Web applications — and the Application Programming Interfaces (APIs) that enable businesses to connect their apps with partners and users — are a top prize for cyberattackers.

As the building block of today’s web applications, APIs have become the attack vector of choice due to their ubiquity and lack of understanding on how to best secure them. This is part of a worrying trend. A recent study from Gartner states that by 2025, less than 50% of enterprise APIs will be managed. This startling prediction is based on the fact that APIs have become a victim of their own success, and their growth is overtaking security teams’ abilities to manage them.

Making matters worse is that today’s threat environment is wildly complex. Attackers understand that a security team’s priority is to stop them — and they plan accordingly. Unfortunately, security teams armed with more traditional approaches are often unprepared for this reality. It is past time that security leaders look toward a new approach to secure APIs.

New cyberattack patterns require modern solutions

Attackers unleash armies of bots, morph IP addresses and create complex scenarios that make it nearly impossible to rely on the legacy approach — identifying signatures of known threats — to defend web applications and APIs.

There are currently two primary options for legacy threat detection solutions: “threat intelligence” and rules. Threat intelligence is typically nothing more than the ability to import known IPs, user agents, or other static characteristics about known bad actors. It is important to note, however, that not all threats fit neatly into these categories.

Rules are primarily pattern recognition elements that evaluate a single request and “match” it against a known list of malicious identifiers. While this approach will identify the unsophisticated attackers, mature and more modern attackers know these techniques all too well and are constantly evolving their cyberattack patterns to avoid detection. Because of this, security teams that attempt a rules-based approach face constant tuning while they play catch-up, which is both ineffective and time consuming.

Risk of rules in today’s threat landscape

Rules were feasible approaches when threats were immature and predictable, but those days are long gone. Consider these points:

• A rule requires someone to have conclusively identified a pattern in the attack that can be described in a static rule.
• New attacks are discovered all the time, meaning security teams must constantly create and apply new rules; this is a significant resource burden.
• Rules-driven security for web apps and APIs assumes the ability to clearly identify and label a threat as such.

What does this all mean for security programs centered on rules? As more and more rules are created, the strategy becomes more and more tenuous. Rules become quickly outdated and clutter the comprehension of how the solution is configured. And, in what may create greater business risk, rules often begin matching against normal application or user behaviors, forcing security teams to balance attack detection vs. blocking legitimate traffic. In 2022, with much commerce being “online first,” blocking legitimate traffic can be a death knell for some organizations, including small businesses. But, there is a better choice.

Using attacker behavior to defend web application & API security

Attackers rarely, if ever, follow a linear path in efforts to breach an adversary. Threats are multi-pronged, change over time and can shift patterns. Attacks may begin slowly and ebb over time before reappearing after a month or more. Attackers are also skilled in creating evasion techniques that make it extremely hard for a rule to serve as an effective line of defense. For instance, some threat actors understand security teams’ thresholds and deftly navigate a network without setting the alarm bells off.

To defend in today’s threat environment, companies must accept this reality. And, in this context, understanding the motivations and intent of the threat is key to defending web applications and APIs. Security teams must be able to identify the traits and behaviors of an attacker to identify, track and defend against today’s sophisticated security threats.

It is imperative that organizations identify key behavioral elements of an attack and respond before any lasting damage is done. Using attacker behavior to inform security defenses empowers organizations to effectively guard web applications and APIs, and puts attackers on their heels, forcing them to scramble and evolve their attack patterns to evade detection.

Organizations should look to further understand the threats they face through analytics. Continuously monitoring all users as they interact with an application or API while looking for key indicators of suspicious behavior is an important step in this process. Even better, work to track risk over time and across multiple applications.

This combination allows security teams to track suspicious and malicious users across multiple IPs as they use various evasion techniques and modify the attack parameters. The key to this approach is shifting from “pattern matching” against a single request to truly monitoring each user and their behaviors to increase efficacy without blocking legitimate traffic.

By tracking and analyzing the behavior of attackers over time, organizations can gain a much more complete and precise view of risk — both immediately and borne through low and slow attacks over time. This level of behavioral insight gives security teams the most complete defense against web app and API attackers. This insight puts security teams back in the driver's seat of their organizational security in a more proactive posture while leaving the legacy rulebook where it belongs: in the past.