APIs have emerged as a dominant force in web traffic, surpassing traditional web traffic and posing new cybersecurity challenges for businesses.
Description
Business logic attacks [2] [3] [4], accounting for 27% of attacks in 2023, and Account Takeover (ATO) attacks [1] [2] [3] [4] [5] [6], rising to 46% in the same year, are on the rise [2] [3] [5], constituting a significant percentage of API attacks. These attacks, such as credential stuffing, fake account creation [4], and data scraping [4], can lead to financial losses and compromised data security [4]. Detecting API business logic abuse is difficult as attackers often mimic legitimate API usage [4]. A surge in ATO API attacks targeting API endpoints has been observed, highlighting the importance for organizations to have visibility into their API ecosystems [2]. Many organizations are unaware of their APIs, with an average of 29 shadow APIs per enterprise account [4]. Securing APIs requires a comprehensive strategy that includes discovering all APIs in the ecosystem, including undocumented and shadow APIs [4], and implementing advanced security solutions like Imperva Advanced Bot Protection [2] [6]. The report also underscores the increasing threat landscape due to the rise in API-targeted attacks [2] [3], with APIs accounting for over 71% of web traffic last year [1] [2] [3]. The average number of API calls to enterprise sites is 1.5 Billion [1] [2] [5], leading to a rise in automated attacks on APIs. 46% of all ATO attacks targeted API endpoints [1] [2], with 28% of DDoS attacks on APIs targeting financial services organizations [1] [2]. Organizations must have visibility into their API ecosystems to identify potential risks such as deprecated endpoints and Broken Object Level Authorization (BOLA) [2] [6]. Traditional security tools struggle to detect and mitigate API abuse [2] [5], emphasizing the importance of advanced security solutions like Imperva Advanced Bot Protection and API risk assessment tools [2]. A comprehensive API Security strategy combining Web Application Firewall (WAF) and API Discovery with Advanced Bot Protection [2] [6], risk assessment [1] [2] [3], anomaly detection [1], and mitigation is crucial for ensuring robust protection of APIs [2].
Conclusion
The increasing prevalence of API attacks poses significant risks to businesses, necessitating the implementation of advanced security solutions and comprehensive API security strategies. Organizations must prioritize visibility into their API ecosystems and proactively address potential risks to safeguard against financial losses and data breaches in the evolving cybersecurity landscape.
References
[1] https://msp-channel.com/blog/57843/rise-in-api-attacks-in-2023
[2] https://securityboulevard.com/2024/02/latest-research-reveals-rise-in-api-attacks-in-2023-putting-businesses-at-risk-in-2024/
[3] https://vulners.com/impervablog/IMPERVABLOG:EC0BF8FE9E436192BEB8CDC83505A568
[4] https://www.infosecurity-magazine.com/news/business-logic-abuse-api-attacks/
[5] https://betanews.com/2024/02/26/api-attacks-put-businesses-at-risk/
[6] https://www.imperva.com/blog/state-of-api-security-in-2024/
