B2B REST API

REST APIs are the backbone of modern B2B communication. Since they are often directly accessible over the internet, they are a primary focus for automated attacks and complex business logic exploits.

Your Strategy

Use mTLS for unbreakable partner authentication. Enforce strict schema validation for every request to block unpredictable payloads. Always keep track of all endpoints with a gapless API inventory.
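The "strict schema validation" called for above is worth seeing in working form, because the point is not only "check types" but "reject everything the endpoint did not explicitly ask for". The following is an added example written for this page, not code from AYSOLI or any project it describes. It validates the body of a hypothetical `POST /v1/orders` endpoint: the body size is bounded, unknown fields are refused (which is what stops mass-assignment style parameter tampering), every required field must have the right type, pattern, range or enumeration, and the business logic receives a freshly built object containing only allowlisted fields. The endpoint, field names and limits are constructed for illustration.

```python
"""
Added example (not from the AYSOLI page): strict, allowlist-based schema
validation for a B2B order endpoint. Unknown fields are rejected, every
required field must be present with the right type and bounds, and the
validated object is rebuilt from the schema so nothing unexpected reaches
business logic. The endpoint, field names and limits are constructed.
"""
import json
import re

# Hypothetical schema for POST /v1/orders. These keys are the ONLY fields allowed.
ORDER_SCHEMA = {
    "partner_id": {"type": str, "pattern": r"^P-[0-9]{6}$"},
    "sku":        {"type": str, "pattern": r"^[A-Z0-9-]{3,32}$"},
    "quantity":   {"type": int, "min": 1, "max": 10_000},
    "currency":   {"type": str, "enum": {"EUR", "USD", "CHF"}},
    "note":       {"type": str, "max_len": 200, "optional": True},
}


class ValidationError(ValueError):
    """Raised with a reason that is safe to return to the client."""


def validate_order(raw: bytes, max_bytes: int = 4096) -> dict:
    """Parse and validate a request body; return only the allowlisted fields."""
    if len(raw) > max_bytes:
        raise ValidationError("body too large")
    try:
        payload = json.loads(raw)
    except ValueError:
        raise ValidationError("body is not valid JSON")
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")

    # Anything not in the schema is refused outright: this is the check that
    # blocks mass assignment and parameter tampering via "extra" fields.
    unknown = set(payload) - set(ORDER_SCHEMA)
    if unknown:
        raise ValidationError(f"unknown field(s): {sorted(unknown)}")

    clean = {}
    for name, rule in ORDER_SCHEMA.items():
        if name not in payload:
            if rule.get("optional"):
                continue
            raise ValidationError(f"missing field: {name}")
        value = payload[name]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            raise ValidationError(f"wrong type for {name}")
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            raise ValidationError(f"malformed value for {name}")
        if "enum" in rule and value not in rule["enum"]:
            raise ValidationError(f"unsupported value for {name}")
        if "min" in rule and value < rule["min"]:
            raise ValidationError(f"{name} below minimum")
        if "max" in rule and value > rule["max"]:
            raise ValidationError(f"{name} above maximum")
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise ValidationError(f"{name} too long")
        clean[name] = value
    return clean


def check(raw: bytes) -> str:
    """Return 'ok' or the rejection reason (convenience wrapper for demos)."""
    try:
        validate_order(raw)
        return "ok"
    except ValidationError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample requests: one well-formed, one carrying a field the
    # schema never defined.
    good = b'{"partner_id":"P-000123","sku":"WIDGET-9","quantity":5,"currency":"EUR"}'
    tampered = (b'{"partner_id":"P-000123","sku":"WIDGET-9","quantity":5,'
                b'"currency":"EUR","discount_pct":100}')
    print(check(good))      # ok
    print(check(tampered))  # unknown field(s): ['discount_pct']
```

The validator is deliberately allowlist-first: the unknown-field check runs before any per-field rule, so a client cannot smuggle a field past validation by making the rest of the body look correct, and the handler downstream only ever sees the `clean` dictionary, never the raw payload. A production deployment would typically express the same rules in an OpenAPI or JSON Schema document and enforce them at the gateway, but the decision points are the same.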

Best Practices

  • Zero Trust: Every API request must be authenticated, authorized, and encrypted.
  • Monitoring: Log all API interactions and integrate them into your SIEM.
  • Protection: Implement egress filters on the API server to neutralize SSRF attacks.
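The egress filter in the last bullet is the control that stops an SSRF in the API server from turning into the "Cloud Pivot via API" risk listed further down. The following is an added example written for this page, not AYSOLI's code: an outbound-request guard that only permits HTTPS calls to explicitly allowlisted partner hosts, and additionally requires every address the host resolves to to be globally routable, so loopback, RFC 1918, link-local (including the cloud metadata address) and other special-purpose ranges are refused even when a permitted hostname is pointed at them. The partner hostnames are constructed, and the resolver is injectable so the check can be exercised offline.

```python
"""
Added example (not the page's own code): outbound-request guard for an API
server, implementing an SSRF egress filter. Only allowlisted partner hosts
over HTTPS may be contacted, and all resolved addresses must be public.
Partner hostnames below are constructed for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical partner endpoints this API server is permitted to call.
EGRESS_ALLOWLIST = {"erp.partner-a.example", "api.partner-b.example"}


def _resolve(host: str) -> list[str]:
    """Default resolver: every A/AAAA record for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # is_global already excludes private, loopback, link-local (169.254/16,
    # which covers the cloud metadata service) and reserved ranges; the
    # explicit multicast test is belt-and-braces.
    return addr.is_global and not addr.is_multicast


def egress_decision(url: str, resolve=_resolve) -> tuple[bool, str]:
    """Return (allowed, reason); the reason is safe to write to the log."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme != "https":
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    if parts.username or parts.password:
        return False, "credentials in url"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in EGRESS_ALLOWLIST:
        return False, f"host not allowlisted: {host or '(none)'}"
    try:
        addresses = resolve(host)
    except (socket.gaierror, OSError):
        return False, "resolution failed"
    # Every record must be safe. A zone under attacker control can return a
    # public and a private record and let the HTTP client pick the private one.
    for ip in addresses:
        if not is_safe_ip(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver results stand in for real DNS answers.
    public = lambda h: ["8.8.8.8"]
    mixed = lambda h: ["8.8.8.8", "10.0.0.5"]
    print(egress_decision("https://erp.partner-a.example/orders", public))  # (True, 'ok')
    print(egress_decision("https://erp.partner-a.example/orders", mixed))
    print(egress_decision("https://169.254.169.254/latest/meta-data/", public))
```

Two caveats a practitioner should keep in mind. First, checking the resolved addresses and then letting the HTTP library resolve the name again leaves a DNS-rebinding window; the robust form pins the connection to the address that passed the check (or runs the same check inside the client's connection hook). Second, the allowlist belongs in configuration, and host-level controls (a proxy with the same allowlist, or cloud security-group rules denying outbound traffic to the metadata range) should back up the application-level filter rather than replace it.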

STRIDE-LM Design Risks

  • Spoofing (S-API-01): Identity Spoofing (API)
    Attacker impersonates a legitimate partner service.
  • Tampering (T-API-01): API Parameter Tampering
    Manipulation of request parameters to bypass business logic.
  • Repudiation (R-API-01): API Log Manipulation
    Concealing malicious API activities.
  • Information Disclosure (I-API-01): Excessive Data Exposure
    API returns more data than necessary for the client.
  • Denial of Service (D-API-01): Insecure Resource Consumption
    Overloading the API due to missing rate limits (DoS).
  • Lateral Movement (L-API-01): Cloud Pivot via API
    Using the API server identity to access internal cloud resources.
  • Monitoring Gaps (M-API-01): Hidden API Abuse
    Abuse of undocumented or "shadow" APIs.

MITRE ATT&CK® Techniques

Reconnaissance

T1592: Gather Victim Digital Network Information (ATT&CK)
Collecting information about the target infrastructure.
Mitigated by:
  • API Documentation & Inventory [Baseline Protection, Medium] (CIS: 1.1; OWASP: API9)
  • API Security Audit (Logging) [Extended Protection, Medium] (CIS: 8.5; NIST: PR.PT-1)
  • Output Content Filtering [Baseline Protection, Low] (NIST: AI-1.2; OWASP: LLM02)

Initial Access

T1190: Exploit Public-Facing Application (ATT&CK)
Exploiting vulnerabilities in internet-facing services.
Mitigated by:
  • Mutual TLS (mTLS) [Extended Protection, High] (CIS: 6.3; NIST: PR.DS-2)
  • Strict Schema Validation [Baseline Protection, Medium] (CIS: 16.11; OWASP: API6)
  • Strict Transport Security (TLS 1.3) [Baseline Protection, Low] (CIS: 6.3; OWASP: A02:2021)
  • API Security Audit (Logging) [Extended Protection, Medium] (CIS: 8.5; NIST: PR.PT-1)
  • B2B IP Allowlisting [Baseline Protection, Low] (CIS: 12.10; NIST: PR.AC-3)

Persistence

T1098: Account Manipulation (ATT&CK)
Changing permissions or creating new accounts.
Mitigated by:
  • Regular Access Reviews [Baseline Protection, Low] (CIS: 6.6; NIST: PR.AC-1; OWASP: A01:2021)

Credential Access

T1557: Adversary-in-the-Middle (ATT&CK)
Intercepting communication between two parties.
Mitigated by:
  • JWT Signature Verification [Baseline Protection, Medium] (NIST: PR.AC-1; OWASP: API2)
  • Mutual TLS (mTLS) [Extended Protection, High] (CIS: 6.3; NIST: PR.DS-2)
  • Strict Transport Security (TLS 1.3) [Baseline Protection, Low] (CIS: 6.3; OWASP: A02:2021)

T1110: Brute Force (ATT&CK)
Attempts to gain access to accounts or API keys through systematic trial and error.
Mitigated by:
  • Rate Limiting & Throttling [Baseline Protection, Low] (CIS: 12.1; OWASP: API4)
  • API Security Audit (Logging) [Extended Protection, Medium] (CIS: 8.5; NIST: PR.PT-1)
  • B2B IP Allowlisting [Baseline Protection, Low] (CIS: 12.10; NIST: PR.AC-3)

T1539: Steal Web Session Cookie (ATT&CK)
Capturing active session tokens to bypass authentication.
Mitigated by:
  • JWT Signature Verification [Baseline Protection, Medium] (NIST: PR.AC-1; OWASP: API2)
  • Strict Transport Security (TLS 1.3) [Baseline Protection, Low] (CIS: 6.3; OWASP: A02:2021)

T1552: Credentials from Password Stores (ATT&CK)
Extracting passwords from web browsers or password managers.
Mitigated by:
  • Output Content Filtering [Baseline Protection, Low] (NIST: AI-1.2; OWASP: LLM02)
  • Centralized Secrets Vaulting [Extended Protection, Medium] (CIS: 6.12; NIST: PR.DS-1)

T1528: Steal Application Access Token (ATT&CK)
Theft of tokens to bypass authentication.
Mitigated by:
  • Centralized Secrets Vaulting [Extended Protection, Medium] (CIS: 6.12; NIST: PR.DS-1)

Command & Control

T1071.001: Application Layer Protocol (ATT&CK)
Misuse of legitimate web protocols (HTTP/S) for C2 communication.
Mitigated by:
  • Egress Filtering (SSRF Protection) [Extended Protection, Medium] (CIS: 12.2; OWASP: A10:2021)

Exfiltration

T1020: Automated Exfiltration (ATT&CK)
Automated exfiltration of data via interfaces.
Mitigated by:
  • Rate Limiting & Throttling [Baseline Protection, Low] (CIS: 12.1; OWASP: API4)
  • API Security Audit (Logging) [Extended Protection, Medium] (CIS: 8.5; NIST: PR.PT-1)
  • Data Processing Agreement (DPA) [Baseline Protection, Low] (CIS: 17.3; NIST: GV.SC-7)
  • Output Content Filtering [Baseline Protection, Low] (NIST: AI-1.2; OWASP: LLM02)

T1567: Exfiltration Over Web Service (ATT&CK)
Data leakage via legitimate web interfaces.
Mitigated by:
  • Egress Filtering (SSRF Protection) [Extended Protection, Medium] (CIS: 12.2; OWASP: A10:2021)
  • SIEM Integration [Extended Protection, High] (CIS: 8.5; NIST: DE.AE-3; NIST: DE.CM-1; OWASP: A09:2021)

Impact

T1499: Endpoint Denial of Service (ATT&CK)
Targeted overloading of API endpoints.
Mitigated by:
  • Rate Limiting & Throttling [Baseline Protection, Low] (CIS: 12.1; OWASP: API4)

Is your scenario more complex?

AYSOLI experts support you in implementing your specific security requirements.

B2B REST API | IT Security Checklist for SMEs · AYSOLI Security Hub