API Attack Prevention: Preparing for Cybercriminals’ New Account Takeover Target

Published July 25, 2023

In a constantly changing threat landscape, cybercriminals are turning to APIs as their new favorite weapon to conduct account takeover (ATO) fraud because they provide direct access to valuable resources and functionality. API threats have become such an issue that OWASP just released their new 2023 Top 10 API Security Risks list to help draw attention to the areas organizations need to address.

Criminals have pivoted their ATO tactics to target APIs using malicious bots to conduct attacks ranging from credential stuffing and business logic abuse to DDoS attacks, all of which often result in application downtime, identity theft, and fraud. These attacks are easier than ever to orchestrate with readily available tools and are hard to detect with legacy bot defense techniques.

According to estimates from F5’s Office of the CTO, the number of APIs in production will increase exponentially over the next few years. By 2030 there could be anywhere from 500 million to more than 1.5 billion APIs in production. Unfortunately, this is great news for cybercriminals who continuously look to expand their targets.

API Sprawl Results in Many Blind Spots that Can Lead to Vulnerability

  • Open-by-design and predictable structure creates many open doors to easily probe.
    Developers tend to build flexible APIs with predictable structures adhering to logical architectures (such as REST), which makes it easy for criminals to probe for additional data that may have been exposed.

  • Reduced cross-organizational visibility makes it difficult to observe API activity—especially if you don’t know the API even exists.
    APIs are often published before SecOps teams know about them, creating a shadow or zombie API ecosystem and lack of end-to-end visibility into API traffic.

  • Increased complexity creates unmanaged and unsecured APIs, resulting in a larger attack surface.
    Distributed environments and proliferation of services make it challenging to consistently discover, manage, and monitor all APIs, which leads to an increased number of threats and elevated vulnerability to security and privacy incidents.

Existing Security Controls May Not Protect APIs against ATO Attacks

Modern malicious bot attacks continue to evolve, causing legacy bot prevention tools to fail in sustaining their efficacy. This issue will likely get worse with regard to APIs since bot attacks are used to target APIs in a variety of new and different ways ranging from automating exploration scans to manipulating resources and business logic vulnerabilities to conducting credential stuffing and injection attacks.

API credential stuffing attacks are a great example of why traditional bot mitigation strategies leave you exposed. Some APIs provide authentication tokens after a username and password are submitted, similar to logging into a website. This token is typically used for all other requests made to the API. It’s a pattern common in APIs, especially older APIs, and it’s vulnerable to credential stuffing and password spraying attacks.

Differentiating between attackers and real customers is difficult because these types of targeted efforts bypass most traditional controls. Traditional security controls, such as basic web app firewalls (WAFs) and security information and event management (SIEM) systems, are not sufficient to identify and prevent bot attacks on APIs, in part because of the high amount of machine-to-machine, or API-to-API, traffic. Attacks can appear like normal app behavior on the surface, but behind the scenes APIs can be exploited and abused, allowing attackers to elude detection until it’s too late.

A Successful API Security Strategy to Protect against ATO Attacks Requires Vigilance across Multiple Fronts

API security is a shared responsibility across the organization, heightening the need to be concerned with bot-driven attacks that lead to compromise and data breach, as well as those that impact uptime and reliability, for both legacy web apps and modern API fabrics.

When it comes to API security and protecting against unauthorized access via APIs, either through credential stuffing, brute force, or other forceful login attempt mechanisms, a sophisticated AI/ML engine can help by identifying failed login attempt activity or attempts to discover API parameters, and flagging those attempts for operations teams to review.

There are several ways that organizations should shore up their API security, including validating connections and access, monitoring and alerting on behavior over time, and helping to identify unusual client behavior to pinpoint potential areas of compromise.

  • Continuously monitor and protect API endpoints to identify changing app integrations, detect vulnerable components, and mitigate attacks through third-party integrations.
  • Implement a positive security model that integrates with your CI/CD pipeline and supports OpenAPI and Swagger interface specifications to easily validate schema, enforce protocol compliance, automatically baseline normal traffic patterns, and detect anomalous behavior.
  • Embrace zero trust and risk-based security by embracing least-privileged access principles, inspecting payloads, preventing unauthorized data exposure, and implementing access control and risk-based authentication for objects and functions. This should include collecting intelligence and building a baseline for the normal behavior of bots with respect to your APIs. By leveraging behavioral and pattern analysis, workflow validation, and fingerprinting, you can differentiate between human, good bot, and bad bot activity.
  • React to a changing application lifecycle by preventing security misconfiguration across heterogeneous environments, mitigating abuse that can lead to compromise and denial of service, and remediating threats consistently across clouds and architectures. Keep scanning, testing, and monitoring your APIs for misconfigurations, vulnerabilities, and business logic flaws.

You should explore having a centralized view of your API security posture to allow your organization to move quickly, identify potential issues within your API environment, drill down, investigate, and act as appropriate to neutralize any anomalies or threats that could impact connectivity, availability, or app and API security.

Learn more about how you can prevent account takeover attacks.