Learn about the Salt + CrowdStrike Falcon integration

Learn more

Mapping the MITRE ATT&CK Framework to API Security

Nick Rago
Feb 9, 2023

With hundreds of contributors, the MITRE ATT&CK Framework has become a vital resource of open source knowledge for the security industry. CISOs and cybersecurity professionals around the globe rely on the framework to increase their understanding about different cyber-attack tactics, techniques and procedures (TTPs). With insights about TTPs relevant to their specific platform or environment, organizations gain tremendous value to combat cyber threats.

The downside is that while the framework has many matrices, at this time, it has no specific API security matrix. Yet we all know that API security threats have skyrocketed, just as their usage has surged with enterprise digitalization initiatives. In fact, APIs now represent the largest attack vector for modern applications.

Defend yourself from API attacks by leveraging this security framework

The Salt Security State of API Security Report found that the average number of APIs grew 82% from July 2021 to July 2022. During the same time period, API attack traffic surged 117%, from an average of 12.22 million malicious calls per month to an average of 26.46 million calls.

On the positive side, despite the lack of an API security matrix, security leaders can still leverage the MITRE ATT&CK Framework to identify and defend themselves against these growing threats. Bad actors still frequently use many of the MITRE-outlined TTPs throughout the different phases of their API attack campaigns.

While not a “cure-all” approach, (as every API attack will always represent a zero-day attack), understanding the crossover of some of these attack methodologies can benefit security leaders. By recognizing the relationship between many of the TTPs identified in the MITRE framework and behaviors of attackers during their API attack campaigns, , organizations have an opportunity to:

  • Improve threat detection
  • Implement more effective incident response
  • Allocate security resources more effectively
  • Identify security gaps
  • Increase understanding of the scope of an attack and its potential impact

In our new White Paper, we have taken a close look at the MITRE ATT&CK Enterprise Matrix – essentially a superset of all the matrices. Many of the tactics in this matrix are also being applied in API attack campaigns. By analyzing where the tactics are being duplicated in API attacks, security leaders can better understand the attacker mindset and improve their API threat insights.

In our analysis, we have taken a deep dive into the following three common API security threats:

  • Broken object level authorization (BOLA)
  • Stolen credentials
  • Leaky public APIs

For each of these threats, we’ve mapped a typical attack lifecycle to the TTPs found in the Enterprise Matrix. We’ve outlined the steps that bad actors can take in each scenario from reconnaissance and phishing to evasion and data exfiltration or abuse. We’ve also shared the differences between the MITRE ATT&CK Framework and the OWASP API Security Top 10 – and why both are important educational tools in your API security arsenal.

In the future, we hope that API security threats will be added into its own matrix within the MITRE ATT&CK Framework. In the meantime, our report can help you understand how to defend against these attacks and develop more effective incident response plans by leveraging this well-known security framework. We invite you to download this complimentary resource.

If you’re interested in seeing the Salt Security API Protection Platform in action, contact us for a customized demo today!

Go back to blog

Download this guide for advice on evaluating key capabilities in API Security

Learn everything you need to know to keep your APIs secure

Get the guide