Defining API Attacks
In today’s age of explosive technological change, application programming interfaces (APIs) are the go-to connectors and building blocks for innovative services and customer offerings. Widely used among organisations big and small, APIs create opportunities for businesses to implement modern digital initiatives, allowing consumers to interact with a product or for various applications to communicate. The possibilities are endless.
Unfortunately, as APIs become more and more common, so do API attacks. Salt Security defines an API attack as, “the hostile usage of an API using API endpoints to access and exploit data, taking advantage of code flaws or business logic vulnerabilities to force behaviour that wasn’t intended during the API development process.”
Furthermore, according to the Salt Security State of API Security Report Q1 2023, 94% of survey respondents had experienced API security-related issues in the past year, with 17% reporting an API-related breach in the same period. What’s more, there has been a 400% increase in unique API attackers within a six-month period alone - indicating a clear trend that APIs have become an attractive target for the bad guys.
Why is this the case?
If we think of APIs as highways connecting a business's critical data and services, it becomes more apparent why APIs represent a new frontier in the hacker’s playbook. Take some recent, high-profile API attacks in the news, such as Australia’s second-largest telecommunications company, Optus, and major brands such as T-Mobile, Peloton, Experian and John Deere, to name just a few. Attacks like these are reputation-damaging, resulting in the exposure of troves of critical data and information. Big brands will pay big bucks to avoid this, and threat actors know it.
However, it’s not only high-profile companies that are at risk from API attacks. Threat actors can (and will) take advantage of any organisation using APIs for their business operations to try and hunt out flaws in the business logic used to create them or unsecured databases that may power them.
APIs have become a priority target, more than ever before
With the explosion in API usage in recent years, it’s easy to see not only how malicious actors have millions of potential targets, all likely containing critical data and services, but also how the potential for unintentional insecurities grows exponentially. As a result, most organisations are grappling with the significant problem of API sprawl.
With multiple development teams designing and using multiple APIs at any one time, APIs proliferate at an astonishing rate. The resulting API sprawl can make it difficult to understand how many APIs are in use within the organisation and what data they carry. In addition, most organisations lack strong API governance, contributing further to the problem. Moreover, if an organisation uses open-source or third-party code to create their APIs, the risk potentially rises. API sprawl in a single organisation can amount to hundreds of unsecured attack points, including shadow and zombie APIs, out-of-date APIs that companies have lost track of and/or assume have been disabled.
API attack methods are changing
While API attacks are increasing exponentially, they are also changing. Threat actors are finding new and improved hacking methods.
Traditional attacks are typically transaction-based (for example, SQL injection) or rely on tried-and-true social engineering. However, because each API is unique, with its own business logic, API attacks differ from the previous ‘one and done’ style of attack. API attacks aim to take advantage of an application’s business logic flaws and the ungoverned API sprawl in the organisation.
One way threat actors gain access is through reconnaissance methods. In these attacks, slow and steady wins the race. Hackers spend weeks or even months poking and prodding at APIs, hoping to find a flaw or a gap in authentication or authorisation. Because every API is different, each attack must be different. Given enough time, hackers will find a business logic flaw and they will exploit it, resulting in a potential security breach for the affected parties.
The Open Web Application Security Project (OWASP), which aims to improve the API security industry’s wider understanding and knowledge, released the 2023 edition of the OWASP API Security Top 10 list in June. According to OWASP, the most common API threats and vulnerabilities stem from:
- Broken Object Level Authorisation (BOLA)
- Broken Authentication
- Broken Object Property Level Authorisation
- Unrestricted Resource Consumption
- Broken Function Level Authorisation (BFLA)
- Unrestricted Access to Sensitive Business Flows
- Server-Side Request Forgery
- Security Misconfiguration
- Improper Inventory Management
- Unsafe Consumption of APIs
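The first entry on that list, Broken Object Level Authorisation, is the kind of per-API business logic flaw the reconnaissance paragraph above describes: the caller is authenticated, but the handler never checks that the object being requested belongs to them. The following is an added illustration, not code from Salt Security or OWASP; the in-memory orders store, the user names and the order ids are all constructed, and the `readable_orders` helper is the sort of access-control test a developer would keep alongside the handler.

```python
"""Constructed example: a minimal in-memory 'orders' API showing a Broken
Object Level Authorisation (BOLA) flaw beside its hardened form.
All users, order ids and totals below are made up for the illustration."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str      # user id of the customer who placed the order
    total: float


# Constructed sample data: two customers, three orders.
ORDERS = {
    1001: Order(1001, "alice", 42.00),
    1002: Order(1002, "bob", 199.99),
    1003: Order(1003, "alice", 7.50),
}


class NotFound(Exception):
    """Raised when the caller may not see the requested object."""


def get_order_vulnerable(caller: str, order_id: int) -> Order:
    """BOLA: the handler knows who the caller is (authentication happened
    upstream) but never checks that the object belongs to them, so any
    logged-in user can read any customer's order by changing the id."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id) from None


def get_order_hardened(caller: str, order_id: int) -> Order:
    """Fixed: authorisation is decided per object, server-side, using the
    caller identity taken from the session rather than from the request.
    An order the caller does not own is reported exactly like a missing
    one, so the response does not confirm which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        raise NotFound(order_id)
    return order


def readable_orders(handler: Callable[[str, int], Order], caller: str) -> list[int]:
    """Access-control test: which known order ids does `handler` let
    `caller` read? Used here to contrast the two handlers on one caller."""
    readable = []
    for oid in sorted(ORDERS):
        try:
            handler(caller, oid)
            readable.append(oid)
        except NotFound:
            pass
    return readable


if __name__ == "__main__":
    # alice owns 1001 and 1003; the vulnerable handler also hands her 1002.
    print("vulnerable:", readable_orders(get_order_vulnerable, "alice"))
    print("hardened:  ", readable_orders(get_order_hardened, "alice"))
```

The design point is that the ownership check lives next to the data access in every object-returning handler; a rule-based gateway in front of the API cannot tell a legitimate request for order 1001 from an illegitimate one for 1002, because both are well-formed.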
Fortunately, according to the State of the CISO 2023, 95% of CISOs worldwide have officially made API security a planned priority within the next two years - and the OWASP list is a great place to start to recognise the different types of attacks.
In addition, there are some ways organisations can shift to a more API-centric security strategy:
Know your APIs. APIs require dedicated solutions in the complex landscape that makes up cybersecurity. Traditional, rule-based security methods will not cut it. To secure APIs, organisations must have complete visibility and governance over their API sprawl. Every endpoint must be accounted for and continuous discovery of zombie and/or shadow APIs is a necessity.
Use dedicated API security tooling. While very difficult to accomplish manually, this can be done with artificial intelligence (AI) and machine learning (ML). Organisations can use technologies that incorporate AI and ML to continually and automatically scan for APIs in their environments and to gain a complete understanding of the risks they face as a result.
Protect APIs across build, deploy and runtime. Organisations must implement a solution that can recognise security gaps across the entire API lifecycle. A purpose-built API solution must have the intelligence to spot API threats at runtime, since it is critical to protect the APIs that already exist in an organisation’s environment. At the same time, an API solution should also feed back insights on vulnerabilities and flaws so that development teams can harden future APIs.
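The "know your APIs" step above boils down to reconciling what is documented with what is actually answering requests. The following is an added example, not a Salt Security tool: it parses a handful of constructed access-log lines, normalises each request to a route template, and compares the result with a constructed inventory of documented routes to flag shadow endpoints (traffic with no documentation) and zombie endpoints (documented as retired but still serving traffic). The log format, route names and lifecycle states are all assumptions made for the illustration.

```python
"""Constructed example: reconciling observed API traffic with the documented
API inventory to surface shadow and zombie endpoints. The log lines and the
inventory are made up for the illustration."""
import re
from collections import Counter

# Documented inventory (constructed): route template -> lifecycle state.
INVENTORY = {
    "GET /v2/orders/{id}": "active",
    "POST /v2/orders": "active",
    "GET /v1/orders/{id}": "retired",   # believed disabled after the v2 migration
    "GET /v2/health": "active",
}

# Constructed access-log lines in a common-log-like format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2023:10:00:01 +0000] "GET /v2/orders/1001 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jun/2023:10:00:02 +0000] "GET /v1/orders/1001 HTTP/1.1" 200 498
10.0.0.9 - - [01/Jun/2023:10:00:03 +0000] "GET /internal/export/users HTTP/1.1" 200 90210
10.0.0.7 - - [01/Jun/2023:10:00:04 +0000] "POST /v2/orders HTTP/1.1" 201 64
10.0.0.9 - - [01/Jun/2023:10:00:05 +0000] "GET /internal/export/users?page=2 HTTP/1.1" 200 88000
10.0.0.5 - - [01/Jun/2023:10:00:06 +0000] "GET /v1/orders/1002 HTTP/1.1" 200 498
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
NUMERIC_SEG = re.compile(r"/\d+(?=/|$)")   # an all-digit path segment is an id


def normalise_route(method: str, path: str) -> str:
    """Collapse one concrete request into a route template comparable to
    the inventory: drop the query string and replace id-like segments."""
    path = path.split("?", 1)[0]
    path = NUMERIC_SEG.sub("/{id}", path)
    return f"{method} {path}"


def observed_routes(log_text: str) -> Counter:
    """Count requests per normalised route. Lines without a parseable
    request line are skipped rather than guessed at."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        counts[normalise_route(m["method"], m["path"])] += 1
    return counts


def reconcile(observed: Counter, inventory: dict) -> dict:
    """Classify routes against the inventory:
      shadow - receiving traffic but absent from the inventory
      zombie - documented as retired/deprecated yet still receiving traffic
      active - documented as active and receiving traffic
      silent - documented as active but with no traffic in this window
    """
    result = {"shadow": {}, "zombie": {}, "active": {}, "silent": set()}
    for route, n in observed.items():
        state = inventory.get(route)
        if state is None:
            result["shadow"][route] = n
        elif state in ("retired", "deprecated"):
            result["zombie"][route] = n
        else:
            result["active"][route] = n
    for route, state in inventory.items():
        if state == "active" and route not in observed:
            result["silent"].add(route)
    return result


def report(log_text: str = SAMPLE_LOG, inventory: dict = INVENTORY) -> dict:
    return reconcile(observed_routes(log_text), inventory)


if __name__ == "__main__":
    for kind, routes in report().items():
        print(f"{kind:7}", routes)
```

On the constructed data the undocumented `/internal/export/users` route shows up as shadow traffic and the supposedly retired v1 order lookup shows up as a zombie; both are exactly the "lost track of and/or assume have been disabled" endpoints that an inventory review is meant to catch. In a real deployment the inventory would come from the OpenAPI specs or the API gateway's route table and the log text from the gateway or load balancer, but the reconciliation logic is the same.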
The future of API security
As it always has, the cybersecurity landscape is changing rapidly. It is up to organisations to keep up with trends, the expanding attack surface and the processes and technologies that will help them defend themselves. By leveraging AI and machine learning and by prioritising API governance and documentation, organisations can better understand the risks stemming from APIs and make the necessary adjustments to their security programmes for optimal protection.