Cequence Security released its first-half 2022 report, titled "API Protection Report: Shadow APIs and API Abuse Explode." Chief among the findings: approximately 5 billion (31%) of the malicious transactions observed targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs, making them the top threat challenging the industry.
"The reality is the everyday luxuries we enjoy as consumers like ridesharing and food delivery services are built on APIs," said Ameya Talwalkar, CEO and founder, Cequence Security. "Our research found that the innovative ways companies can improve customer experiences are also the biggest threat to their security, customer trust and ultimately, their bottom line. These companies must rethink what is prioritized in their security strategy, starting with API protection."
Developed by the CQ Prime Threat Research team, the report is based on an analysis of more than 20 billion API transactions observed over the first half of 2022 and seeks to highlight the top API threats plaguing organizations today.
Top Threat #1: Shadow APIs Hit with 5 Billion Malicious Requests
Roughly 5 billion (31%) of the 16.7 billion malicious requests observed targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs, and spanned a wide range of use cases: from highly volumetric sneaker bots attempting to grab the latest Dunks or Air Jordans, to stealthy attackers attempting a slow trickle of card-testing fraud on stolen credit cards, to pure brute-force credential stuffing campaigns. Driven by high-volume content scraping as a precursor to shopping bot and gift card attacks, attacks on shadow APIs surged in April 2022 and have continued to rise in volume throughout the year.
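Shadow APIs are, by definition, the endpoints missing from the inventory, so the first defensive step is reconciling what the gateway actually serves against what is documented. The following is an added example (not code from Cequence or from the report) that normalizes paths from constructed access-log lines and flags every method/route pair absent from an assumed OpenAPI-style inventory; the inventory, log format and log lines are all assumptions for illustration.

```python
import re
from collections import Counter

# Constructed inventory: documented routes, as an OpenAPI spec would list them,
# with {param} placeholders for path parameters.
INVENTORY = {
    ("GET", "/api/v2/products"),
    ("GET", "/api/v2/products/{productId}"),
    ("POST", "/api/v2/login"),
    ("POST", "/api/v2/orders"),
}

# Constructed sample access-log lines (assumed combined-log style: request line + status).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Apr/2022:10:00:01 +0000] "GET /api/v2/products/1234 HTTP/1.1" 200 512
203.0.113.10 - - [01/Apr/2022:10:00:02 +0000] "POST /api/v2/login HTTP/1.1" 401 87
203.0.113.11 - - [01/Apr/2022:10:00:03 +0000] "GET /api/v1/products?page=2 HTTP/1.1" 200 9001
203.0.113.12 - - [01/Apr/2022:10:00:04 +0000] "GET /api/v1/products HTTP/1.1" 200 9001
203.0.113.12 - - [01/Apr/2022:10:00:05 +0000] "POST /internal/giftcards/check HTTP/1.1" 200 44
203.0.113.13 - - [01/Apr/2022:10:00:06 +0000] "GET /api/v2/products/5678 HTTP/1.1" 200 498
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Path segments that look like identifiers: integers, long hex strings, or UUIDs.
ID_RE = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$")

def normalize(path):
    """Drop the query string and collapse identifier-like segments into {id},
    so /api/v2/products/1234 and /api/v2/products/{productId} compare equal."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_RE.match(seg) else seg for seg in path.split("/"))

def find_shadow_apis(log_text, inventory):
    """Return a Counter of (method, normalized path) pairs observed in the log
    but absent from the inventory, keyed so repeat hits accumulate."""
    known = {(m, re.sub(r"\{[^}]*\}", "{id}", p)) for m, p in inventory}
    shadow = Counter()
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue  # skip lines that do not carry a parseable request line
        key = (match["method"], normalize(match["path"]))
        if key not in known:
            shadow[key] += 1
    return shadow

if __name__ == "__main__":
    for (method, route), hits in find_shadow_apis(SAMPLE_LOG, INVENTORY).most_common():
        print(f"undocumented route: {method} {route} ({hits} requests)")
```

Run over real gateway logs the same counts give a first inventory gap list; routes that appear only under a legacy version prefix or an "internal" path are the usual candidates for being unmanaged.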
Top Threat #2: API Abuse
Based on 3.6 billion attacks blocked by the CQ Prime Threat Research team, the second largest API security threat mitigated during the first half of 2022 was API abuse, meaning attackers targeting properly coded and inventoried APIs. This finding highlights the need to use industry-standard lists like OWASP as a starting point, not an end goal. The most commonly blocked attacks are indicative of the strategies attackers are using. These included:
- 3 billion shopping bots targeting sneakers or luxury goods
- 290 million gift card checking attacks
- The attempted creation of approximately 237 million fake accounts on popular dating and shopping applications
Top Threat #3: The Unholy Trinity: Credential Stuffing, Shadow APIs & Sensitive Data Exposure
Based on 100 million attacks, the combined use of API2 (Broken User Authentication), API3 (Excessive Data Exposure) and API9 (Improper Assets Management) signifies two things: attackers are performing detailed analysis of how each API works, how the APIs interact with each other, and the expected outcome; and developers need to stay ever vigilant in following API coding best practices.
Account Takeover Mitigation Saves $193 Million
Highlighting the continued popularity of account takeovers (ATO), the CQ Prime Threat Research team helped customers mitigate roughly 1.17 billion malicious account login requests, all against APIs. The popularity of ATOs can be tied directly to their versatility, which has been amplified by the adoption of APIs for account logins and is shown throughout this report. More importantly, the impact of an ATO on the business is significant, with each incident varying in cost from $290 (Juniper Research) and roughly 9 hours of investigative work to $311 (Federal Trade Commission). The mitigation efforts protected roughly 11.7 million accounts, which equates to a savings of $193 million across all customers.
"Our analysis and findings are based on real attacks in the wild," said William Glazier, Director of Threat Research at Cequence Security. "Our findings underscore the importance of IT and security leaders having a complete understanding of how correctly coded APIs, as well as those with errors, can be attacked. The sample size of 20 billion alone means there is a high likelihood that enterprises across industries are impacted by these types of threats."
The report highlights the importance of understanding the tactics, techniques, and procedures (TTPs) attackers use to exploit risks, and how attackers will react to resistance. This means not only making sure that APIs are not susceptible to the OWASP API Security Top 10, as a starting point, but also looking at what can be defined as API10+, a category that encompasses the many different ways that a perfectly coded API might be abused.