Back to Blogs

Reminders of Recommended Practices for Securing API Access

Posted on January 29, 2024

---

Overview

Credential theft is a common technique used by threat actors to gain access and persistence. User credentials are often the main target for these activities. However in recent years, the security industry has seen an increase in theft of cloud access credentials such as AWS access keys. Access via APIs is a powerful way to integrate Carbon Black Cloud into your ecosystem. That access should be managed and reviewed periodically, as you would user access. Here are some tips to improve the security posture around Carbon Black Cloud API Keys.

Tips

• When you create a new API key, store the API Secret securely as you would a password.
  • After the initial creation, the API Secret can be regenerated, but not recovered.
  • Read more on Carbon Black Cloud Community.
    
    
• Limit access to the minimum required by the API Key by creating an Access Level with only the permissions needed and assigning that Access Level to an API Key with an Access Level of type Custom.
  • Read more in the Carbon Black Cloud User Guide.
    
    
• Restrict access to specific IP Addresses.
  • If an integration will always be running from a specific server, why allow access with that API Key from anywhere else?
    
• Monitor Access via API Keys as you would user access
  • Review the audit log:
    
    
  • Review the last time the API key was used
    • Go to Settings > API Access and check the Session Renewal Time. This will show the last time the API Key refreshed its session.
  • Look for anomalies
    • If an API Key is being used to poll every 5 minutes, expect to see an Audit Log each time the authentication session is renewed (approximately 15 minute intervals). This can make it difficult to see anomalies in the usage. Use a query in the Audit Log Search bar to remove expected Audit records. This example removes any entry for session renewal & alerts API usage. What’s left are actions you might not expect the key to be doing, and actions being done to that key.
      • A1B2C4D4 -"logged in successfully" -"Getting alert" -"Getting threat"
      • That query translates to “Find all the audit log records that include A1B2C4D4 and do not include any of logged in successfully, Getting alert or Getting threat”.
        
        
• Remove access when it is no longer needed
  • Regenerate the API key and store it securely - this will prevent access using the previous secret while allowing full visibility into the access the API Key has if needed. If the API Key is needed, provide the new API Secret.
  • Delete the API key when you’re sure it’s not needed.
    
    
• Consider rotating keys on a regular basis. This brings the benefit that if the key has been compromised and the threat actor is holding on to it, you’ve eliminated their means to access.
  • To regenerate an API Secret Key, go to Settings > API Access and find the API Key that you want to create a new secret for.
  • Click the Actions menu and select API Credentials.
  • Click Generate new API Secret Key and confirm.
  • Record the new API Secret Key securely and update integrations as needed.
  • The previous API Secret Key becomes invalid immediately.
    
    
  • See the Carbon Black Cloud User Guide for details

Requirements

• Carbon Black Cloud
• The User requires a role that has:
  • Manage Access Levels
  • Manage API Keys
  • View API Keys

More Information

• Authentication Guide on the Developer Network
• Setting up API Access in the User Guide
• Integrations and Toolkits to integrate with Carbon Black Cloud

Have questions or feedback?

• Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community
• Report bugs and change requests to Carbon Black Support

• Subscribe to the Developer Network Newsletter