API Deception

If a client accesses an ASE decoy API and later tries to access a legitimate API, ASE drops the connection and blocks the client from accessing any non-decoy APIs. The ASE Admin Guide provides more information on API Deception Environments.

Report ASE real-time decoy attack detection

ASE sends information about clients accessing decoy APIs to API Behavioral Security (ABS), which does further analysis and generates an API Deception report with type ID 100.

Here is an example ABS REST API call that generates an API Deception report, followed by the report it returns:

https://192.168.11.138:8080/v4/abs/attack?later_date=2018-07-16&earlier_date=2018-07-16&api=atmapp&type=100

{
  "company": "ping identity",
  "attack_type": "Decoy Attack",
  "name": "api_attack_type",
  "description": "Clients accessing decoy APIs",
  "earlier_date": "Mon Jan 01 12:00:00:000 2018",
  "later_date": "Mon Dec 31 02:28:00:000 2018",
  "api_name": "atmapp",
  "ips": [
    {
      "ip": "100.64.38.140",
      "details": [
        {
          "access_time": "Sun Jan 28 19:59:29:395 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 19:59:29:395 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        }
      ]
    },
    {
      "ip": "100.64.38.144",
      "details": [
        {
          "access_time": "Sun Jan 28 19:59:29:395 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 19:59:29:395 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        },
        {
          "access_time": "Sun Jan 28 21:18:01:501 2018",
          "attack_code": "decoy"
        }
      ]
    }
  ],
  "cookies": [],
  "access_tokens": []
}

Decoy API

When decoy APIs are configured in ASE, ABS generates decoy API reports with detailed information on all client access to decoy APIs, including ASE-detected violations.

Here is the decoy API URL, followed by an example report:

<ABS_IP>:port/v4/abs/decoy?earlier_date=<>&later_date=<>

{
  "company": "ping identity",
  "name": "decoy_api_metrics",
  "description": "This report contains detailed information on client access to each decoy API",
  "later_date": "Tue Jan 11 18:00:00:000 2018",
  "earlier_date": "Tue Jan 11 17:50:00:000 2018",
  "api_name": "atmapp",
  "api_type": "decoy-incontext",
  "decoy_url": [
    "/atmapp/decoy"
  ],
  "summary": [
    {
      "decoy_url": "/atmapp/decoy",
      "unique_ip_count": 122,
      "total_requests": 240,
      "most_used_methods": {
        "GET": 88,
        "DELETE": 32,
        "ABDU": 32,
        "POST": 30,
        "PUT": 26
      },
      "most_used_ips": {
        "100.64.9.37": 4,
        "100.64.10.79": 4
      },
      "most_used_devices": {
        "UBUNTU": 76,
        "MAC_OS_X": 69
      },
      "most_used_content_types": {
        "UNKNOWN": 184,
        "multipart/form-data": 56
      }
    }
  ],
  "details": [
    {
      "decoy_url": "/atmapp/decoy",
      "source_ip": [
        {
          "ip": "100.64.31.183",
          "total_requests": 2,
          "method_count": {
            "GET": {
              "count": 2
            }
          },
          "url_count": {
            "/atmapp/decoy": 2

For a full report, see ABS external REST APIs.