T-Mobile disclosed a new data breach this month after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts via one of its application programming interfaces (APIs).
This latest API security incident follows other cases where 9.8 million customer records were affected at Optus and 5.4 million user records were exposed at Twitter. API security breaches of this magnitude often lead to arguments about which API vulnerability or token was compromised. However, we rarely discuss the role automation plays in enabling and carrying out these attacks.
API usage is growing exponentially and changing the way online applications are built. APIs have evolved from system integration glue into the primary way applications connect and share data around the world. Unfortunately, as Gartner predicted, APIs have become a major attack vector. APIs are either public or private. Public APIs let consumers connect to a company’s services, such as Google Maps. Private APIs, on the other hand, are used by the organizations that created them to integrate specific data and application functionality or to share information with trusted partners. This makes private APIs a prime target for attackers.
API Security Compromise: Where Did We Go Wrong?
There are several reasons why APIs have become a major attack vector.
First, API development has exploded in the last few years as the market for cloud services, microservices, and mobile apps expands. Companies are developing APIs all the time, making it nearly impossible to keep up and even harder to secure. Second, many organizations don’t even know how many APIs they have. According to a recent survey of 600 cybersecurity professionals, 74% admit to not having a full API inventory or knowing which of their APIs handle sensitive data.
Finally, many companies are unaware of the major role malicious automation and bot attacks play in API abuse. Attackers use bots to exploit API vulnerabilities to access users’ accounts and extract information at scale.
Use bots to “break in” and gain access to user accounts
Cybercriminals use malicious bots to systematically steal credentials and abuse account logins. Bots can move fast. By combining hundreds of thousands of proxy IP addresses with stolen credentials, attackers can quickly map APIs, identify vulnerable targets, and automate logins to gain access.
Use bots to “escape” and extract data
Bots are also used by attackers to extract data from accounts. They can do it quickly and at scale, so the information extracted can be profitable. For example, in the T-Mobile breach, the attacker stole data from 37 million accounts before being noticed. Automation was probably the only practical way to extract millions of records like this.
There are many elements that go into securing an API. Removing the ability to automate against vulnerable APIs is a big step forward in limiting both the attacks that can be carried out and the damage they can do. This shows how important a modern bot defense has become for protecting your APIs alongside other tools.
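As an added illustration (not code from the article, T-Mobile or Kasada), the following Python detector looks for the two bot patterns just described, credential stuffing at a login endpoint and bulk record extraction by a single session, in a constructed API access log; the endpoint paths, IP addresses, tokens and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample API access log (not from the article). Fields:
# epoch_seconds client_ip endpoint http_status account_id auth_token
SAMPLE_LOG = """\
1000 203.0.113.5 /v1/login 401 acct-101 -
1001 203.0.113.5 /v1/login 401 acct-102 -
1002 203.0.113.5 /v1/login 401 acct-103 -
1003 203.0.113.5 /v1/login 200 acct-104 -
1004 203.0.113.5 /v1/login 401 acct-105 -
1010 198.51.100.7 /v1/login 401 acct-200 -
1011 198.51.100.7 /v1/login 200 acct-200 -
1020 198.51.100.9 /v1/account 200 acct-300 tok-A
1021 198.51.100.9 /v1/account 200 acct-301 tok-A
1022 198.51.100.9 /v1/account 200 acct-302 tok-A
1023 198.51.100.9 /v1/account 200 acct-303 tok-A
1030 198.51.100.7 /v1/account 200 acct-200 tok-B
1031 198.51.100.7 /v1/account 200 acct-200 tok-B
"""

def parse_log(text):
    """Turn each whitespace-separated log line into a dict of typed fields."""
    events = []
    for line in text.splitlines():
        ts, ip, path, status, acct, token = line.split()
        events.append({"ts": int(ts), "ip": ip, "path": path,
                       "status": int(status), "acct": acct, "token": token})
    return events

def credential_stuffing_ips(events, min_accounts=4, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct accounts at the login endpoint
    and fail most of the time: the signature of bots replaying stolen credentials."""
    per_ip = defaultdict(lambda: {"accts": set(), "total": 0, "failed": 0})
    for e in events:
        if e["path"] != "/v1/login":
            continue
        s = per_ip[e["ip"]]
        s["accts"].add(e["acct"])
        s["total"] += 1
        s["failed"] += e["status"] == 401
    return sorted(ip for ip, s in per_ip.items() if len(s["accts"]) >= min_accounts
                  and s["failed"] / s["total"] >= min_fail_ratio)

def bulk_extraction_tokens(events, min_accounts=4):
    """Flag auth tokens that successfully read many different customers' records;
    a legitimate session reads its own account, a scraper walks through many."""
    per_token = defaultdict(set)
    for e in events:
        if e["path"] == "/v1/account" and e["status"] == 200 and e["token"] != "-":
            per_token[e["token"]].add(e["acct"])
    return sorted(t for t, accts in per_token.items() if len(accts) >= min_accounts)
```

In production the same counts would be kept per sliding time window, and a single proxy IP is a weak signal on its own, so the account-diversity and failure-ratio checks matter more than raw request volume.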
Reassess your company’s cybersecurity stack
Many companies mistakenly believe that their existing API security stack, including WAFs and API gateways, can fully secure their APIs. While these tools may succeed at preventing some attacks, they are inadequate at preventing API breaches, because they were developed for other purposes and often do not stop malicious automation.
Forrester’s recent report, Planning Guide 2023: Security and Risk, advises CISOs to reassess their current cybersecurity stack. As attackers constantly evolve their attack methods, it’s important that enterprises evolve their defenses as well. At the same time, getting rid of tools that no longer work is paramount. API security and bot management are the top two technologies Forrester says CISOs will focus on as they set their 2023 priorities.
Ensuring your enterprise’s bot defenses are proactive and dynamic is essential. While the industry often hails machine learning as a panacea for API security, attackers are very adept at tricking models with fake data to bypass those protections. To effectively thwart API attacks, enterprises must understand the shortcomings of the products they deploy and employ defenses that adapt in response.
In addition to protecting your APIs with API Security, it’s important to discover, detect, and defend against threats across all your organization’s business logic. For this reason, it is imperative that you re-evaluate your entire cybersecurity stack and prioritize a holistic security approach that includes stopping malicious bots.
Kasada founder and CEO Sam Crowther said: