Securing APIs: New Research Highlights APIs as an Extreme Attack Vector

By Alex Passett, Editor  |  May 22, 2023

In many articles my colleagues and I pen, phrases like “In our ever-evolving digital landscape…” get peppered in quite a bit. That said, frequent reuse of a such a phrase doesn’t make it any less accurate; we are living through a major technological boom. Sometimes, it feels like we’re in the midst of “an iPhone (News - Alert) moment” every other year or every four or five years, when a new product or even fully new types of products are released, changing the applicabilities of our digital landscape, forever.

Of course, with significant booms come forces of change, many with incredibly positive intentions and, unfortunately, many with malicious ones. Do-good innovators innovate, and bad actors carry out attacks that do as little as pester us or as much as the sort of harm we see when tech bastions’ security measures are breached.

So with this stage set, let’s specifically talk about breached and broken measures – and security best practices – surrounding Application Programming Interfaces (APIs).

For any unfamiliar, Callum McClelland of Leverage analogized them very well, whether or not you’re a tech-inclined person. (Though, per McClelland, this analogy isn’t perfect; it works for these purposes, though.)

Let’s say you’re at a restaurant (or you’re using a food ordering service at home so you can snag food delivered from a restaurant). When put one-to-one next to the topic of APIs, you (the food-orderer) are a program. The restaurant from which you’re ordering is another program you want to interact with. To receive what you want (i.e. food) from the other program (i.e. the restaurant), you need to make a request (i.e. place a dine-in or a to-go order) in a specific way. If you try to request incorrectly (i.e. you try to order Jimmy John’s from Chipotle), you won’t get what you want.

So, you need the right menu for the right request.

APIs, as McClelland explained, are like menus that define lists of available dishes. When an order is placed for one of those dishes, the restaurant does what’s necessary before sending the dish out. Similarly, APIs define a list of commands and, when a program goes to use one of those commands, the other program does what’s necessary before sending back what was requested (i.e. typically data, in some form).

So, APIs define lists of commands, as well as the necessary formats for said commands. When a company releases an API for its software, it means they’re essentially telling folks “Here’s what you can get from our program, and here’s exactly how you have to ask in order to get it.”

The long-story-short version? APIs make it possible behind the scenes for programs to interact, and they reduce complexities.

With this analogy in place, it’s important to note that APIs enable software systems to communicate, making integrations, exchanges of data and functionalities between apps, websites and services ideally seamless. And while APIs clearly play a pivotal role here, so too does API security.

Last week, Cequence Security (provider of Unified API Protection, or UAP) released info from a report about API protection and jumps in unique threats. The report is based on analyses from approximately one trillion (with a ‘T’) API transactions spanning myriad industries, and its aim is to highlight the latest API threats that plague organizations. It details actual tactics, techniques and procedures (known as TTPs) used by threat actors that target consumer-facing, business-to-business (B2B) and machine-to-machine (M2M) APIs.

Below is a summary of Cequence’s key findings:

  • Shadow APIs – Per Cequence, the second half of 2022 alone saw approximately 45 billion search attempts for shadow APIs; this is an extreme 900% increase from the first half of 2022. (Shadow APIs are tools that threat actors use in order to bypass security measures and gain access to sensitive data, disrupt business operations, etc.) This spike in shadow APIs indicates just how serious the risks are if such interfaces are either left unprotected or are under poor protection.
  • Unique threats – Another extreme increase, this one (550%) was seen in the total number of unique TTPs employed by attackers during this same period that the report covered.
  • One-two combos – Cequence also found that threat actors are now keener on combining both traditional API tactics and web application security tactics. (A 220% surge.) This mixes things up, making it more difficult to thwart attacks.
  • Challenges for telecom – In this industry, brand-new TTPs are seen more than virtually anywhere else; the attack surface for telecom is sprawling, and tactics have been as sophisticated as they’ve been persistent.

“API breaches have plagued numerous high-profile organizations in recent months, elevating the need for CISOs to prioritize API protection,” said Ameya Talwalkar, CEO of Cequence. “Attacks are getting more creative and specific in their diverse tactics, and traditional protections are no longer enough. As attack automation becomes an increasingly prevalent threat against APIs, it's critical that organizations have the tools, knowledge and expertise to defend against them in real- time.”

The API threat landscape is “booming” (as this article began) in ways that organizations cannot long-term afford to sleep on, protection-wise. Vigilance against automated and manual vulnerability exploits is vital, lest ineffective defenses become all-too-walkable stepping stones for attackers to traverse.

Read more from Cequence about API protections (e.g. authentication mechanisms like API keys, encryption techniques like TLS and more) that defend against compromising fraud, logic attacks, exploits and unintended data leakages here.

Edited by Greg Tavarez
Get stories like this delivered straight to your inbox. [Free eNews Subscription]