As cybersecurity teams work to secure their computing environments and stay ahead of risk, two areas stand out: external attack surfaces and Application Programming Interfaces (APIs). Neither is new, but both have been overlooked or inadequately addressed. Attack surfaces, internal and external, have existed for as long as networked systems have; APIs are the more recent of the two concerns. This article first covers Attack Surface Management (ASM), its elements, the typical gaps in penetration testing and how to close them, and why organizations should prioritize External Attack Surface Management (EASM). Finally, it covers using EASM to discover and secure APIs.
Attack Surface Management (ASM)
We first need to understand ASM before discussing how to use it to reduce API risk. NIST defines the attack surface as “The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.” ASM is the ongoing process of discovering, inventorying, assessing, and reducing those points.
Elements of Attack Surface Management
The practice behind ASM has existed for many years, but the term is newer. Related terms, often used interchangeably with it, are vulnerability management and threat and vulnerability management, and in recent years "vulnerability management" has commonly come to mean little more than vulnerability scanning. Vulnerability scanning is an essential piece of ASM, but only one piece.
Organizations define their attack surface and reduce risk through vulnerability scanning, vulnerability assessments, and penetration tests. Vulnerability scanning should be done frequently on a recurring basis. While scanning is helpful, it finds only what its signatures cover and cannot tell you how findings chain together, so it is not as effective as a penetration test. The dilemma is that penetration tests cannot be done as often because of time and resource constraints. Penetration tests assess security from a threat actor's perspective and are essential to understanding the real risk of a vulnerability. Vulnerability assessments are like penetration tests but do not include exploitation. Exploitation can be too risky in some environments, such as hospitals, or where technologies such as Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) are in use. A good ASM program includes recurring vulnerability scanning, vulnerability assessments, penetration tests, and continuous monitoring of the attack surface to keep an accurate inventory of assets.
APIs and the Risks
Interconnectivity and integration have long been a challenge in a constantly evolving technology landscape. It is common for applications on multiple platforms to share resources such as databases, and APIs have become the standard way to address this. APIs are used with cloud services, IoT (Internet of Things), ICS (Industrial Control Systems), and web and mobile applications; they make seamless connectivity between diverse technologies possible and less complicated. Like any other technology, however, APIs can add vulnerabilities to the attack surface and give threat actors an opportunity to exploit them and gain a foothold in the organization. APIs present security risk, and they are also needed to improve and optimize processes; the answer is to manage the risk, not to avoid the technology.
We must understand those risks and how to reduce the resulting exposure on the attack surface; ASM is an effective method for doing so. API vulnerabilities have become more common and are now a common vector for attackers. API security is often overlooked and sometimes not understood. As with many other technologies, the people who develop, administer, and secure APIs may not have had the required training: the timelines were short, the technology was implemented, and the education was skipped. Cybersecurity professionals and IT staff are sometimes behind the curve on new technologies; IoT and cloud are other examples where some professionals are still catching up.
Prioritizing External Attack Surface
Why prioritize the external attack surface? The whole attack surface must be addressed, but the external attack surface is the part that any threat actor on the Internet can reach, and it is harder to define because discovering every Internet-exposed asset is difficult. Those Internet-facing assets include APIs, which are easily overlooked. Annual or biannual external penetration tests and recurring external vulnerability scans are not enough.
Addressing EASM Gaps and Optimization Opportunities
Compliance-driven penetration tests have shaped how penetration tests are performed. PCI DSS (Payment Card Industry Data Security Standard) requirements increased the demand for penetration testing, but a test done to satisfy PCI does not cover environments outside the PCI scope, and budgets, time, and effort have been concentrated there. That compliance mindset has carried over into non-compliance assessments as well. Reconnaissance, including OSINT (Open-Source Intelligence), is often cut short or skipped entirely, which misses assets and vulnerabilities that put the organization at risk. It is hard to protect or assess assets you do not know about, and unknown assets are a serious problem. Assets are missed because of mergers and acquisitions, and incomplete asset inventories are common. Internal assets are easier to discover; external inventories are harder to manage. Shadow IT has been a problem for years, and the cloud makes it even easier to deploy servers and other resources quickly. When that happens outside the organization's IT processes and security guidelines, risk is introduced. An accurate asset inventory is fundamental to reducing your attack surface.
The overall attack surface is important, but the focus of this article is on external Internet-exposed APIs. We need to discover and assess all external-facing APIs, and once that is accomplished, vulnerabilities can be remediated and APIs can be secured.
Time and resources affect the results of penetration tests. The more time available for an assessment, the more opportunity there is to discover vulnerabilities, and the number of people testing matters too; that has been one of the strengths of bug bounties and crowdsourced penetration testing. Adversary emulation, also known as red teaming, assesses not only technical controls but also the effectiveness of security staff, incident response, and detection capabilities. Purple teaming is another way to improve an organization's security posture. Bug bounties and External Attack Surface Management (EASM) platforms are good ways to address gaps in an ASM program. EASM platforms perform many of the same tasks as a vulnerability assessment, and some also provide exploitation guidance. They use reconnaissance and OSINT to uncover unknown assets and help keep the asset inventory accurate.
Securing APIs with EASM
EASM follows a methodology similar to penetration testing and vulnerability assessment. The first requirement is to define the external attack surface by performing reconnaissance, including OSINT, to discover assets, APIs among them. This helps with shadow IT, hosts overlooked during mergers and acquisitions, and building a more accurate external asset inventory. Keeping that inventory current and accurate is a continuous process. Start by collecting all known IP addresses and domain names. Use Autonomous System Numbers (ASNs) and the regional Internet registries to discover the IP address ranges the organization owns. From the domain names, perform subdomain enumeration to discover all subdomains; Subfinder is a popular and effective tool for this. Use Shodan, Crunchbase, and search engines for OSINT to uncover assets that other methods missed. Shodan is a search engine for servers and other Internet-connected devices and can surface exposed or vulnerable devices that other methods sometimes miss.
Crunchbase is a good resource for mergers and acquisitions, which in turn point to assets that need discovering. Google, Bing, and other search engines are also useful, and Google dorks (advanced search operators) sharpen those searches. Take the known assets plus the IP addresses and subdomains discovered during reconnaissance and perform port and service scans. Since the focus is APIs, target web services. These are not always on the common TCP ports 80 and 443, so scan all 65535 TCP ports. OWASP Amass, popular with penetration testers and bug hunters, can support these discovery steps (subdomain enumeration and network mapping); note that it is an asset discovery tool, not a vulnerability scanner. Once the web services are identified, vulnerability scanning is the next step, and then the API endpoints themselves must be discovered. Some will show up during the scans, but fuzzing is the reliable method: Kiterunner is a good tool for REST API discovery because its wordlists are built from real API route definitions and it varies the HTTP method, and ffuf is a general wordlist-based fuzzer that probes each predefined word as a path. Expect catch-all pages that return 200 for any path; filter those out (ffuf's auto-calibration and response filters exist for this) so the results reflect real endpoints rather than the catch-all.
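The endpoint discovery step above, as an added example that is not code from the original article or from Kiterunner or ffuf. It runs a constructed mock API on localhost (its routes, the wordlist and the versioned prefixes are made up) and fuzzes it the way those tools do: fingerprint the catch-all response with a path that cannot exist, then report every (method, path) whose response differs from that fingerprint. A 405 or 401 is kept as a finding, because it proves the route exists even though this particular request was refused.

```python
"""Wordlist-based API endpoint discovery with catch-all (soft-404) filtering.

Added example, not from the original article. The mock API is a constructed
stand-in for a web host found during external reconnaissance.
"""
import http.server
import random
import string
import threading
import urllib.error
import urllib.request

# Constructed routes: a REST resource under a versioned prefix, a POST-only
# endpoint, and an endpoint that demands authentication.
KNOWN_ROUTES = {
    ("GET", "/api/v1/users"): (200, '{"users": []}'),
    ("POST", "/api/v1/login"): (400, '{"error": "missing credentials"}'),
    ("GET", "/api/v2/admin"): (401, '{"error": "unauthorized"}'),
}
CATCH_ALL = "<html>catch-all page</html>"  # served with 200 for any unknown path


class MockAPI(http.server.BaseHTTPRequestHandler):
    """Behaves like many real targets: every unknown path returns 200."""

    def _route(self, method):
        if (method, self.path) in KNOWN_ROUTES:
            code, body = KNOWN_ROUTES[(method, self.path)]
        elif any(path == self.path for _, path in KNOWN_ROUTES):
            code, body = 405, '{"error": "method not allowed"}'  # route exists
        else:
            code, body = 200, CATCH_ALL  # soft-404: a naive fuzzer reports this as a hit
        self.send_response(code)
        self.send_header("Content-Type", "application/json" if body.startswith("{") else "text/html")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        self._route("GET")

    def do_POST(self):
        self._route("POST")

    def log_message(self, *args):  # silence per-request logging
        pass


def start_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockAPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore http_proxy


def probe(base, method, path):
    """Return (status, body_length) for one request; 4xx/5xx are data, not errors."""
    req = urllib.request.Request(base + path, method=method, data=b"" if method == "POST" else None)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def baseline(base, method):
    """Fingerprint the catch-all response using a path that cannot exist."""
    junk = "/" + "".join(random.choices(string.ascii_lowercase, k=20))
    return probe(base, method, junk)


def discover(base, words, prefixes=("/api/v1", "/api/v2"), methods=("GET", "POST")):
    """Map (method, path) -> status for every response unlike the catch-all.

    Real catch-all pages often echo the path, so their size varies; ffuf's
    auto-calibration and size/word filters exist for that case. This example
    compares status code and body size only.
    """
    signature = {m: baseline(base, m) for m in methods}
    found = {}
    for prefix in prefixes:
        for word in words:
            path = "%s/%s" % (prefix, word)
            for method in methods:
                status, size = probe(base, method, path)
                if (status, size) == signature[method]:
                    continue  # indistinguishable from the catch-all page
                found[(method, path)] = status
    return found


def run_demo(words=("users", "login", "admin", "health")):
    srv, base = start_server()
    try:
        return discover(base, words)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for (method, path), status in sorted(run_demo().items()):
        print(method, path, status)
```

Six of the sixteen probes come back as findings: the three real routes, the three 405s that reveal the same paths under the other method, and nothing for words such as `health` or for `/api/v2/users`, which the catch-all would otherwise have reported as live endpoints.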
Automation or an EASM platform can perform the tasks described above continuously. Done by hand, the effort is similar to a penetration test and consumes a lot of time and people. Automation and EASM platforms make the process consistent and repeatable, which is what makes frequency possible. EASM platforms are built on automation, and some also use Artificial Intelligence and Machine Learning.
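What the automated, recurring run has to do with its results, as an added example that is not from the original article or any EASM product: reconcile one run's discovered hosts against the known domains, the IP ranges obtained from ASN and registry lookups, and the previous inventory, and label each host so someone can act on it. All domains, ranges, ports and hostnames below are constructed.

```python
"""Reconcile one reconnaissance run against the known external asset inventory.

Added example, not from the original article. Root domains, IP ranges, the
previous inventory and the discovered hosts are constructed; in practice the
ranges come from ASN and regional registry lookups, and the hosts from subdomain
enumeration plus a full TCP port scan.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    ports: tuple  # open TCP ports observed in this run


# Constructed: domains and address ranges the organization is known to own.
KNOWN_DOMAINS = ("example.com", "example-payments.net")
KNOWN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed: the inventory as of the previous run (hostname -> open ports).
PREVIOUS_INVENTORY = {
    "www.example.com": (443,),
    "api.example.com": (443,),
    "vpn.example.com": (443,),
}


def in_known_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def owned_domain(name):
    return any(name == d or name.endswith("." + d) for d in KNOWN_DOMAINS)


def classify(host, inventory):
    """Label a discovered host so the right team can act on it.

    known          : already inventoried, no new open ports
    new-exposure   : inventoried, but a port opened since the last run
    shadow-it      : never inventoried, yet lives in the organization's own IP space
    review-hosting : organization-owned name pointing outside its IP ranges
                     (cloud, SaaS or an acquired company's hosting); confirm the owner
    out-of-scope   : neither an owned name nor an owned address
    """
    if host.name in inventory:
        new_ports = set(host.ports) - set(inventory[host.name])
        return "new-exposure" if new_ports else "known"
    if in_known_range(host.ip):
        return "shadow-it"
    if owned_domain(host.name):
        return "review-hosting"
    return "out-of-scope"


def reconcile(hosts, inventory):
    """Group this run's hosts by label and list inventory entries that vanished."""
    report = defaultdict(list)
    for host in hosts:
        report[classify(host, inventory)].append(host.name)
    seen = {h.name for h in hosts}
    report["missing"] = sorted(set(inventory) - seen)  # decommissioned, or a recon gap
    return dict(report)


# Constructed results of one run of subdomain enumeration and port scanning.
DISCOVERED = [
    Host("www.example.com", "203.0.113.10", (443,)),
    Host("api.example.com", "203.0.113.20", (443, 8443)),
    Host("dev-api.example.com", "203.0.113.77", (8080,)),
    Host("payments.example-payments.net", "192.0.2.50", (443,)),
    Host("cdn.thirdparty-example.org", "192.0.2.9", (443,)),
]


if __name__ == "__main__":
    for label, names in sorted(reconcile(DISCOVERED, PREVIOUS_INVENTORY).items()):
        print(label, names)
```

The two labels worth alerting on after every run are new-exposure (a known host opened a port, here 8443 on the API host) and shadow-it (a host in the organization's own address space that nobody inventoried). The missing list is as important as the additions: a host that disappeared from the results may have been decommissioned, or the run may simply have failed to find it.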
Many thanks to Jason Haddix and Katie Paxton-Fear for their contributions to the cybersecurity community through their content, presentations, and education efforts.
The CyCognito platform is a cloud-native Software as a Service (SaaS) solution built to accelerate the remediation of risk from an organization’s Internet-exposed assets. Through continuous, automated organizational structure mapping, asset discovery, security testing, and issue prioritization, CyCognito fills skills and resource gaps and empowers security teams to prevent breaches and respond efficiently.
Reconnaissance reference: Jason Haddix’s “The Bug Hunter’s Methodology.”
API discovery credit: Katie Paxton-Fear aka InsiderPhD – My API Testing Automated Toolbox https://www.youtube.com/c/InsiderPhD
For further information on API penetration testing, see Corey Ball, “Hacking APIs: Breaking Web Application Programming Interfaces” (No Starch Press).