Wiz enhances its Dynamic Scanner to detect publicly exposed, unauthenticated APIs
Analysis Summary
# Tool/Technique: Wiz API Security Capabilities (Dynamic Scanner & Agentless Cloud Risk Assessment)
## Overview
Wiz offers an agentless, contextual approach to API Security focused on discovering, assessing, and validating the external exposure and inherent risks associated with APIs deployed across various cloud environments. Its primary goal is to provide complete visibility, identify shadow APIs, and expose potential attack paths by combining API exposure data with underlying cloud security posture risks (e.g., vulnerabilities, misconfigurations, secrets exposures, and IAM risks).
## Technical Details
- Type: Tool/Frameworks (Security Posture Management/API Security Solution)
- Platform: Major Cloud Providers
- Capabilities: Agentless discovery/inventory of all APIs (managed and unmanaged), dynamic external scanning (validation of exposure and response analysis), risk contextualization (linking API exposure to underlying cloud risks like vulnerabilities, secrets, and lateral movement potential).
- First Seen: Information not explicitly provided in the text.
## MITRE ATT&CK Mapping
*Note: Since this is a security tool designed to **detect** threats, the mappings below are representative of the techniques it is designed to help defenders identify or address, rather than offensive capabilities.*
- [T1552 - Credentials Access] (Relevant if the tool detects exposed secrets via API)
- [T1552.001 - Credentials in Files] (Relevant if secrets are stored accessible via code/config related to the API)
- [T1078 - Valid Accounts] (Relevant when IAM roles/privileges associated with compromised APIs are assessed)
- [T1078.004 - Cloud Accounts]
- [TA0007 - Discovery] (Relevant as the tool maps exposed assets)
- [T1598.003 - Email Collection] / [T1598.005 - Search Open Websites/Domains] (Related to external validation/reconnaissance that the Dynamic Scanner mimics)
## Functionality
### Core Capabilities
- **API Discovery and Inventory:** Continuously performs agentless scanning across cloud assets to discover and inventory all technologies, including both managed and unmanaged APIs exposed to the internet.
- **External Validation (Dynamic Scanner):** Automatically scans APIs from an external attacker's perspective to validate actual exposure, analyze ports/protocols (HTTP, FTP, etc.), and report HTTP status codes.
- **Sensitive Data/Secret Detection:** Analyzes HTTP requests and responses during dynamic scanning to immediately flag instances where secrets or sensitive data are exposed publicly via the API.
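The response analysis described above, as an added illustration that is not Wiz's code: it classifies constructed probe results by whether an unauthenticated request received data back and whether the body leaks secrets or sensitive data. The pattern set, finding labels and severity ranking are assumptions.

```python
import re

# Constructed sample results of unauthenticated probes (not real traffic and not
# Wiz output): the status code, headers and body each endpoint returned.
PROBE_RESULTS = [
    {"url": "https://api.example.test/v1/users", "status": 200,
     "headers": {"Content-Type": "application/json"},
     "body": '{"users": [{"id": 7, "email": "alice@example.test"}]}'},
    {"url": "https://api.example.test/v1/config", "status": 200,
     "headers": {"Content-Type": "application/json"},
     "body": '{"aws_key": "AKIAIOSFODNN7EXAMPLE", "db": "postgres://svc:pw@db/app"}'},
    {"url": "https://api.example.test/v1/admin", "status": 401,
     "headers": {"WWW-Authenticate": "Bearer"}, "body": ""},
    {"url": "https://api.example.test/health", "status": 200,
     "headers": {"Content-Type": "text/plain"}, "body": "ok"},
]

# Illustrative, deliberately narrow patterns; a production scanner carries far more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "url_with_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@/]+@"),
}
PII_PATTERNS = {"email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")}


def classify(resp):
    """Return the findings for one probe result; an empty list means nothing to report."""
    findings, body = [], resp["body"]
    # A 2xx JSON body served to a request that carried no credentials means the
    # endpoint performs no authentication check (OWASP API "Broken Authentication").
    if (200 <= resp["status"] < 300 and body
            and "application/json" in resp["headers"].get("Content-Type", "")):
        findings.append("unauthenticated_data_endpoint")
    for label, patterns in (("secret", SECRET_PATTERNS), ("sensitive_data", PII_PATTERNS)):
        findings += [f"{label}_in_response:{n}" for n, p in patterns.items() if p.search(body)]
    return findings


def severity(findings):
    """Leaked secrets outrank an open data endpoint, which outranks exposed PII alone."""
    if any(f.startswith("secret_in_response") for f in findings):
        return "high"
    if "unauthenticated_data_endpoint" in findings:
        return "medium"
    return "low" if findings else "none"


def triage(results):
    """Map each URL with findings to its severity and findings; clean endpoints are omitted."""
    scored = ((r["url"], classify(r)) for r in results)
    return {url: {"severity": severity(f), "findings": f} for url, f in scored if f}
```

The 401 from `/v1/admin` and the plain-text health check produce no findings, which is the behaviour a scanner needs to avoid flooding alerts with properly gated or harmless endpoints.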
### Advanced Features
- **Contextual Risk Assessment:** Integrates API exposure findings with deep cloud risk context—checking the host resource (VM, Lambda, container) for known vulnerabilities, associated secrets, and potential for lateral movement via high-privilege IAM users.
- **Attack Path Visualization:** Utilizes the Wiz Security Graph to show a complete overview of APIs and the associated attack vectors/blast radius if compromised.
- **Automated Alerting and Remediation:** Provides out-of-the-box and custom controls to trigger alerts and remediation workflows when non-compliant or high-risk APIs are detected.
## Indicators of Compromise
*Note: As a defense tool, it identifies indicators left by attackers, but it does not generate standard IoCs unless configured to alert on specific artifacts detected during its scans.*
- File Hashes: N/A (Agentless scanning)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: The source addresses of the Dynamic Scanner's probe traffic and the exposed endpoints it reports could be derived from its output, but none are explicitly listed as static IoCs here.
- Behavioral Indicators: Detection of unauthenticated access attempt responses; exposure in HTTP responses signaling sensitive data/secrets leakage.
## Associated Threat Actors
- N/A (This is a commercial security product used by defenders.)
## Detection Methods
- Signature-based detection: Not explicitly described; detection relies on configuration checks and vulnerability-scan matches.
- Behavioral detection: Dynamic scanning simulates attacker behavior to validate exposure and response characteristics.
- YARA rules if available: N/A
## Mitigation Strategies
- Continuous patching and updating of libraries used by API backends.
- Implementing strong authentication mechanisms (addressing "Broken Authentication").
- Implementing least privilege access controls (IAM hardening) to limit lateral movement upon API compromise.
- Implementing strong configuration management to secure hosting environments (VMs, Lambdas).
- Utilizing the Wiz toolset to continuously discover and assess shadow APIs automatically.
## Related Tools/Techniques
- OWASP API Security Project (Provides the baseline risks being addressed).
- Traditional Web Application Firewalls (WAFs) or API Gateways (Cited as technologies that often result in blind spots, which Wiz aims to solve).
- Other cloud security posture management (CSPM) and agent-based security solutions.