services, PingIntelligence can detect attacks where hackers have discovered vulnerabilities that circumvent the intended authorization systems or deviate from normal usage of the API service.

Block Attacks & Manage False Positives

Once detected, attack information is maintained in a blacklist. As part of its API traffic intelligent modelling, PingIntelligence implements a threshold concept in its AI engine. This boundary effectively delimits a “no man’s land.” When a user is in that zone, the user is considered a hacker and not a normal user.

Because the probability of having a normal user in the no man’s land is very small, PingIntelligence classifies these situations as attacks and will block corresponding connections. Blocking or not blocking can be configured per API, per attack type and per user. IT has the flexibility to decide when to block or not. Blocking can be based on an IP address, a token, a user identity, a cookie or an API key. Malicious users often use valid accounts when they attack APIs. The ability to block by user identity lets PingIntelligence for APIs react to these situations. IT can review which user identities are blocked by consulting the PingIntelligence for APIs dashboard and take additional actions such as revoking these users’ access beyond the APIs.

In most instances, the user is blocked based on a token or cookie. A blocked user with valid credentials would normally re-login, get a new token or cookie and get back to business naturally. If the user keeps returning to that no man’s land, but proves to be a legitimate user, IT can adjust the boundaries and remedy the situation.

To address false positives, PingIntelligence provides a tool that lets an operator flag a detected attack as a false positive and unblock a user. To remedy recurring blocks, the tool will also adjust the no man’s land boundaries for the affected API if needed.

Furthermore, blacklists leveraged by ASEs can be augmented with information from other blacklists in the organization, such as an IP or device reputation list. Using an API provided by PingIntelligence for APIs, an organization can automate the augmentation of these blacklists.

Gain Deep API Traffic Insights

PingIntelligence for APIs dynamically discovers deployed API services including host name, base path, protocol, content type, methods, URL paths and API servers. This information delivers a view of active APIs (i.e., only paths accessed by clients are discovered) and can be reviewed to properly secure APIs that were unknown to the security team.

Even in organizations with strict API governance processes and tools, PingIntelligence for APIs provides valuable insights on the APIs in place. This additional list of APIs is produced through the lens of API traffic-based analytics and can be contrasted with lists from API governance tools. The information is also used to auto configure the PingIntelligence system without importing API definitions.

Using the AI engine, the API definition is dynamically built by analyzing the API traffic and capturing the necessary information to enable PingIntelligence to detect attacks and report on the API. As long as API traffic is made visible to PingIntelligence by either routing it through ASE in inline mode, or by applying sideband policies to it from API gateways, new APIs are discovered on an ongoing basis, not just during the initial training phase. After the discovery process is complete, the AI engine can start the training process to build AI models for attack detection and generate reports on API activity.

Operations personnel are notified of newly discovered APIs by the PingIntelligence for APIs dashboard. The following screenshot shows the main dashboard along with a screenshot of information about a discovered API.

The dashboard also provides pictorial views of API attacks and includes API specific dashboards to see more detailed information about each API. The following screenshot shows an API-specific dashboard.

A user-specific dashboard provides a detailed analysis of historical API traffic for a specific user identity across all APIs. You can also view API traffic analysis per token and per IP address.

Three types of reports are generated and available to analysts who want more detailed information:

Activity reports provide insight into all client events on each API, including paths accessed, methods, etc.
Attack reports generate lists of client identifiers detected (e.g., tokens) and of each attack type (e.g., data exfiltration).
Forensic reports enable security analysts to review all API activity leading up to an attack for a specified client identifier.

PingIntelligence for APIs delivers complete tracking of all API activity for forensic and compliance reporting, down to every command or method used by anyone on any API for any time period. The activity reports provide a summary of API access including paths traversed, methods used and other information. These reports can be generated for a specified timeframe for a given API. The data from these reports is itself available through an API that can be leveraged to enrich existing dashboards that may exist outside PingIntelligence. All of the data is neatly structured using JSON as illustrated in the example of a token-based activity report that follows.

Forensics reporting provides a complete picture of the activity that occurred during an incident. This facilitates compliance and investigations. Forensics also help repair the damage that occurred prior to the automatic detection and blocking of a breach.

The attack and activity report events can also be fed to a variety of systems, including integrating with Splunk. All API attack and report activity is searchable in the Splunk database, and individual events can be sent to a custom Slack channel that is monitored by operations.

Deceive & Catch Hackers

PingIntelligence for APIs also provides a deception environment (a honeypot) that allows for the creation of decoy or fake APIs. Once one of these APIs is touched by a hacker, PingIntelligence instantly identifies the source of the attack and blocks any access to production APIs.

These API decoys use a hacker’s tendency to poke around in ways that applications do not, accelerating the detection and blocking of breaches. A dedicated dashboard is available for decoy API access, and detailed reports are accessible via the API engine. Additionally, API paths that hackers have attempted are reported on and can be used to create additional fake/decoy APIs to use as traps.

Deploy the Way That Works Best for You

With both inline and sideband deployment options available, your IT team can deploy PingIntelligence for APIs however it best fits in your enterprise architecture. The inline model offers a high-performance reverse-proxy to protect APIs deployed on API gateways from Axway, Apigee, CA, IBM, Kong, Mulesoft, Tibco, Tyk, Red Hat 3Scale, SoftwareAG, WS02, Gravitee.io and more, as well as APIs deployed directly on application servers. And the sideband model works with API gateways and/or PingAccess to provide the same AI-powered attack detection and comprehensive insight, without requiring network or infrastructure modifications.

6.1

Sideband Deployment

PingIntelligence for APIs integrates with existing API gateway deployments in a mode known as Sideband. In such a deployment, PingIntelligence for APIs is “dropped in” on the side of the API gateway and communicates with the gateway to analyze the metadata of the traffic flowing through it. A configuration policy is installed on the gateway to enable the communication with PingIntelligence.

PingIntelligence AI cluster analyzes traffic flowing through one or more gateways for traffic visibility and breach/bad traffic detection.

PingIntelligence for APIs supports sideband integration with PingAccess, as well as all leading API gateway platforms including those from Amazon (AWS API Gateway), Google/Apigee, MuleSoft, IBM (Datapower/API Connect), Akana, Kong, Axway, NGINX/NGINX Plus, F5 BIG-IP, CA/Broadcom (Layer 7), WSO2 and Azure API Gateway.

Multi-cluster, Hybrid & Heterogeneous Capabilities

PingIntelligence for APIs’ flexible architecture enables organizations to align their API cybersecurity deployments with their individual API gateway architecture. Gateway sideband policies can be configured to support high availability deployments where sideband calls are sent to a primary and secondary/failover ASE node. Clusters of API gateways can also communicate with a single cluster of PingIntelligence for APIs nodes. If the primary ASE node fails, then sideband calls are sent to the failover ASE cluster node. You can even grow clusters of ASE nodes dynamically alongside the gateway cluster to scale up. Furthermore, failover and dynamic scaling is achieved through AI engine scaling, and ASE nodes dynamically discover new AI Engine nodes as they are deployed.

PingIntelligence supports single and multiple site sideband deployments with multi-vendor API gateway clusters. In addition, PingIntelligence for APIs can be deployed across API gateway clusters themselves deployed across multiple clouds and using heterogeneous technologies as illustrated here.

When deployed in a multi-vendor gateway environment or in environments with a mix of APIs on app servers and APIs on gateways, Ping Intelligence effectively delivers security and visibility unification across all API gateways and APIs.

6.2

Inline Deployment

In addition to sideband deployments, PingIntelligence for APIs allows for an Inline deployment where it can be deployed in front of APIs, as well as in front of or behind API gateways.

In the inline deployment mode, ASE sits at the edge of your network to receive the API traffic. It can also be deployed behind existing load balancers such as AWS ELB. In inline mode, API Security Enforcer terminates TLS/SSL connections from API clients and reinitiates them to deliver encrypted flux to the back end. It forwards the requests directly to the APIs on API gateways or application servers such as Node.js, WebLogic, Tomcat, PHP, etc.

When running inline, PingIntelligence for APIs provides additional functionality which would otherwise be the responsibility of an API gateway in sideband mode. This functionality includes:

Protecting the identity of API services: ASE hides API identities to protect applications from the outside world with name and error message obfuscation.
- Name mapping: administrators define public names for the application server and APIs. These names are mapped in the ASE configuration to corresponding private API names. ASE transforms the names in real time, so the client only sees the public name.
- Masking API error messages: when responding to an error condition, an application server may generate stack traces which may contain server names and implementation details or expose confidential information. ASE substitutes a custom error message with minimal information to protect against inadvertent disclosures.
Enforcing expected API behavior: each API configuration includes supported commands/methods, content type and protocol type. In real time, ASE inspects, blocks and logs traffic which does not conform to expected behavior. For example, if HTTP DELETE is not a valid API method, traffic is blocked, and the attempt is logged.

Conclusion

As indicated by news reports of API-based breaches, attacks against APIs can go undetected for months, sometimes years. By mining the big data available in your API traffic, you can proactively hunt for these threats using the power of artificial intelligence, plus gain deep insight into all API activity. PingIntelligence for APIs integrates into your existing API infrastructure to help you protect your organization against these new emerging threats.

To experience the power of PingIntelligence for APIs for yourself, sign up for a free, no-obligation trial.

Try Ping

#3438 | 05.19.2020 | v008