IR-012 · network · v1.0.0

API Abuse and Credential Stuffing Attack Response

⚠️ Severity: medium / high / critical
Est. Time: 45m
📋 Steps: 10 steps
🔧 Tools: 6 required
🔗 Integrations: 5 platforms
📊 Avg Resolution: 60m

🔧 Tools Required

api gateway, waf, siem, threat intelligence platform, identity provider, rate limiting platform

⚡ Triggers

api_gateway_rate_limit_breach
waf_credential_stuffing_alert
siem_4xx_spike
siem_impossible_travel_api_token
siem_geographic_anomaly_api
bot_protection_alert
account_lockout_spike

🔌 Integrations

aws api gateway (opt): Usage plans, throttling, and API key management

cloudflare (opt): WAF rules, bot management, and IP reputation blocking

okta (opt): Identity threat protection and session management for API token issuance

splunk (opt): API access log ingestion and 4xx rate anomaly detection

datadog (opt): APM trace analysis for credential stuffing pattern detection


Review the triggering alert and confirm the attack type. Credential stuffing presents as a high volume of authentication attempts using valid-format credentials from distributed IPs with low success rates (~0.1-2%). API abuse may show as rate limit breaches, unusual endpoint targeting, or token enumeration. Identify exactly which API endpoints are under attack, the attack start time, source IPs/ASNs, and the volume. Determine if the attack is still in progress.

⚡ Automation Hint

AWS API Gateway:
  aws apigateway get-usage --usage-plan-id <plan> --start-date <date> --end-date <date>
Cloudflare:
  GET https://api.cloudflare.com/client/v4/zones/<zone>/security/events
SIEM (Splunk), identify the top targeted endpoints (counts per URI, not a timechart, so the count field survives the where clause):
  index=api_logs status>=400 status<500 | stats count by uri | where count > <threshold> | sort - count

📤 Outputs

targeted_endpoints
attack_start_time
source_ip_ranges
attack_still_active
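As an added example, not part of the playbook or its automation hints: a small Python triage routine that applies this step's credential-stuffing signature (high volume, distributed sources, success rate at or below ~2%) to API access-log lines and emits the four outputs listed above. The log line format, the thresholds, the /24 aggregation and the sample data are constructed assumptions, not values from the playbook.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress
MIN_ATTEMPTS = 20        # assumed: attempts per endpoint before it counts as targeted
MIN_DISTINCT_IPS = 10    # assumed: distributed sources, not one noisy client
MAX_SUCCESS_RATE = 0.02  # ~0.1-2% success is the credential-stuffing signature
ACTIVE_WINDOW = timedelta(minutes=5)  # last hit this recent => still in progress
def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def constructed_sample_log():
    """Constructed data: 100 login attempts from 50 IPs with 1 success, plus benign traffic."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(100):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        ip = f"203.0.113.{i % 50 + 1}" if i % 2 == 0 else f"198.51.100.{i % 50 + 1}"
        lines.append(f"{ts} {ip} POST /v1/auth/login {200 if i == 42 else 401}")
    lines.append("2024-05-01T10:00:30Z 192.0.2.10 GET /v1/users/me 200")
    lines.append("2024-05-01T10:00:31Z 192.0.2.10 GET /v1/users/me 404")
    return "\n".join(lines)

def triage(log_text, now_iso):
    """Return this step's outputs from '<ts> <src_ip> <method> <uri> <status>' lines."""
    per_uri = defaultdict(lambda: {"attempts": 0, "ok": 0, "ips": set(), "times": []})
    for line in log_text.splitlines():
        ts, ip, _method, uri, status = line.split()
        e = per_uri[uri]
        e["attempts"] += 1
        if int(status) < 400:
            e["ok"] += 1
        e["ips"].add(ip)
        e["times"].append(parse_ts(ts))
    targeted, ips, times = [], set(), []
    for uri, e in per_uri.items():
        rate = e["ok"] / e["attempts"]
        # Stuffing signature: high volume, many sources, almost no successes
        if (e["attempts"] >= MIN_ATTEMPTS and len(e["ips"]) >= MIN_DISTINCT_IPS
                and rate <= MAX_SUCCESS_RATE):
            targeted.append(uri)
            ips |= e["ips"]
            times += e["times"]
    # Collapse sources to /24s for WAF/rate-limit blocking and ASN lookup
    ranges = {str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in ips}
    return {
        "targeted_endpoints": sorted(targeted),
        "attack_start_time": min(times).isoformat() if times else None,
        "source_ip_ranges": sorted(ranges),
        "attack_still_active": bool(times) and parse_ts(now_iso) - max(times) <= ACTIVE_WINDOW,
    }
```

Feed it the same fields exported from the SIEM query above and compare the flagged endpoints with the WAF or bot-protection alert before declaring the attack confirmed.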