Behavioral Analysis & API Security: After the Fact and Behind the Curve

Behavioral analysis and ML/AI pattern recognition won't stop many of the most common API attacks.


Application Programming Interfaces (APIs) are the critical bridges between business logic and data, enabling applications to communicate, share data, and work together seamlessly. APIs underpin a wide range of technologies, from mobile apps to cloud services, forming a near-ubiquitous presence in modern life.

As APIs have evolved, so too has their attack surface. Cybercriminals have never had a wider attack surface than they have today, and that scenario is only going to grow. Proper security, then, is not just a good idea or a best practice, but is instead a fundamental requirement for any internet-connected service.

But how is one supposed to defend against a threat that is ever-evolving, shifting and growing in both sophistication and potential damage?

Behavioral Analysis

As attacks have grown more complex, many organizations have pivoted to a security posture that depends heavily on data and analysis. One element of this posture is behavioral analysis. A system that uses behavioral analysis builds a model of the typical, “normal” patterns of API requests, responses, and behaviors. This model forms the core definition of what is “correct” within a given API’s context, and any deviation from it – say, an attack on a critical resource which uses an endpoint in a way that it was not designed to be used – can potentially be detected and mitigated.

Instead of relying only on signatures, behavioral analysis systems observe behaviors over time, building a model of request frequency, types of interactions, sequences of actions, response metrics, and so on, which lets the system refine its understanding as threats evolve. Any deviation from this baseline can then be considered “incorrect”, allowing both an immediate response and longer-term learning that establishes a new baseline which recognizes this particular type of attack in the future.

Artificial Intelligence and Machine Learning

This behavioral analysis approach has been bolstered by recent developments in Artificial Intelligence (AI) and Machine Learning (ML). AI and ML are designed to recognize patterns and to build an understanding from those patterns, making them a natural fit for this kind of approach. AI and ML can learn the typical behavior as a baseline, and can also extend that understanding with additional context, learning from it and adapting.

AI and ML-driven solutions are important because they offer a training regimen for a behavioral system. Behavioral analysis on its own can only look at the actions taken upon a system to classify them as “correct” or “incorrect” within a rather rigid framework. AI and ML systems, however, have the potential to be more flexible and adaptive, digging deeper into the actions and behaviors to form a better model.

A huge benefit of integrating AI and ML into behavioral analysis is the increased capacity of the system at large. Behavioral analysis can be very resource intensive, scaling cost with complexity. AI and ML, however, can short-circuit some of this by training their algorithms and systems upon other data sets and systems. By bundling lessons learned from other data sets with active behavioral tracking for the “home” system, patterns can be learned across the web, enabling more effective response to new problems as they arise.

The Curse of Reactivity

Unfortunately, behavioral analysis is often simply not enough, whether driven by AI and ML or not. This comes down to a fundamental truth – behavioral analysis is ultimately reactive by design. Behavioral analysis depends on detecting something being “out-of-band” – as such, an issue must occur first before a problem can be reacted to. 

In the web space, the initial breach or intrusion can often have dire consequences regardless of what follows. Data can be exfiltrated, systems can be compromised, and vulnerabilities can be implanted for future exploitation, all in the span of a few moments. Waiting to learn from such incidents is akin to shutting the barn door after the horses have bolted. For many organizations, especially those dealing with sensitive data like financial institutions, healthcare providers, or government agencies, even a single breach can be catastrophic in terms of financial, reputational, and regulatory repercussions.

In essence, instead of mitigating a threat, “out-of-band” solutions largely end up just documenting the issue once the damage is done for future prevention.

Non-Contextual Mitigation

A big cause of this issue is the simple fact that behavioral analysis is often detached from real-time context. Because the problem is mitigated after the request has been processed rather than while it is in flight, the immediate situational context required to truly mitigate the problem as it is happening is often missing. This results in behavioral systems relying almost entirely on network traffic data. Besides the fact that this data is very specific to the implementation and the case at hand, there is also the major problem that it fundamentally lacks any sort of application-layer context, resulting in data that is of far less utility than it might seem at first glance.

Application-layer context would provide a large amount of information that could be used to evaluate the severity of the attack, its broader context within the system as a whole, and even the threat of continued damage. Instead, behavioral analysis largely says “yeah, that wasn’t good, we should stop it next time”.

False Positives

There’s also the omnipresent problem of false positives. Because behavioral analysis requires an understanding of what is “normal”, anything that deviates – whether the deviation comes from first-time users, from developers and users with legitimate use cases, or from an actual attacker – will be considered wrong. This leads to a large number of false positives, which can ultimately make a system less effective through three core issues.

The first of these issues is that false positives are distractions. When you are only dealing with one or two false positives, it’s easy to discern the noise from the threat. The reality is, however, that these systems are only growing more complex and more interconnected. As this complexity grows, so too will the amount of false positives, increasing the ratio of noise to threat and potentially distracting from real problems. 

“The problem of any anomaly-based model is its high false-positive rate.”


Second, and perhaps more critical, is the fact that false positives lead to alert fatigue. Alert fatigue is when a solution generates so many alerts that the security team becomes “blind” to them. When this occurs, real problems are more likely to slip through defenses, and the fatigue that is introduced can be exceptionally damaging over time, leading to a weaker security posture and a poorer performance in practical applications.

Finally, an exceptionally high level of false positives also reduces credibility of the security solution. You are supposed to be able to trust your solution to do the right thing and give you actionable information. When you no longer trust your solution, you are more likely to miss problems as they arise, thereby reducing effectiveness while still gaining all the negatives of the system in question.

These issues lead to one overarching issue that is simply unavoidable – the “attacker’s advantage”. The core concept here is that before a system can learn from an anomaly and categorize it as a threat, the attacker has likely already achieved some level of success. This creates a “learning gap”, where the first instance of a new attack could bypass the security measures designed to mitigate it simply because it has not yet been recognized, classified, and learned from.
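To make the baseline model, the false-positive problem and the learning gap concrete, here is a small anomaly detector over API request logs. It is an added illustration written for this article, not code from FireTail or from any product the article mentions; every request in it is constructed, and the client names, endpoints and the "mean plus three standard deviations" rate rule are assumptions chosen for the demonstration. It learns which endpoints and which per-client request rates are "normal" from ten minutes of routine traffic, then runs two constructed streams through that baseline: a first-time customer using a valid endpoint the baseline never saw (flagged, a false positive), and a single client bursting through user ids (flagged only once its count exceeds the learned threshold, after several requests have already been served).

```python
"""Toy behavioral baseline for API traffic (added example, not FireTail code).

All traffic below is constructed for the demonstration.
"""
from __future__ import annotations

import re
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ts: float      # seconds since an arbitrary epoch
    client: str    # API key or account id (assumed identifier)
    method: str
    path: str


@dataclass
class Baseline:
    endpoints: set[tuple[str, str]]   # (method, normalized path) seen in training
    rate_mean: float                  # mean requests per client-minute
    rate_sd: float                    # population std dev of that rate

    @property
    def rate_threshold(self) -> float:
        # Assumed rule: a client-minute is anomalous above mean + 3 standard deviations.
        return self.rate_mean + 3 * self.rate_sd


@dataclass(frozen=True)
class Alert:
    kind: str                   # "endpoint" (unknown route) or "rate" (burst)
    client: str
    request_index: int          # position in the stream that tripped the rule
    requests_before_alert: int  # same-client requests in that minute already served


_ID_SEGMENT = re.compile(r"^\d+$")


def normalize(path: str) -> str:
    """Collapse numeric path segments so /users/17 and /users/42 are one endpoint."""
    return "/".join("{id}" if _ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def window(req: Request) -> tuple[str, int]:
    """Bucket a request into a (client, minute) window."""
    return req.client, int(req.ts // 60)


def learn_baseline(training: list[Request]) -> Baseline:
    """Learn the endpoint set and the per-client-minute rate distribution."""
    endpoints = {(r.method, normalize(r.path)) for r in training}
    counts = list(Counter(window(r) for r in training).values())
    return Baseline(endpoints, statistics.mean(counts), statistics.pstdev(counts))


def detect(baseline: Baseline, stream: list[Request]) -> list[Alert]:
    """Replay a stream against the baseline; each rule fires once per client-minute."""
    alerts: list[Alert] = []
    seen: Counter = Counter()
    fired: set[tuple[str, int, str]] = set()
    for i, req in enumerate(stream):
        key = window(req)
        seen[key] += 1
        endpoint = (req.method, normalize(req.path))
        if endpoint not in baseline.endpoints and key + ("endpoint",) not in fired:
            fired.add(key + ("endpoint",))
            alerts.append(Alert("endpoint", req.client, i, seen[key] - 1))
        if seen[key] > baseline.rate_threshold and key + ("rate",) not in fired:
            fired.add(key + ("rate",))
            # Everything counted before this request was already served: the learning gap.
            alerts.append(Alert("rate", req.client, i, seen[key] - 1))
    return alerts


# Constructed routine traffic: three clients, ten minutes, 2-4 requests per client-minute.
_ROUTINE = [("GET", "/users/101"), ("GET", "/orders"), ("POST", "/orders"), ("GET", "/users/102")]


def make_baseline_traffic() -> list[Request]:
    reqs = []
    for minute in range(10):
        for ci, client in enumerate(("mobile-app", "partner-x", "web-frontend")):
            for k in range(2 + (minute + ci) % 3):
                method, path = _ROUTINE[k]
                reqs.append(Request(minute * 60 + k * 10.0, client, method, path))
    return reqs


def make_test_traffic() -> list[Request]:
    """Constructed: a legitimate first-time client on an unseen route (minute 10),
    then one client issuing 60 requests across user ids within minute 11."""
    stream = [Request(600.0, "new-customer", "GET", "/export")]
    stream += [Request(660.0 + j, "bulk-client", "GET", f"/users/{j}") for j in range(60)]
    return stream


if __name__ == "__main__":
    baseline = learn_baseline(make_baseline_traffic())
    print(f"rate threshold per client-minute: {baseline.rate_threshold:.2f}")
    for alert in detect(baseline, make_test_traffic()):
        print(alert)
```

The rate alert carries `requests_before_alert`, the number of requests from that client that the API had already answered before the detector could say anything; that count is the "attacker's advantage" in miniature, and it only grows if the threshold is loosened to quiet the endpoint-rule false positive on the new customer. Tightening one rule worsens the other, which is the trade-off the three false-positive issues above describe.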

Proactive, Not Reactive

In many scenarios, allowing attackers even a brief window of opportunity is simply unacceptable. Learning after the fact, while valuable for future reference, doesn't offer much when dealing with the immediate aftermath of a security incident, and it certainly can’t undo the damage that has likely already been done. Relying solely on post-breach learning is akin to treating the symptoms rather than preventing the ailment.

Security strategies need to anticipate and block potential threats, rather than merely reacting to them, to ensure robust and uncompromising protection. When billions of API calls are made every day, the interval between an attacker's initial move and the potential fallout can be mere seconds. These attacks, especially when automated and orchestrated using advanced tools, can compromise systems, steal data, or cause operational disruptions in real-time. Playing catch-up with a behavioral system is not enough.

Accordingly, a proactive approach to API security which emphasizes stopping threats before they manifest has to be a critical part of the modern data security approach. Real-time monitoring, pre-threat analysis and introspection, immediate response mechanisms informed by proactive monitoring, and other such mechanisms can mitigate and minimize potential damage while keeping systems safe and operational.

Given the reactive nature of behavioral analysis, it's essential to complement such systems with inline analytics, context-aware security measures, and proactive surveys to identify likely threat vectors. The security posture must be multi-layered, and it must be built with systems that are constantly vigilant and learning to preempt known and emerging threats.

FireTail As a Solution

FireTail offers one of the most feature-complete solutions to deliver true end-to-end security that is proactive and effective.

Stay Ahead of Threats with Alerting and Monitoring

FireTail enables systems to get ahead of threats. Instead of just responding to a problem, FireTail helps users set specific conditions, metrics, and thresholds for active and contextual detection and response to security events. Active monitoring is one of the most effective approaches security professionals have to mitigating problems in real-time, and FireTail offers this in spades! FireTail’s alerts aren’t just highly effective, they’re also highly customizable – alerts can be tuned to the right context, the right scenario, and the right data flow. With FireTail, you’re in control of the how and why of your alerts system.

Holistic Security Posture Management

With Security Posture Management, users can gain a comprehensive visibility of the underlying API system and its security components in a single, centralized dashboard. This top-down view of your security posture allows for a more comprehensive overview of the holistic security offering, accelerating maturation, improving visibility, and connecting security professionals with the keys they need to secure the kingdom.

Effective API Auditing with API Audit Trail

FireTail offers a comprehensive auditing system for better logging and insights. This centralized system grants unprecedented insight into events, creating a long-term log that can be audited against potential breaches, incident responses, and custom events!

API Inventory Management

The API Inventory feature allows developers and providers to fully understand their API system, tracking and managing APIs with ease. Proper security can only be maintained through robust understanding of the underlying system, and this Inventory solution delivers just that.

Agentless Integration Delivers API Security

Utilize FireTail’s cutting-edge agentless integration to detect and record API actions behind AWS's default API gateway, guaranteeing thorough oversight without needing extra agents.

Enhanced Security and Deployment

With just a few lines of code, you can seamlessly deploy the FireTail library to achieve application-layer visibility across all of your APIs, enabling real-time API call inspection, malicious call blocking, and centralized logging.

Schedule a demo today to see what FireTail could do for your API security strategy.