How to recognize and repel four high-risk attack types
After years of helping protect companies in a variety of industries, we’ve come to recognize four common attack types — and we know how to counter them. Today, we’ll take a look at the types of attacks you’re up against and what measures you can take to defend your web apps and APIs.
1. Credential stuffing
More than 80% of all breaches now involve the use of stolen credentials to access sensitive data, according to Verizon’s 2021 Data Breach Investigations Report. Attackers use these credentials to take over accounts, gain access to private internet of things (IoT) devices, and chain attacks by accessing account recovery email addresses. Credential stuffing is the primary tactic behind account takeover attacks, but its signs differ from those of dictionary attacks or brute-force password guessing.
Credential stuffing attacks are typically distributed over a large number of IP addresses, so no single source appears to be testing a high volume of stolen credentials. Attack indicators include login attempts from geographies that are atypical for your users and an unexpected rise in failed login attempts. Another possible clue is successful logins from suspicious IP addresses.
Instead of outright blocking all access, choose more calibrated tactics to confirm whether valid users are initiating login attempts. For example, require two-factor authentication, establish a baseline for the volume of requests to key authentication actions (login attempts, email address resets, and password reset requests), and monitor against that baseline. Temporarily block requests that exceed the expected thresholds. Above all, equip yourself with security tools that offer visibility into specific types of authentication events; these are essential for detecting credential abuse.
This kind of calibrated, adjustable response is particularly important for businesses that focus on rolling out new features, patching code, and blocking attacks as fast as possible. If you use DevOps processes to develop, deploy, and manage your applications, you need alerting integrated into the communication channels you use to track issues and fixes. An application security tool that provides real-time feedback into the DevOps cycle can be the difference between dealing with an application security issue in real time and dealing with a breach after the fact.
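The three indicators above (failed-login volume against a baseline, failures spread thinly across many source IPs, and successes from addresses never seen for an account) can be computed from ordinary login events. The following is an added example, not code from the original article; the events, the per-account IP history and the baseline of three failures per minute are all constructed for the demonstration.

```python
from collections import Counter

# Constructed login events (not real traffic): (minute, username, source_ip, outcome)
NORMAL_EVENTS = [
    (0, "alice", "198.51.100.5", "success"),
    (1, "bob", "198.51.100.9", "fail"),
    (1, "bob", "198.51.100.9", "success"),
]
# Constructed stuffing burst: 40 different accounts, each tried once from a
# different address, plus one stolen credential that happens to still work.
STUFFING_EVENTS = [(2, f"user{i}", f"203.0.113.{i}", "fail") for i in range(40)]
STUFFING_EVENTS.append((2, "carol", "203.0.113.99", "success"))
ALL_EVENTS = NORMAL_EVENTS + STUFFING_EVENTS

# Assumed per-account history of addresses that previously logged in successfully.
KNOWN_IPS = {"alice": {"198.51.100.5"}, "bob": {"198.51.100.9"}, "carol": {"198.51.100.20"}}

BASELINE_FAILS_PER_MINUTE = 3  # assumed baseline measured from normal traffic


def summarize_minute(events, minute):
    """Per-minute counts that the indicators below are built from."""
    window = [e for e in events if e[0] == minute]
    per_ip = Counter(e[2] for e in window)
    return {
        "failed_logins": sum(1 for e in window if e[3] == "fail"),
        "distinct_ips": len(per_ip),
        # Few attempts from any single address plus many failures = distributed attack.
        "max_attempts_per_ip": max(per_ip.values(), default=0),
        "accounts_tried": len({e[1] for e in window}),
    }


def stuffing_indicators(events, minute, baseline=BASELINE_FAILS_PER_MINUTE):
    """Return the credential-stuffing indicators that fire for one minute of traffic."""
    s = summarize_minute(events, minute)
    flags = []
    if s["failed_logins"] > 3 * baseline:
        flags.append("failed-login volume above baseline")
    if s["failed_logins"] >= 10 and s["max_attempts_per_ip"] <= 2:
        flags.append("failures spread across many source IPs")
    return flags


def successes_from_unknown_ips(events, known_ips=KNOWN_IPS):
    """Successful logins from an address never seen before for that account."""
    return [(user, ip) for _, user, ip, outcome in events
            if outcome == "success" and ip not in known_ips.get(user, set())]
```

Minute 1 raises no flags, while minute 2 trips both volume and spread indicators and surfaces carol's login from an unfamiliar address as the success worth investigating.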
2. API abuse
The explosion of native mobile and single-page web apps has brought with it a trend toward targeting data through APIs. As applications are increasingly deployed to cloud infrastructure and maintained by specific development or DevOps groups, RESTful APIs and microservices have proliferated. This growing popularity has made APIs a bigger target for attacks. In fact, injection attacks are included as a top security risk in both the OWASP Top 10 and API Top 10 lists.
Brute force attackers often find a critical API service and overwhelm it with requests, breaking an application because it can’t access an essential resource. More subtle attackers look for ways to use an API to their ends, stealing data by sending requests that appear legitimate. Often attackers look for APIs that allow anyone to guess identifiers for resources like user accounts or consumer rewards. If your API lacks security or has a broken authentication mechanism, it can open the system to abuse.
Attacks on APIs often appear legitimate but may contain strange patterns, use out-of-date credentials, or occur much more frequently than legitimate traffic. Indicators may involve unusually high volumes of API requests, invalid API requests, improper cookies, or attempts to connect from an untrusted device. Another giveaway that something’s wrong: API requests that lack proper authorization and come from unexpected geographic areas or attempt to access protected data.
You don’t want to block customers from accessing your cloud-based applications, so initial mitigation should start with investigating suspicious IP addresses and attack clusters; the patterns they reveal become the basis for more extensive mitigations. Use a WAF that lets you easily create rules to block attack patterns, and to block API access from IP addresses or geographic areas your organization does not do business in.
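The guessable-identifier and broken-authorization problems described above come down to how an API handler checks who is asking for which record, and the "unusually high volume of invalid requests" indicator is what a client probing identifiers leaves behind. The example below is added here and is not the article's or any vendor's code; the reward store, the error threshold of 20 and the status codes are constructed for the demonstration.

```python
import secrets
from collections import Counter

# Constructed in-memory store of consumer reward records: id -> (owner, balance)
REWARDS = {}

def create_reward(owner, balance):
    reward_id = secrets.token_urlsafe(16)  # opaque, unguessable id, not a sequential integer
    REWARDS[reward_id] = (owner, balance)
    return reward_id

class ApiError(Exception):
    def __init__(self, status):
        super().__init__(status)
        self.status = status

def get_reward_insecure(reward_id):
    # Broken object-level authorization: existence is the only check, so any caller who can guess an id reads it.
    if reward_id not in REWARDS:
        raise ApiError(404)
    return REWARDS[reward_id]

def get_reward(caller, reward_id):
    # Hardened handler: require an authenticated caller and enforce ownership.
    if caller is None:
        raise ApiError(401)
    record = REWARDS.get(reward_id)
    # Same 404 for "missing" and "not yours", so responses never confirm which ids exist.
    if record is None or record[0] != caller:
        raise ApiError(404)
    return record

# Error responses per client: a client racking up 404s is probing identifiers.
ERRORS_BY_CLIENT = Counter()
ERROR_LIMIT = 20  # constructed threshold; tune it from a baseline of legitimate traffic

def handle_request(caller, reward_id):
    try:
        return 200, get_reward(caller, reward_id)
    except ApiError as err:
        client = caller or "anonymous"
        ERRORS_BY_CLIENT[client] += 1
        if ERRORS_BY_CLIENT[client] > ERROR_LIMIT:
            return 429, None  # block or challenge the client until it is investigated
        return err.status, None

def probe(caller, ids):
    return [handle_request(caller, i)[0] for i in ids]  # one request per identifier

ALICE_REWARD = create_reward("alice", 500)  # constructed sample record
```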
3. SQL injection
Many websites connect to backend SQL databases. Because they are ubiquitous and contain valuable information, attackers try to access them through websites. These SQL injection attacks can uncover sensitive product data (like inventory information), collect data on users (like addresses, phone numbers, and credit card information), or steal usernames and passwords.
To automatically block attacks, you need highly accurate detection. While simple pattern matching can detect SQL injection, it’s also prone to false positives and can miss new attacks. Being able to block attacks based on exceeding a request threshold is essential. Depending on the cadence of the attack, you’ll want to scrutinize incidents to decide whether a specific group is targeting your data assets, then secure against those attempts.
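To make concrete why pattern matching is both incomplete and prone to false positives while a parameterized query removes the injection entirely, here is an added example (not from the original article) using an in-memory SQLite table; the table, the rows and the naive filter are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory database standing in for the site's backend SQL store.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice@example.com"), ("o'brien", "ob@example.com")])

def lookup_insecure(username):
    # Vulnerable: the input is spliced into the statement, so quotes and
    # keywords in it are parsed as SQL rather than treated as a value.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup(username):
    # Hardened: a parameterized query sends the value separately from the
    # statement text, so the database never interprets it as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def naive_sqli_match(value):
    # The kind of simple pattern rule the text warns about: it flags the
    # tautology input but also the perfectly legitimate surname o'brien.
    patterns = ("'", "--", " or ", ";")
    return any(p in value.lower() for p in patterns)

def legit_input_breaks_insecure(username):
    # The other cost of concatenation: a harmless apostrophe is a syntax error.
    try:
        lookup_insecure(username)
        return False
    except sqlite3.OperationalError:
        return True
```

The textbook tautology input returns every row through the concatenated query and nothing through the parameterized one, while the parameterized query also handles o'brien correctly, which neither the concatenated query nor the pattern rule does.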
4. Business logic
In business logic attacks, bad actors learn how an app works and try to abuse specific parts of its design to achieve their aims. They often leverage publicly allowed features to steal information, gain account access, cause service disruption or otherwise abuse an app in unintended ways.
For example, parameters passed to a server to maintain session state can be reverse engineered to provide elevated privileges for the attacker. Ecommerce sites offering discounts based on user profiles can be circumvented by changing the profile. An app for a concert venue that holds seats for five minutes can be manipulated by an attacker to reserve a high volume of tickets.
Because they use valid application features, business logic attacks can be hard to detect. To protect your company, you must track indicators of application abuse and put in place application controls that watch for potentially risky signals such as unusual resource usage, performance degradation, anomalous API calls, or unexpected use of services.
Once you detect an attack, you can block misuse using specific rules until you update the application with mitigations. The best security tools allow you to define rules based on signals extracted from the application — user interaction and external data, such as user agents, request parameters, cookies, and other data linked to attackers. By employing these rules, you can gain better visibility into the attack and define automated actions to respond and block the malicious attempts to abuse your application.
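The concert venue case above is a good place to show what an application control and a signal extracted from the application look like in code. This is an added example, not the article's own; the five-minute hold comes from the text, while the cap of six concurrent holds per account, the review threshold of ten refused attempts and the fake clock are assumptions made for the demonstration.

```python
import time
HOLD_SECONDS = 5 * 60        # seats are held for five minutes, as in the text
MAX_HOLDS_PER_ACCOUNT = 6    # assumed business rule, not from the original
REJECTION_THRESHOLD = 10     # assumed: this many refused holds marks an account for review

class SeatHolds:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.holds = {}        # seat -> (account, expires_at)
        self.rejections = {}   # account -> number of refused hold attempts

    def _expire(self):
        now = self.clock()
        self.holds = {s: h for s, h in self.holds.items() if h[1] > now}

    def active_holds(self, account):
        self._expire()
        return [s for s, (owner, _) in self.holds.items() if owner == account]

    def hold(self, account, seat):
        """Try to hold one seat; refuse when the seat is taken or the account is at its cap."""
        self._expire()
        if seat in self.holds:
            return False
        if len(self.active_holds(account)) >= MAX_HOLDS_PER_ACCOUNT:
            self.rejections[account] = self.rejections.get(account, 0) + 1
            return False
        self.holds[seat] = (account, self.clock() + HOLD_SECONDS)
        return True

    def flagged_accounts(self):
        """Accounts whose refused attempts reached the threshold: a signal to block or review."""
        return [a for a, n in self.rejections.items() if n >= REJECTION_THRESHOLD]

class FakeClock:  # constructed clock so the demonstration runs without waiting five minutes
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

def simulate(account, seats, advance_after=0):
    """Attempt to hold every seat for one account; return (granted, still held, flagged)."""
    clock = FakeClock()
    service = SeatHolds(clock)
    granted = sum(service.hold(account, seat) for seat in seats)
    clock.advance(advance_after)
    return granted, len(service.active_holds(account)), service.flagged_accounts()
```

An account that tries to hold forty seats gets six, and its pile of refused attempts is the signal that marks it for an automated response; an ordinary customer's two holds simply lapse after five minutes.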
Choose the best tool for web defense
To gain better visibility into attacks on your apps and cloud infrastructure, you need security tools with flexible deployment options that work with edge tools to catch attacks you would otherwise miss. Your engineers need actionable data to help them fix bugs and improve their apps. The best web security tools also let you virtually patch issues to protect apps while giving decision-makers the data they need about potential attacks, so all stakeholders understand how threat actors attempt to leverage your web layer assets for their own ends.