Traceable API Security Platform Updates - March 2024
March releases include enhancements to security analytics, new detections, and a new WAF integration. Here are the details on what’s new:
Enhancements to Security Analytics Power Investigation into Data Impact of Security Events
Last month we released Security Event Analytics to power deeper analytics of security events detected by Traceable. This month we have added additional attributes to security analytics to power investigation and forensics related to data access and potential data exfiltration. Security analytics for traces and events now allows you to filter and group API transactions by the data sets and data types that appear in API requests and responses. This is highly useful for security analysts investigating a potential data breach, data access violation or data exfiltration attempt. New attributes include:
- Request DataTypes - Data types are specific types of sensitive data (e.g. social security number, last name, password, bank account number, etc.). This attribute shows sensitive data types included in API requests.
- Request DataSets - Data sets are categories of data that specific data types can map to (e.g. PCI-DSS, HIPAA, auth info, etc.). This attribute shows sensitive data sets included in API requests. You can define custom data sets and data types in Traceable’s data catalog.
- Response DataTypes - This attribute shows sensitive data types included in API responses.
- Response DataSets - This attribute shows sensitive data sets included in API responses.
Example use cases:
- Investigate impact to data following a security event: You are investigating a recent BOLA event and want to determine if any HIPAA protected data was exfiltrated by the threat actor. You can search event analytics using the Malicious Behavior attribute and the Response DataSets attribute to find BOLA events where HIPAA data was included in the API response.
- Investigate data exfiltration by a specific user: You become aware that an adversary compromised a legitimate user’s account and may have accessed sensitive data. To determine the scope of data access, you search trace analytics to determine if sensitive data was included in any API responses associated with the compromised User ID.
- Identify data-access related compliance violations: You are investigating a data breach and want to know if any PCI-DSS protected data was compromised. You can search traces by the attacker’s User ID and by Response DataSets with PCI-DSS specified to identify any PCI-DSS protected data that was exposed in the breach.
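To make the data type / data set distinction and the three queries above concrete, here is an added example. It is not Traceable's code and not its data catalog: the catalog entries, the extra PII data set, the attribute names and the `TRACES` records are all constructed for illustration. It tags each transaction with the four new attributes and then runs the BOLA, compromised-user and PCI-DSS searches described in the use cases. The Luhn check shows why a data type detector needs more than a regex: a 16-digit order number must not be classified as a card number.

```python
import re

# Constructed catalog for illustration (not Traceable's data catalog):
# data type -> (detector, data sets it maps to). PCI-DSS, HIPAA and auth info
# are the data sets named in the release notes; PII is an extra example.
DATA_CATALOG = {
    "ssn":         (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        {"PII", "HIPAA"}),
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,16}\b"),       {"PCI-DSS"}),
    "email":       (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), {"PII"}),
    "password":    (re.compile(r'"password"\s*:\s*"[^"]+"'),     {"auth info"}),
}


def luhn_valid(candidate):
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(payload):
    """Return (data types, data sets) present in one request or response body."""
    types, data_sets = set(), set()
    for name, (pattern, mapped) in DATA_CATALOG.items():
        for match in pattern.finditer(payload):
            if name == "credit_card" and not luhn_valid(match.group(0)):
                continue        # order numbers, timestamps etc. are not PANs
            types.add(name)
            data_sets |= mapped
    return types, data_sets


def annotate(trace):
    """Attach the four analytics attributes to a captured API transaction."""
    req_types, req_sets = classify(trace["request"])
    resp_types, resp_sets = classify(trace["response"])
    return {**trace,
            "request_datatypes": req_types, "request_datasets": req_sets,
            "response_datatypes": resp_types, "response_datasets": resp_sets}


def query(traces, user_id=None, malicious_behavior=None, response_dataset=None):
    """Filter annotated traces the way the use cases describe; returns the endpoints hit."""
    hits = []
    for t in traces:
        if user_id and t["user_id"] != user_id:
            continue
        if malicious_behavior and t.get("malicious_behavior") != malicious_behavior:
            continue
        if response_dataset and response_dataset not in t["response_datasets"]:
            continue
        hits.append(t["endpoint"])
    return hits


# Constructed traces standing in for captured transactions (not real traffic).
RAW_TRACES = [
    {"user_id": "u-alice", "endpoint": "/api/patients/42", "malicious_behavior": "BOLA",
     "request": '{"patient_id": 42}',
     "response": '{"name": "Alice", "ssn": "123-45-6789", "diagnosis": "J45.909"}'},
    {"user_id": "u-alice", "endpoint": "/api/orders/7", "malicious_behavior": None,
     "request": '{"order_id": "1234567890123456"}',
     "response": '{"card": "4111 1111 1111 1111", "email": "alice@example.com"}'},
    {"user_id": "u-bob", "endpoint": "/api/login", "malicious_behavior": None,
     "request": '{"username": "bob", "password": "hunter2"}',
     "response": '{"token": "opaque"}'},
]
TRACES = [annotate(t) for t in RAW_TRACES]

if __name__ == "__main__":
    print("BOLA events that returned HIPAA data:",
          query(TRACES, malicious_behavior="BOLA", response_dataset="HIPAA"))
    print("PCI-DSS data returned to u-alice:",
          query(TRACES, user_id="u-alice", response_dataset="PCI-DSS"))
```

The second trace is the instructive one: its request carries a 16-digit order number that the card-number regex matches, but the Luhn check drops it, so Request DataTypes stays empty while the response is correctly tagged with PCI-DSS and PII.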
New Detections Protect your APIs from Introspection and Injection Attacks
We’ve added detection logic covering three new attack vectors, along with improved handling of encoded payloads:
- GraphQL Introspection: GraphQL APIs commonly ship with an “introspection” feature enabled by default that lets a client retrieve the full schema and learn which queries and mutations the API supports. Adversaries abuse introspection during the reconnaissance phase of an attack to map the capabilities of a GraphQL API before exploiting it. Traceable now detects GraphQL introspection attempts. Because development tooling also relies on introspection, tune this detection for production endpoints, where introspection should normally be disabled.
- Server side template injection: Web applications commonly use templating engines to render content dynamically. Server side template injection (SSTI) occurs when attacker-controlled input is embedded into a template and evaluated by the templating engine as template syntax rather than treated as data; the payload executes server-side when the template is rendered. In some cases, attackers can escalate this to remote code execution, taking over the server or reading sensitive data stored on it. Traceable now detects SSTI payloads and blocks malicious requests.
- Email injection: Email injection attacks most commonly target contact forms on websites that lack strong input validation. Contact forms, sign-up forms and other common user input forms typically send an automated email when the form is submitted. By injecting CRLF sequences into a field that ends up in a mail header (for example, to add a Bcc: recipient), attackers can send spam from the legitimate website’s domain. The Traceable platform has improved its ability to detect email injection attacks such as CRLF header injection.
- Improved protection against encoded payloads: Attackers often obfuscate malicious payloads by encoding them, sometimes in several stacked layers, with mechanisms such as Unicode or Base64 encoding. This thwarts WAAP tools that rely solely on string or regex matching against the raw request. Traceable has made multiple improvements to detect obfuscated and encoded malicious payloads.
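The following is an added example, not Traceable's detection logic, showing how the four items above fit together: request bodies are normalized first (repeated percent-decoding, HTML entity and \u/\x escape decoding, plus a pass over embedded Base64 tokens) and only then matched against simple rules for GraphQL introspection, SSTI template syntax and CRLF mail header injection. The rules, the request shape (`path` and `body`), the rule names and the sample bodies are all constructed for illustration and are far looser than a production rule set.

```python
import base64
import html
import json
import re
from urllib.parse import unquote

# Illustrative rules (constructed for this example, not Traceable's rule set).
INTROSPECTION = re.compile(r"\b__(?:schema|type)\b")
# Template delimiters wrapping something evaluative (arithmetic, a call, attribute access),
# so a plain ${placeholder} in legitimate input does not fire.
SSTI = re.compile(r"(?:\{\{|\$\{|<%=?|#\{)[^}%>]*(?:\*|\(|__|\.)[^}%>]*(?:\}\}|\}|%>)")
# A CR/LF followed by a mail header name: the classic way to smuggle a Bcc: into a form mail.
HEADER_INJECTION = re.compile(r"[\r\n]\s*(?:to|cc|bcc|from|subject|content-type)\s*:", re.I)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def normalize(value, max_rounds=3):
    """Undo percent-encoding, HTML entities and \\uXXXX / \\xXX escapes, repeating
    until the text stops changing so double-encoded payloads are unwrapped too."""
    for _ in range(max_rounds):
        before = value
        value = html.unescape(unquote(value))
        value = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
        value = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        if value == before:
            break
    return value


def expansions(value):
    """Every representation a rule should see: the normalized text plus any embedded
    Base64 token that decodes to printable text (itself normalized again)."""
    norm = normalize(value)
    views = [norm]
    for token in B64_TOKEN.findall(norm):
        if len(token) < 12 or len(token) % 4:
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            continue
        if all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            views.append(normalize(raw.decode("ascii")))
    return views


def detect(request):
    """Score one request {'path': ..., 'body': ...}; returns the sorted rule names that fired."""
    views = expansions(request["body"])
    findings = set()
    if request["path"].endswith("/graphql"):
        try:
            query = json.loads(views[0]).get("query", "")
        except (ValueError, AttributeError):
            query = views[0]  # not a JSON object: fall back to scanning the raw body
        if INTROSPECTION.search(query):
            findings.add("graphql_introspection")
    for text in views:
        if SSTI.search(text):
            findings.add("ssti")
        if HEADER_INJECTION.search(text):
            findings.add("email_header_injection")
    return sorted(findings)


# Constructed sample requests; none of these are real captured traffic.
SAMPLES = {
    "introspection": {"path": "/graphql",
        "body": '{"query":"query IntrospectionQuery { __schema { types { name } } }"}'},
    "introspection_escaped": {"path": "/graphql",
        "body": '{"query":"{ \\u005f\\u005fschema { queryType { name } } }"}'},
    "ssti_urlencoded": {"path": "/contact", "body": "name=%7B%7B7*7%7D%7D&message=hi"},
    "ssti_double_encoded": {"path": "/contact", "body": "name=%257B%257Bconfig.__class__%257D%257D"},
    "ssti_base64": {"path": "/contact", "body": "payload=e3s3Kjd9fQ=="},  # Base64 of {{7*7}}
    "email_injection": {"path": "/contact",
        "body": "email=victim%40example.com%0D%0ABcc%3A%20spam%40evil.test&subject=hello"},
    "benign_graphql": {"path": "/graphql", "body": '{"query":"{ user(id: 1) { name } }"}'},
    "benign_form": {"path": "/contact", "body": "name=Alice&email=alice%40example.com&message=Thanks%21"},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:22} -> {detect(req) or 'clean'}")
```

Run as a script to see each sample scored. The double-encoded and Base64-wrapped SSTI bodies are caught only because normalization runs before matching; a rule applied to the raw body would see `%257B` or `e3s3Kjd9fQ==` and miss both, which is exactly the gap the encoded-payload item above is about.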
Integrate Traceable and F5 Application Security Manager to Extend Protection
Traceable now integrates with F5 Application Security Manager (ASM) to support enforcement of custom blocking policies in the ASM WAF. The integration supports custom IP-range rules and threat actor rules, so threat actors identified by Traceable can be blocked at the WAF. Learn more about how to get started in our docs.