An organization’s web presence is one of its greatest assets when dealing with customers. However, it is also a common target of attack. Websites have access to a great deal of sensitive and valuable information but are exposed to the public Internet, making them easily accessible to attackers.
Defending an organization’s web presence requires the installation of a web application firewall (WAF); however, not any WAF will do. Cybercriminals are increasingly using automated attacks against web application programming interfaces (APIs) to achieve their goals. These attacks have significant impacts on their targets and require WAFs capable of identifying and differentiating malicious bots from benign ones.
Cybercriminals’ Sights Have Shifted to Web APIs
Most organizations, when they think about securing their web presence, focus on securing their web applications. These web applications are the most visible component of an organization’s web presence. Additionally, the majority of customers use these interfaces, making it important to ensure that they are functional, available, and secure against attack.
However, many organizations also support web APIs. These APIs are designed to enable integrations with the web platform or to support automated or “power” users. Unlike a web application, an API is designed to be used by automated programs and for rapid and bulk operations. Additionally, these APIs often include all of the functionality of the human-targeted web application and, potentially, offer functionality that is not available through the traditional user interface.
These features of web APIs make them a prime target for cybercriminals. When targeting a web API, an attacker no longer needs to simulate the actions of a human user that are necessary when interacting with a web page. Instead, the attacker can take advantage of the functions exposed by the API for use in automated queries.
Automated Attacks Make Up Nearly a Quarter of Internet Traffic
According to research by Imperva, malicious bots made up 24% of all Internet traffic observed by the organization in 2019. While bots can serve benign purposes, malicious bots are built to carry out attacks on behalf of a cybercriminal or business competitor, and they can have a variety of different impacts upon the target organization.
API-Focused Credential Stuffing Attacks Threaten Account Security
A credential stuffing attack is designed to take advantage of the average person’s poor password security habits. While the majority of the population is aware of the threat associated with using weak passwords and reusing passwords across multiple applications, a large percentage do so anyway.
Cybercriminals take advantage of this by applying the credentials leaked in one data breach to the users’ other online accounts. Password hashes are commonly exposed in data breaches, allowing an attacker to perform an offline attack to guess the users’ passwords. Once the attacker has recovered a password, they try it on other sites where the user may have an account in hopes of finding a match.
While credential stuffing attacks can be performed using login portals on web applications, web APIs can make them easier and more efficient to perform. APIs require the same credentials for authentication, are easier for automated scripts to interact with, and can allow an attacker to quickly extract data from an account if they guess a password correctly.
Cybercriminals are aware of these benefits, and at least 20% of credential stuffing attacks are performed against organizations’ web APIs. However, these numbers are often industry specific: in the financial industry, closer to three-quarters of credential stuffing attacks target APIs.
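The pattern described above has a detectable shape on the server side: one source tries many different usernames, each once or twice, and most attempts fail. The following is an added example (not code from the original article or any vendor product) that scans API login events for that shape. The log line format, the field names, the thresholds and the IP addresses and usernames are all constructed for this illustration.

```python
"""Credential-stuffing detection over API login events.

Added example, not code from the original article. The log format, field
names and thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class LoginEvent(NamedTuple):
    ts: datetime
    client_ip: str
    username: str
    success: bool


# Constructed sample events in an assumed "<ISO timestamp> <ip> <user> <OK|FAIL>" format.
# 203.0.113.10 tries many different usernames once each: the stuffing pattern.
# 198.51.100.7 is a normal user who mistypes a password once, then logs in.
SAMPLE_LOG = """\
2020-03-01T09:00:00 203.0.113.10 alice FAIL
2020-03-01T09:00:01 203.0.113.10 bob FAIL
2020-03-01T09:00:01 203.0.113.10 carol FAIL
2020-03-01T09:00:02 203.0.113.10 dave OK
2020-03-01T09:00:02 203.0.113.10 erin FAIL
2020-03-01T09:00:03 203.0.113.10 frank FAIL
2020-03-01T09:00:03 203.0.113.10 grace FAIL
2020-03-01T09:00:04 203.0.113.10 heidi FAIL
2020-03-01T09:00:10 198.51.100.7 judy FAIL
2020-03-01T09:00:25 198.51.100.7 judy OK
"""


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the assumed line format; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        events.append(LoginEvent(datetime.fromisoformat(parts[0]), parts[1],
                                 parts[2], parts[3] == "OK"))
    return events


def detect_credential_stuffing(events: List[LoginEvent], window=timedelta(seconds=60),
                               min_users: int = 5, max_success_rate: float = 0.5) -> Dict[str, str]:
    """Return {client_ip: reason} for sources whose login pattern looks like credential stuffing.

    The signal is source-level, not account-level: one client trying many
    *distinct* usernames inside a short window, most of them failing. A
    per-account lockout never fires here, because each account sees one attempt.
    """
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.client_ip].append(ev)

    flagged: Dict[str, str] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.username for e in span}
            successes = sum(e.success for e in span)
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                flagged[ip] = (f"{len(users)} distinct usernames in {len(span)} attempts "
                               f"within {int(window.total_seconds())}s, {successes} succeeded")
                break  # one hit per source is enough to act on
    return flagged


def accounts_at_risk(events: List[LoginEvent], flagged: Dict[str, str]) -> List[str]:
    """Usernames that logged in successfully from a flagged source: candidates for
    a forced password reset, since the attacker evidently held a working password."""
    return sorted({e.username for e in events if e.success and e.client_ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evs)
    print(hits)                         # flags 203.0.113.10 only
    print(accounts_at_risk(evs, hits))  # ['dave']
```

The point of keying on the source rather than the account is exactly the one the text makes: credential stuffing spreads its attempts across many accounts, so account lockouts do not trip, while a WAF or API gateway that sees all traffic from a source can. Note that a successful login from a flagged source is the most important output here, because it identifies which customer credentials were valid.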
Automated Attacks Waste Resources and Impact Availability
Web APIs are a growing target of cybercriminals because they make automated attacks easy to perform. A web API is designed to interact with automated scripts, meaning that it is designed to maximize efficiency and expects to receive automated requests.
Cybercriminals take advantage of these features to maximize the impact and productivity of their attacks. Since the web APIs can support a high rate of automated requests, malicious bots push them to their limits while performing their attacks.
While this is good for the attacker, it isn’t so great for the targeted organization. The targeted servers waste computational resources and network bandwidth responding to malicious requests. Those costs fall on the target, which operates the impacted servers and must perform the computationally intensive operations required to test each candidate login credential on the attacker’s behalf.
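The cost the paragraph above describes is the password-hash verification that a login endpoint runs for every attempt. A simple way to stop paying it for automated floods is to apply a per-client rate limit before the credential check. The following is an added example (not code from the original article or any product it mentions) showing that ordering: the endpoint shape, the per-client limits, the simulated user database and the burst scenario are all assumptions constructed for the illustration.

```python
"""Rate limiting an API login endpoint before the expensive credential check.

Added example, not code from the original article. The endpoint shape, the
per-client limits and the simulated user database are assumptions for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

PBKDF2_ROUNDS = 100_000  # deliberately slow: this is the work an attacker wants the server to do


@dataclass
class Bucket:
    tokens: int       # in thousandths of a request, so the arithmetic stays exact
    updated_ms: int


class PerClientLimiter:
    """One token bucket per client key (for example the source IP); a request costs one token."""

    def __init__(self, burst: int = 5, per_second: int = 1):
        self.capacity = burst * 1000
        self.refill_per_ms = per_second   # N requests/s == N millitokens per ms
        self.buckets: Dict[str, Bucket] = {}

    def allow(self, key: str, now_ms: int) -> bool:
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(self.capacity, now_ms)
        b.tokens = min(self.capacity, b.tokens + (now_ms - b.updated_ms) * self.refill_per_ms)
        b.updated_ms = now_ms
        if b.tokens >= 1000:
            b.tokens -= 1000
            return True
        return False


class LoginAPI:
    """Minimal /api/login handler: the limiter runs first, hashing only for admitted requests."""

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]], limiter: PerClientLimiter):
        self.users = users          # username -> (salt, pbkdf2 hash); assumed store
        self.limiter = limiter
        self.kdf_calls = 0          # how much expensive work the server actually performed

    def login(self, client_ip: str, username: str, password: str, now_ms: int) -> int:
        """Return an HTTP-style status: 429 throttled, 401 bad credentials, 200 success."""
        if not self.limiter.allow(client_ip, now_ms):
            return 429              # rejected before any hashing work is done
        self.kdf_calls += 1
        # Unknown users still get a full hash so timing does not reveal which names exist.
        salt, expected = self.users.get(username, (b"\x00" * 16, b""))
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return 200 if hmac.compare_digest(digest, expected) else 401


def make_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def simulate_burst() -> dict:
    """Constructed scenario: one source fires 50 login attempts in under 2 s against
    different usernames while a legitimate user logs in from another address."""
    api = LoginAPI({"alice": make_user("correct horse"), "bob": make_user("battery staple")},
                   PerClientLimiter(burst=5, per_second=1))
    outcomes = {"throttled": 0, "rejected": 0, "ok": 0}
    for i in range(50):
        status = api.login("203.0.113.10", f"user{i}", "Password1", now_ms=40 * i)
        outcomes[{429: "throttled", 401: "rejected", 200: "ok"}[status]] += 1
    legit = api.login("198.51.100.7", "alice", "correct horse", now_ms=500)
    return {"attacker": outcomes, "legit_status": legit, "kdf_calls": api.kdf_calls}


if __name__ == "__main__":
    # Expected: 44 throttled, 6 hashed and rejected, legitimate user 200, 7 KDF calls in total.
    print(simulate_burst())
```

With a burst of 5 and a refill of one request per second, the 50-request flood costs the server 6 password-hash computations instead of 50, and the legitimate user on a different address is untouched because the bucket is keyed per client. In a real deployment the key would be chosen with care (source IP alone is weak behind shared NATs or a botnet), and the limiter would normally live in the WAF or API gateway rather than in application code, but the ordering is the same: cheap checks first, expensive work only for requests that pass them.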
Implementing Robust Web API Security
As automated attacks become more common, web APIs will continue to grow as a target of cybercriminals. Protecting the sensitive data of the organization and its customers against exposure and ensuring the availability of online services to legitimate customers requires the ability to identify and block these attacks.
One of the major challenges associated with addressing the threat of automated attacks is differentiating malicious bots from benign ones (such as Google’s indexing bots) and legitimate users. Bot developers have made their programs increasingly realistic in order to eliminate indicators that make them easy to identify. As attacks by bots become more common and bots become more sophisticated, organizations will require WAFs capable of identifying and blocking these automated attacks with an extremely high degree of accuracy. Selecting a WAF vendor with a track record of researching the bot threat landscape and integrating malicious bot detection into its products is the most effective way to guarantee that it can keep up with the evolution of automated cybersecurity threats.