Bot Attacks Exploit API Weaknesses, Costing Billions

By Greg Tavarez, TMCnet Editor  |  September 23, 2024

APIs serve as the connective tissue between various applications and services within an enterprise. They facilitate data exchange for better communication and collaboration. And, as businesses strive to deliver digital experiences promptly and effectively, the reliance on APIs has increased. According to Imperva Threat Research, the average enterprise managed 613 API endpoints in production last year.

There is an issue, however.

The growing importance of APIs has made them prime targets for malicious actors, particularly bot operators. These automated threats exploit vulnerabilities in APIs to steal sensitive data, disrupt services or launch other attacks.

In fact, according to the “Economic Impact of API and Bot Attacks” report by Imperva (released by Thales (News - Alert)), more than 161,000 unique cybersecurity incidents uncover the rising global costs of vulnerable or insecure APIs and automated abuse by bots. The report estimates that API insecurity and bot attacks result in up to $186 billion of losses for businesses around the world.

“It’s imperative that businesses across the world address the security risks posed by insecure APIs and bot attacks, or they face a substantial economic burden,” said Nanhi Singh, General Manager of Application Security (News - Alert) at Imperva, a Thales company.

The availability of off-the-shelf attack tools are easily acquired and customized to target specific APIs. These tools often incorporate advanced evasion techniques, such as rotating IP addresses, using CAPTCHA-solving services and employing traffic obfuscation methods. This makes it increasingly difficult for security teams to detect and mitigate bot attacks.

Then there are generative AI models, which have played an important role in enhancing bot evasion capabilities. These models are used to generate realistic synthetic data, which makes it harder to distinguish between legitimate and malicious traffic. Additionally, AI-powered bots learn from their interactions with API endpoints. They adapt their behavior to evade detection and bypass security measures.

“Reliance on APIs will continue to grow exponentially, driving connections to generative AI applications and large language models,” Singh said. “At the same time, generative AI will also empower cybercriminals to create sophisticated bots at an accelerated and alarming rate. As API ecosystems expand and bots become more advanced, organizations should anticipate a significant rise in the economic impact of automated API abuse by bots unless proactive measures are taken.”

Companies with revenue of at least $100 billion are most likely to suffer security incidents related to insecure APIs or bot attacks. These threats constitute up to 26% of all security incidents experienced by such businesses.

So, what can be done?

Well, Imperva helps organizations protect critical applications, APIs and data anywhere, at scale and with the highest ROI. The Imperva Application Security Platform stops advanced attacks with high efficacy while minimizing false positives. Its high efficiency enables organizations to quickly onboard, protecting their assets at scale.

“The interconnected nature of these threats necessitates that companies take a holistic approach, integrating comprehensive security strategies for both bot and API attacks,” Singh added.

Organizations are challenged to protect their APIs. As these threats continue to evolve, it is imperative for businesses to adopt proactive security measures and stay informed about the latest trends in bot attacks.




Edited by Alex Passett
Get stories like this delivered straight to your inbox. [Free eNews Subscription]