API Deception

ASE supports configuration of decoy APIs in either in-context or out-of-context mode. If a client accesses an ASE decoy API and later tries to access a legitimate API, ASE drops the connection and blocks the client from accessing any non-decoy APIs. The ASE Admin Guide provides more information on API Deception Environments.

Report ASE real-time decoy attack detection

ASE sends information about clients accessing decoy APIs to ABS, which performs further analysis and generates an API Deception report with type ID 100. Here is an example ABS REST API request to generate an API Deception report:

https://192.168.11.138:8080/v4/abs/attack?later_date=2018-07-16&earlier_date=2018-07-16&api=atmapp&type=100

{
  "company": "ping identity",
  "attack_type": "Decoy Attack",
  "name": "api_attack_type",
  "description": "Clients accessing decoy APIs",
  "earlier_date": "Mon Jan 01 12:00:00:000 2018",
  "later_date": "Mon Dec 31 02:28:00:000 2018",
  "api_name": "atmapp",
  "ips": [
    {
      "ip": "100.64.38.140",
      "details": [
        {
          "access_time": "Sun Jan 28 19:59:29:395 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 19:59:29:395 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        }
      ]
    },
    {
      "ip": "100.64.38.144",
      "details": [
        {
          "access_time": "Sun Jan 28 19:59:29:395 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 19:59:29:395 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        }
      ]
    }
  ],
  "cookies": [],
  "access_tokens": []
}
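For triage, the type 100 report can be reduced to one summary per client IP. The following is an added example, not part of ABS or of the original page. It assumes the report JSON has already been retrieved and relies only on the field names and timestamp layout visible in the sample response; the function name summarize_decoy_report and the trimmed sample are constructed for illustration.

```python
import json
from datetime import datetime

# Timestamp layout used in the sample report, e.g. "Sun Jan 28 19:59:29:395 2018"
ABS_TIME_FORMAT = "%a %b %d %H:%M:%S:%f %Y"

# Constructed sample, trimmed from the report format shown on this page.
SAMPLE_REPORT = json.loads("""
{
  "attack_type": "Decoy Attack",
  "api_name": "atmapp",
  "ips": [
    {"ip": "100.64.38.140", "details": [
      {"access_time": "Sun Jan 28 19:59:29:395 2018", "attack_code": "decoy"},
      {"access_time": "Sun Jan 28 19:59:29:395 2018", "attack_code": "decoy"},
      {"access_time": "Sun Jan 28 21:18:01:501 2018", "attack_code": "decoy"}
    ]},
    {"ip": "100.64.38.144", "details": []}
  ],
  "cookies": [],
  "access_tokens": []
}
""")


def summarize_decoy_report(report):
    """Return {ip: summary} for every client with at least one decoy record."""
    summary = {}
    for client in report.get("ips", []):
        times = [
            datetime.strptime(d["access_time"], ABS_TIME_FORMAT)
            for d in client.get("details", [])
            if d.get("attack_code") == "decoy"
        ]
        if not times:
            continue  # client listed without decoy records: nothing to triage
        summary[client["ip"]] = {
            "hits": len(times),
            "distinct_times": len(set(times)),  # the report can repeat a timestamp
            "first_seen": min(times),
            "last_seen": max(times),
        }
    return summary


if __name__ == "__main__":
    for ip, s in summarize_decoy_report(SAMPLE_REPORT).items():
        print(ip, s["hits"], s["distinct_times"], s["first_seen"], s["last_seen"])
```
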

Decoy API

When decoy APIs are configured in ASE, ABS generates decoy API reports with detailed information on all client access to decoy APIs, including ASE-detected violations. Here is a decoy API URL: <ABS_IP>:port/v4/abs/decoy?earlier_date<>& later_date<>

{
  "company": "ping identity",
  "name": "decoy_api_metrics",
  "description": "This report contains detailed information on client access to each decoy API",
  "later_date": "Tue Jan 11 18:00:00:000 2018",
  "earlier_date": "Tue Jan 11 17:50:00:000 2018",
  "api_name": "atmapp",
  "api_type": "decoy-incontext",
  "decoy_url": [
    "/atmapp/decoy"
  ],
  "summary": [
    {
      "decoy_url": "/atmapp/decoy",
      "unique_ip_count": 122,
      "total_requests": 240,
      "most_used_methods": {
        "GET": 88,
        "DELETE": 32,
        "ABDU": 32,
        "POST": 30,
        "PUT": 26
      },
      "most_used_ips": {
        "100.64.9.37": 4,
        "100.64.10.79": 4
      },
      "most_used_devices": {
        "UBUNTU": 76,
        "MAC_OS_X": 69
      },
      "most_used_content_types": {
        "UNKNOWN": 184,
        "multipart/form-data": 56
      }
    }
  ],
  "details": [
    {
      "decoy_url": "/atmapp/decoy",
      "source_ip": [
        {
          "ip": "100.64.31.183",
          "total_requests": 2,
          "method_count": {
            "GET": {
              "count": 2
            }
          },
          "url_count": {
            "/atmapp/decoy": 2

See ABS external REST APIs for a full report.