Attack Detection and Threat Hunting – Common Topics We’re Asked About

August 1, 2024 | 4 MIN READ

by Jeff Harrell

This article is the fifth in a series of five covering key API security topics and provides some answers to common questions we often get when talking to potential customers. The series will cover the following topics:

API security needs are specific to individual organizations and their particular market or industry, and the Cequence Unified API Protection platform was developed with that in mind – it’s highly flexible, customizable, and built to grow with your business.

This article focuses on attack detection and threat hunting, a foundational component of the Cequence Unified API Protection platform. Attack detection and threat hunting are greatly simplified with Cequence compared to competitors that rely on data lakes to perform offline, delayed threat hunting. Cequence’s inline or passive deployment options not only let the platform identify and mitigate threats in real time but also enable near-real-time threat hunting for truly novel attacks. Cequence can either mitigate natively (inline deployment) or pass the attacker identifiers to a third party, such as a WAF, for mitigation (passive deployment). Mitigation options include logging, rate limiting, deception, and blocking.

The following are some common requirements that we’ve heard voiced by potential customers:

Explorable Transaction Data Lake

Cequence stores anonymized customer data for the short term for real-time analysis and supports long-term data retention (e.g., a data lake) as an add-on SKU. Cequence’s ability to detect and mitigate threats in real time removes most of the need for a data lake. Other vendors require a data lake to do their analysis and detection, delayed though it may be, and once threats are detected in that data lake they must rely on a third party (such as a WAF) for mitigation or blocking. Because Cequence’s real-time capabilities are far more efficient, long-term data storage is rarely needed for threat hunting and analysis.

Correlate and End-To-End Connect All Application API Transactions

Cequence includes a capability that visualizes end-to-end API flows in an attractive, easy-to-understand graphical interface. It enhances security team visibility by distinguishing between normal and malicious traffic, enabling personnel to quickly identify malicious activity and act on it with a single click, fully integrated, without relying on third-party products such as a WAF.

Deep API Transaction Context for API Incident Response and Threat Hunting

Cequence offers native real-time threat detection and protection without relying on a third-party tool such as a WAF. Cequence has taken a very different approach to API attack mitigation, using multi-dimensional machine learning (ML) techniques to analyze user behavior without requiring any client-side or application integration or instrumentation. Cequence analyzes behavioral intent across web, mobile, and API traffic, identifying legitimate behavior without relying solely on IP addresses, which can change or be spoofed. Attack traffic is likewise identified by its behavior, which the ML models continuously learn. This approach actively “fingerprints” incoming requests based on the similarity of their behavioral traits as analyzed by the ML models. Additionally, the open platform lets customers import security intelligence and export it to third-party systems such as SIEMs, anti-fraud tools, firewalls, and IDS/IPS systems.

Capture And Store Good, Suspicious, And Bad API Traffic for Analysis

Cequence not only captures and stores good, bad, and suspicious API traffic, but also fingerprints it using behavioral fingerprinting, providing the ability to track attacks as attackers retool. Traffic is stored by default for a short term, and optionally indefinitely in a data lake.
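As an added example of the idea behind the two sections above (behavioral fingerprinting that does not depend on source IP, and tracking a campaign as the attacker retools), the script below is illustrative code written for this article, not Cequence’s code or its ML models. The JSON-per-line log format, the field names (`hdrs`, `body_keys`, and so on), the sample log itself and the thresholds are all constructed assumptions. It groups login attempts by traits that describe how a client builds its requests (method, path shape, header order, Accept value, body key set) and deliberately ignores IP and User-Agent, then shows a distributed credential-stuffing run that a per-IP failure rule misses but the fingerprint cluster catches, even after the attacker swaps its User-Agent mid-campaign.

```python
import json
import re
from collections import defaultdict
from hashlib import sha256

# Constructed sample log (hypothetical format, one JSON object per line).
# An attacker stuffs credentials at /api/v1/login, rotating source IPs every
# two requests and switching User-Agent part-way through ("retooling").
# Two legitimate users log in from their own IPs with browser-shaped requests.
SAMPLE_LOG = """\
{"ts":1,"ip":"203.0.113.10","method":"POST","path":"/api/v1/login","ua":"python-requests/2.31","accept":"*/*","hdrs":"host,user-agent,accept,content-type","body_keys":["username","password"],"status":401}
{"ts":1.5,"ip":"198.51.100.200","method":"POST","path":"/api/v1/login","ua":"Mozilla/5.0 (Macintosh) Safari/605.1","accept":"application/json","hdrs":"host,user-agent,accept,accept-language,content-type,cookie,referer","body_keys":["username","password"],"status":200}
{"ts":2,"ip":"203.0.113.10","method":"POST","path":"/api/v1/login","ua":"python-requests/2.31","accept":"*/*","hdrs":"host,user-agent,accept,content-type","body_keys":["username","password"],"status":401}
{"ts":3,"ip":"203.0.113.11","method":"POST","path":"/api/v1/login","ua":"python-requests/2.31","accept":"*/*","hdrs":"host,user-agent,accept,content-type","body_keys":["username","password"],"status":401}
{"ts":4,"ip":"203.0.113.11","method":"POST","path":"/api/v1/login","ua":"python-requests/2.31","accept":"*/*","hdrs":"host,user-agent,accept,content-type","body_keys":["username","password"],"status":401}
{"ts":5,"ip":"198.51.100.7","method":"POST","path":"/api/v1/login","ua":"python-requests/2.31","accept":"*/*","hdrs":"host,user-agent,accept,content-type","body_keys":["username","password"],"status":401}
{"ts":5.5,"ip":"192.0.2.9","method":"POST","path":"/api/v1/login","ua":"Mozilla/5.0 (iPhone) Safari/605.1","accept":"application/json","hdrs":"host,user-agent,accept,accept-language,content-type,cookie,referer","body_keys":["username","password"],"status":401}
{"ts":6,"ip":"198.51.100.7","method":"POST","path":"/api/v1/login","ua":"python-requests/2.31","accept":"*/*","hdrs":"host,user-agent,accept,content-type","body_keys":["username","password"],"status":401}
{"ts":6.5,"ip":"192.0.2.9","method":"POST","path":"/api/v1/login","ua":"Mozilla/5.0 (iPhone) Safari/605.1","accept":"application/json","hdrs":"host,user-agent,accept,accept-language,content-type,cookie,referer","body_keys":["username","password"],"status":200}
{"ts":7,"ip":"198.51.100.8","method":"POST","path":"/api/v1/login","ua":"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36","accept":"*/*","hdrs":"host,user-agent,accept,content-type","body_keys":["username","password"],"status":401}
{"ts":7.5,"ip":"198.51.100.200","method":"GET","path":"/api/v1/users/8812","ua":"Mozilla/5.0 (Macintosh) Safari/605.1","accept":"application/json","hdrs":"host,user-agent,accept,accept-language,cookie,referer","body_keys":[],"status":200}
{"ts":8,"ip":"198.51.100.8","method":"POST","path":"/api/v1/login","ua":"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36","accept":"*/*","hdrs":"host,user-agent,accept,content-type","body_keys":["username","password"],"status":401}
{"ts":9,"ip":"192.0.2.44","method":"POST","path":"/api/v1/login","ua":"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36","accept":"*/*","hdrs":"host,user-agent,accept,content-type","body_keys":["username","password"],"status":401}
{"ts":10,"ip":"192.0.2.44","method":"POST","path":"/api/v1/login","ua":"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36","accept":"*/*","hdrs":"host,user-agent,accept,content-type","body_keys":["username","password"],"status":200}
"""

LOGIN_PATH = "/api/v1/login"
NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def parse_log(text):
    """Parse one JSON object per line into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def path_template(path):
    """Collapse numeric path segments so /users/8812 and /users/17 share a shape."""
    return NUMERIC_SEGMENT.sub("/{id}", path)


def behavioral_fingerprint(ev):
    """Hash traits that describe HOW the client builds requests. IP and User-Agent
    are excluded on purpose: both are cheap for an attacker to rotate or spoof."""
    traits = (ev["method"], path_template(ev["path"]), ev["hdrs"], ev["accept"],
              ",".join(sorted(ev["body_keys"])))
    return sha256("|".join(traits).encode()).hexdigest()[:16]


def per_ip_failures(events, threshold=3):
    """Classic rule: flag any IP with >= threshold failed logins. Low-and-slow
    IP rotation keeps every source under the threshold, so this returns nothing."""
    fails = defaultdict(int)
    for ev in events:
        if ev["path"] == LOGIN_PATH and ev["status"] == 401:
            fails[ev["ip"]] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}


def detect_by_fingerprint(events, min_requests=6, min_ips=3, min_fail_rate=0.8):
    """Cluster login attempts by behavioral fingerprint and flag clusters that are
    spread across many IPs yet mostly failing: distributed credential stuffing."""
    clusters = defaultdict(lambda: {"requests": 0, "failures": 0, "ips": set(), "uas": set()})
    for ev in events:
        if ev["path"] != LOGIN_PATH:
            continue
        c = clusters[behavioral_fingerprint(ev)]
        c["requests"] += 1
        c["failures"] += ev["status"] == 401
        c["ips"].add(ev["ip"])
        c["uas"].add(ev["ua"])
    findings = {}
    for fp, c in clusters.items():
        rate = c["failures"] / c["requests"]
        if c["requests"] >= min_requests and len(c["ips"]) >= min_ips and rate >= min_fail_rate:
            findings[fp] = {"requests": c["requests"], "failures": c["failures"],
                            "distinct_ips": len(c["ips"]), "distinct_uas": len(c["uas"]),
                            "fail_rate": round(rate, 2), "ips": sorted(c["ips"])}
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP rule:", per_ip_failures(evs))          # {} : misses the campaign
    for fp, f in detect_by_fingerprint(evs).items():      # one cluster, 5 IPs, 2 UAs
        print(f"fingerprint {fp}: {f}")
```

The `ips` list in each finding is what a passive deployment would hand to a WAF or firewall for blocking, while the fingerprint itself is the stable identifier to keep hunting on: when the attacker changes User-Agent again, the cluster persists because the header order, Accept value and body shape did not change. Which traits to hash is the real design decision; the more of them an attacker must get right to blend in, the more expensive retooling becomes.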

Some of the other areas of attack detection and threat hunting where Cequence excels:

Analyze the body/payloads of requests and responses
Detect suspicious client requests based on IP reputation
Identify geo-location of API calls to help with API risk assessments
Use IP Intelligence to assess API endpoint risk and set policy
API performance metrics, call and error patterns
Share data with SIEM, SOAR, and ITSM systems

There are certainly other facets of attack detection and threat hunting, but these are some of the topics we hear about most frequently. Check out the other articles in this series, or our eBook, Ten Things Your API Security Solution Must Do.

Author

Jeff Harrell

Director of product marketing

Jeff Harrell is the director of product marketing at Cequence and has over 20 years of experience in the cybersecurity field. He previously held roles at McAfee, PGP, Qualys, and nCircle, and co-founded the company that created the first commercial ad blocker.