Researchers at Cequence Security today published new information about a recent surge in API attacks, a major source of vulnerability that Cequence believes businesses aren’t sufficiently protecting against. “Tales from the Front Line” offers an insider’s analysis of one customer’s data (anonymized) from specific API attacks over the last four weeks. CQ Prime researchers found:
- up to an 85% week-over-week increase in malicious traffic since the pandemic lockdown
- the Android Login API is a significant target
- attackers continuously vary the attack fingerprint to gain success – one campaign showed almost 1.5 million IP addresses using over 4 million different user agents
- attackers often find unsecured API endpoints through enumeration
- in some cases, malicious bots generate up to 80-90% of all traffic – requiring expensive operational build-out
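The fingerprint rotation in the findings above spreads a campaign across so many IP addresses that per-IP thresholds never fire, so detection has to aggregate per endpoint instead. The following is an added example, not Cequence's code or data: the log records are constructed, and the field layout, endpoint path and thresholds are assumptions.

```python
from collections import defaultdict

LOGIN = "/api/android/login"  # assumed path standing in for the Android Login API

def make_sample():
    """Constructed records: (minute, source_ip, user_agent, endpoint, status)."""
    logs = []
    # Minute 0: ordinary traffic, 20 clients on one app build, 10% failed logins.
    for i in range(20):
        logs.append((0, f"198.51.100.{i}", "app/5.1", LOGIN, 401 if i % 10 == 0 else 200))
    # Minute 1: distributed campaign, a new IP and user agent on every request.
    for i in range(200):
        logs.append((1, f"203.0.113.{i}", f"ua-{i}", LOGIN, 401 if i % 50 else 200))
    return logs

def per_ip_offenders(logs, max_failures=5):
    """Classic per-IP threshold: IPs with more than max_failures failed logins."""
    fails = defaultdict(int)
    for _, ip, _, _, status in logs:
        if status == 401:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n > max_failures)

def endpoint_anomalies(logs, min_requests=50, max_fail_ratio=0.5, min_ua_per_ip=0.8):
    """Flag (minute, endpoint) windows where failures dominate and nearly every
    source IP presents its own user agent, i.e. the fingerprint is rotating."""
    windows = defaultdict(lambda: {"n": 0, "fail": 0, "ips": set(), "uas": set()})
    for minute, ip, ua, endpoint, status in logs:
        w = windows[(minute, endpoint)]
        w["n"] += 1
        w["fail"] += status == 401
        w["ips"].add(ip)
        w["uas"].add(ua)
    flagged = []
    for key, w in sorted(windows.items()):
        fail_ratio = w["fail"] / w["n"]
        ua_per_ip = len(w["uas"]) / len(w["ips"])
        if (w["n"] >= min_requests and fail_ratio > max_fail_ratio
                and ua_per_ip >= min_ua_per_ip):
            flagged.append((key, round(fail_ratio, 2), len(w["ips"]), len(w["uas"])))
    return flagged

if __name__ == "__main__":
    sample = make_sample()
    print("per-IP offenders:", per_ip_offenders(sample))
    print("endpoint anomalies:", endpoint_anomalies(sample))
```

On the constructed sample the per-IP check reports nothing, while the endpoint-level check flags the minute in which 200 distinct IPs and 200 distinct user agents produced a 98% login failure rate.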
The API as an attack vector is common because of the rich rewards which can be reaped from a successful breach, or the damage to the business from bots overwhelming the service and causing a Denial of Service for valid customers. These attacks will continue to escalate, so developers need to look at how to limit the value for anyone gaining access. If they are unable to steal useful information (data or code), the API becomes less attractive as a target.
There are different ways to lock down an API, but in many cases it is enough to ensure that it uses HTTPS for communication so that network traffic cannot easily be sniffed. Combine this with additional authentication for access – perhaps using certificates for sensitive data – and the API now has protection in place.
Secure communication is not a perfect method, as it will not prevent access with a stolen credential set. Still, it does prevent bots (or meddling researchers, sometimes!) from sniffing the internet to find out what’s exposed. To further strengthen security, the company controlling the API must ensure that it is not sharing information that would be considered sensitive if viewed publicly.
“Legitimate traffic represents revenue, and operations teams want to make sure their revenue-generating traffic is prioritized and able to flow. From an operational perspective, then, organizations have to take on the greater load from their attackers, or their applications are going to start to perform poorly. How can you ensure that these expensive infrastructure investments are paying off? As malicious bot traffic keeps increasing, AI will be key in helping mitigate against these attacks.