As breaches increase and companies scramble to go from a defensive to an offensive approach, API-focused Noname Security has launched Recon, which simulates an attacker performing reconnaissance on an organization’s domains.
Recon works from a root-level domain to find other domains, shadow domains, sub-domains, APIs, vulnerabilities, and public issues that put the organization at risk, according to Noname. “Then we start looking at, both actively and passively looking at any API-related information pertaining to those domains,” Troy Leilard, regional solution architect lead ANZ, tells CSO.
Undocumented APIs are a major attack risk: 62% of respondents to a Radware report from February 2022 admitted that a third or more of their APIs are undocumented. Cequence Prime Threat Research released a report in October that found 31% (5 billion) of the malicious transactions observed in the first half of 2022 targeted shadow APIs.
How Noname Recon works
Recon was developed to monitor internally built APIs, but it also looks at development tools found online that third parties often use. If a company outsourced its internal API development to a third party, and that party has inadvertently exposed some of the inner workings of the internal API on the internet, these instances can be picked up by Recon, Leilard says.
“We look at things like certificate history that the companies may have purchased over time and we can correlate domains based on that purchasing,” Leilard says as he shares a recent example. “It has come up recently and initially I thought it was an error. I asked our client about it and he goes, ‘Actually, that was a company we divested about 11 months ago,’ but there was still a digital footprint or digital linkage linking them back to the source company.”
Recon simulates an attacker by cueing on certain clues such as domain names, references to documentation, and anything else that could be the next breadcrumb in the trail, Cameron Galbraith, director of product marketing at Noname, tells CSO. From there it will find associated domains that may not be in the existing inventory, which happens in cases of M&A and divestiture of companies.
“Then it’ll go and look at public resources, public sources of information where developers might be using those tools and those tools might be exposing information depending on the privacy settings of a particular developer’s repository,” Galbraith says. “It’s not so much like there is a set profile for a simulation. It’s more that it’s going to follow the same sort of modus operandi as an attacker.”
Other features of Noname Recon API attack simulator
Pre-defined severity levels for the issues encountered let organizations focus first on the more critical vulnerabilities. Customers can also provide feedback to create or redefine what counts as more or less risky based on the company’s risk tolerance.
Currently, the automatic scanning runs every 24 hours, but Noname says the interval is likely to become configurable in the future. When an issue is found, Recon provides recommended guidance on resolution and how to address it.
Recon can be bought as a standalone product or as part of Noname’s full suite of API products, which includes posture management, runtime protection, and active testing; together these provide both inside visibility and the correlation between the outside and the inside.