The way to stop API breaches: reevaluate the company’s cybersecurity stack

T-Mobile disclosed a new data breach this month after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its application programming interfaces (APIs).

This latest API security incident follows other cases in which 9.8 million customer records were affected at Optus and 5.4 million user records were exposed at Twitter. When API security breaches occur at this magnitude, the discussion usually revolves around which API vulnerabilities or tokens were compromised. We rarely discuss the role that automation plays in enabling and executing these attacks.

API use has increased exponentially, transforming the way online applications are built. APIs have evolved from being the integrator of systems into the primary method of connecting and sharing the world’s applications. Unfortunately, as Gartner predicted, APIs have become the leading attack vector. APIs are either public or private. Public APIs let consumers connect with a company’s services, such as Google Maps, while private APIs are used by the organization that created them to integrate specific data and application functions or to share information with trusted partners. Because private APIs sit closest to that data and functionality, they have become prime targets for attackers.

API security breaches: where are we going wrong?

There are a few reasons APIs have become the leading attack vector:

First, the development of APIs has exploded over the last few years because of the expanding market for cloud services, microservices, and mobile apps. Companies are constantly developing APIs at a pace that’s almost impossible to keep up with – and even harder to secure. Second, many organizations don’t even know how many APIs they have. According to a recent survey of 600 cybersecurity professionals, 74% admitted to not having a complete API inventory or knowledge of APIs that contain sensitive data.

Finally, many companies don’t realize the major role that malicious automation or bot attacks play in the abuse of APIs. Attackers use bots to exploit API vulnerabilities to gain access to user accounts and extract information from them at scale.

Using bots to “get in” and access user accounts

Cybercriminals use malicious bots to systematically perform credential stuffing to abuse account logins. Bots can move fast. With the combination of hundreds of thousands of proxy IP addresses and stolen credentials, attackers can quickly get an API mapped, identify a vulnerable target, and automate against the login to gain access.

Using bots to “get out” and extract data

Bots are also used by attackers to extract data from accounts. They can do it quickly and at a scale that turns the extracted information into profit. For example, in the T-Mobile breach, attackers stole data from 37 million accounts before the activity was noticed. Automation was possibly one of the only ways an extraction of millions of records like this could have occurred.

There are many elements necessary to protect APIs. Taking away the ability to automate against a vulnerable API is a huge step forward in limiting the attacks that can be carried out and the damage they can do. It shows how essential modern bot defense has become for securing APIs alongside other tools.
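The two automated phases described above, the distributed credential-stuffing “get in” and the bulk record-reading “get out”, leave distinct patterns in API access logs. The following is an added defender-side example, not code from the article or from Kasada; the log format, the `/api/login` and `/api/account/{id}` endpoints and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article): ip method path status principal (username on login, session token elsewhere)
SAMPLE_LOG = """\
198.51.100.1 POST /api/login 401 alice
198.51.100.2 POST /api/login 401 bob
198.51.100.3 POST /api/login 401 carol
198.51.100.4 POST /api/login 200 dave
198.51.100.5 POST /api/login 401 erin
203.0.113.9 GET /api/account/1001 200 tok-A
203.0.113.9 GET /api/account/1002 200 tok-A
203.0.113.9 GET /api/account/1003 200 tok-A
192.0.2.7 GET /api/account/7777 200 tok-B
"""
LINE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")
ACCOUNT = re.compile(r"^/api/account/(\d+)$")

def parse_log(text):
    """Parse the raw text into event dicts, skipping malformed lines."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ip, method, path, status, principal = m.groups()
            events.append({"ip": ip, "method": method, "path": path,
                           "status": int(status), "principal": principal})
    return events

def detect_stuffing(events, min_attempts=5, fail_ratio=0.6, new_user_ratio=0.8):
    """Flag distributed credential stuffing on /api/login: mostly failed attempts,
    nearly every attempt a different username, spread over many source IPs."""
    logins = [e for e in events if e["path"] == "/api/login" and e["method"] == "POST"]
    n = len(logins)
    if n < min_attempts:
        return {"flagged": False, "attempts": n}
    failures = sum(1 for e in logins if e["status"] in (401, 403))
    users = {e["principal"] for e in logins}
    ips = {e["ip"] for e in logins}
    flagged = failures / n >= fail_ratio and len(users) / n >= new_user_ratio
    return {"flagged": flagged, "attempts": n, "failures": failures,
            "distinct_users": len(users), "distinct_ips": len(ips)}

def detect_extraction(events, max_accounts=2):
    """Flag session tokens that read more distinct account records than one user plausibly would."""
    seen = defaultdict(set)
    for e in events:
        m = ACCOUNT.match(e["path"])
        if m and e["status"] == 200:
            seen[e["principal"]].add(m.group(1))
    return sorted(t for t, ids in seen.items() if len(ids) > max_accounts)
```

Per-IP rate limits alone miss the first pattern because each proxy IP makes only one attempt; the endpoint-wide username-churn and failure-rate view is what exposes it, while the second check keys on the session token rather than the IP so that one stolen login reading many accounts stands out.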

Reevaluate the company’s cybersecurity stack

Many companies mistakenly believe their existing API security stack, which may include WAFs and API gateways, can fully protect their APIs. While these tools may succeed in preventing some attacks, they are often inadequate at preventing API breaches, since they were designed for other purposes and do not stop malicious automation.

In its recent report Planning Guide 2023: Security and Risk, Forrester advises CISOs to reevaluate their current cybersecurity stack. As threat actors continuously evolve their attack methods, companies must likewise evolve their defenses. At the same time, it's paramount to eliminate the tools that no longer perform. API security and bot management are two of the top technologies that Forrester advises CISOs to focus on as they set their priorities for 2023.

It’s imperative to ensure that the company’s bot defenses are proactive and dynamic. While the industry often hails machine learning as the panacea for API security protection, threat actors have become exceptionally proficient at tricking models with fake data to bypass API security protections. To effectively stop API attacks, companies need to understand the shortcomings of the products they’ve deployed and employ defense-in-response.

Protecting APIs is not just a matter of API security; it is about discovering, detecting, and defending against threats across all of the organization’s business logic. For this reason, it’s absolutely critical to reevaluate the entire cybersecurity stack, prioritizing a holistic security approach that includes stopping malicious bots.

Sam Crowther, founder and CEO, Kasada
