Organizations aren’t slowing down in their use of application programming interfaces (APIs). According to a survey covered by DEVOPSdigest, 61.3% of organizations used more APIs in 2020 than they did a year earlier. An even greater proportion (71.3%) said they plan to use even more APIs in 2021. Another 21.2% expected to use the same number of APIs over the course of the year. But botnet attacks can be a big problem for these. How can you protect yourself while still using the tech you need?

Why Are APIs on the Rise?

The survey findings discussed above highlight the increasing interest in digital growth following the events of 2020. Indeed, Forrester predicted that businesses and agencies will speed up their digital transformation over the course of 2021. One-fifth of them will create digital divisions for the purpose of launching digital products that can help with this, noted Forrester. An even greater percentage (50%) expect to make focusing on the cloud a priority.

They need those APIs to advance in their journeys. As noted by Google, “APIs are the de facto standard for building and connecting modern applications.” They help internal developers to access and reuse data and functionality. They also open their assets up to external developers. This makes it easier to manage, monitor and secure their assets.

Botnet Attacks Target APIs

Organizations can certainly use APIs to secure their digital assets. However, along the way, they need to consider the APIs themselves. Otherwise, they could end up repeating 2020. That’s the year when 98% of organizations witnessed attacks against their applications, according to a study from security firm Radware and Osterman Research.

Various factors contributed to these attacks, but API defenses stood out as the weakest link. Two-fifths of respondents said that more than half of their applications were exposed to the internet or to third-party services via their APIs. Nearly half of survey participants experienced an injection attack and some form of element/attribute manipulation on a monthly basis, at 49% and 42%, respectively. Monthly denial-of-service (DoS) attacks were even more prevalent, at 55% of cases.

Those DoS attacks stood out in this study, for they were the most common type of botnet attack reported. Of the 82% of respondents that reported botnet attacks against their APIs, 86% said that they suffered a DoS incident. Next on the list came web scraping (84%) and account takeover (75%). Some DoS victims saw an attack only once a month. But plenty of others faced them more often. A third said that those attacks happened weekly. Another 5% said that they faced an attack at least once a day.

Protection Against API Botnet and DoS Attacks

In an API DoS attack, a malicious actor sends requests from multiple clients to overload an API service. Many groups use rate-limiting controls to prevent this from crashing their apps. In response, the attackers use botnets already trained to detect and remain within the confines of those controls. This helps to keep traffic at acceptable levels such that security solutions, such as API management systems and distributed denial-of-service (DDoS) attack prevention tools, don’t raise an alert of something amiss.

That highlights the larger problem of how to manage bot traffic more broadly. In the survey from Radware, under a quarter (24%) of respondents said that they had a specific solution for distinguishing real users from bots. Only 39% said they were confident in their visibility into malicious botnet activity.
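The evasion described above, where every bot stays just under the per-client cap, is exactly what a per-client rate limiter cannot see on its own. The added example below (illustrative code, not from the original article or any vendor product) pairs a sliding-window per-client limiter with an endpoint-wide monitor that looks at the aggregate: the total request count against a baseline and the share of clients running close to the cap. The limits, baseline and the simulated traffic (five ordinary users plus a 40-node botnet) are constructed assumptions for the demonstration.

```python
from collections import Counter, defaultdict, deque

# Assumed policy values for this example (not taken from the article).
PER_CLIENT_LIMIT = 10      # requests per client per window
WINDOW_SECONDS = 60.0
ENDPOINT_BASELINE = 120    # requests per window the endpoint normally sees


class PerClientLimiter:
    """Sliding-window rate limiter keyed by client id (API key or source IP)."""

    def __init__(self, limit=PER_CLIENT_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)

    def allow(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class AggregateMonitor:
    """Looks at the endpoint as a whole. A botnet that keeps each client under
    the per-client cap still shows up as a total rate far above baseline with
    an unusually large share of clients sitting right at the cap."""

    def __init__(self, window=WINDOW_SECONDS, baseline=ENDPOINT_BASELINE,
                 per_client_limit=PER_CLIENT_LIMIT):
        self.window = window
        self.baseline = baseline
        self.per_client_limit = per_client_limit
        self.events = deque()   # (timestamp, client)

    def record(self, client, now):
        self.events.append((now, client))

    def assess(self, now):
        while self.events and now - self.events[0][0] >= self.window:
            self.events.popleft()
        total = len(self.events)
        per_client = Counter(c for _, c in self.events)
        near_cap = sum(1 for n in per_client.values()
                       if n >= 0.8 * self.per_client_limit)
        share_near_cap = near_cap / len(per_client) if per_client else 0.0
        # Assumed thresholds: twice the baseline and a majority of clients near the cap.
        suspicious = total > 2 * self.baseline and share_near_cap > 0.5
        return {"total": total, "clients": len(per_client),
                "share_near_cap": round(share_near_cap, 2),
                "suspicious": suspicious}


def simulate():
    """Constructed traffic: 5 ordinary users sending 3 requests each, plus a
    40-node botnet whose members each send 9 requests (under the cap of 10)
    within the same minute."""
    limiter = PerClientLimiter()
    monitor = AggregateMonitor()
    blocked = 0
    t = 0.0
    for u in range(5):
        for _ in range(3):
            t += 0.1
            client = f"user-{u}"
            if limiter.allow(client, t):
                monitor.record(client, t)
            else:
                blocked += 1
    for b in range(40):
        for _ in range(9):
            t += 0.1
            client = f"bot-{b}"
            if limiter.allow(client, t):
                monitor.record(client, t)
            else:
                blocked += 1
    return {"blocked_by_limiter": blocked, "assessment": monitor.assess(t)}


if __name__ == "__main__":
    print(simulate())
```

In the simulated minute the per-client limiter blocks nothing, because no single bot exceeds ten requests, while the aggregate monitor flags the window: 375 requests against a baseline of 120, with 89% of clients at or near the cap. The point is that the aggregate signal, not the per-client counter, is what surfaces a rate-limit-aware botnet.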

API Security Meets Botnet Protection

Organizations can only prepare for botnet attacks on their APIs by practicing both API security and bot management. Regarding the former, focus on setting up authentication on APIs. This will help to prevent malicious actors from using botnets to conduct brute-force password and DoS attacks. They should consider using multi-factor authentication (MFA) as a means of obtaining an access token through an external process like the OAuth protocol. With that scheme in place, defenders can focus on a solution such as a secrets management store. Doing so will help them to automate their processes of keeping their API access tokens safe and secure. In addition, look at measures such as role-based access control to control who can access which API resources.
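The token-plus-role scheme described above, as an added example that is not code from the original article: a gateway that verifies a signed access token (signature and expiry first) and only then consults a role-based permission map for the requested method and resource. It uses an HMAC-signed token as a stand-in for what an OAuth authorization server would issue after the user has completed MFA; the signing key, the role map and the token claims are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed gateway signing key for this example; in practice it lives in a secrets store.
SIGNING_KEY = b"example-gateway-key-not-for-production"

# Role -> allowed (method, resource) pairs. Assumed policy, not from the article.
ROLE_PERMISSIONS = {
    "reader": {("GET", "/orders")},
    "editor": {("GET", "/orders"), ("POST", "/orders")},
    "admin":  {("GET", "/orders"), ("POST", "/orders"), ("DELETE", "/orders")},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject, role, ttl_seconds, now=None):
    """Mint a token after the caller has authenticated. MFA is assumed to have
    happened in this issuing step (e.g. at an OAuth authorization server)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "role": role, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def authorize(token, method, resource, now=None):
    """Return (allowed, reason). Signature and expiry are checked before the
    role map is consulted, so forged or stale tokens never reach RBAC."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False, "bad signature"
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if (method, resource) not in ROLE_PERMISSIONS.get(claims.get("role"), set()):
        return False, "role not permitted"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("alice", "reader", ttl_seconds=300)
    print(authorize(tok, "GET", "/orders"))      # (True, 'ok')
    print(authorize(tok, "DELETE", "/orders"))   # (False, 'role not permitted')
```

Ordering matters here: a token whose role claim has been edited fails the signature check before its claims are ever parsed, and an expired token is rejected before the permission lookup, which keeps the RBAC decision from ever running on untrusted input.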

On the bot management side of things, organizations can similarly implement MFA to prevent instances of credential stuffing, as well as identity and access management to control which resources are available to which user accounts. Those practices can lay the groundwork for more controls such as CAPTCHAs and cloud-based web application firewalls. The former can help block bots from filling out forms, entering credentials and/or even connecting to a site. The latter is useful for rooting out botnet attacks based upon their behavior, and it can do so before the bots have a chance to interact with the site.

An Eye Toward the Future

The threats facing APIs are evolving. The growth of artificial intelligence (AI) is helping to fuel the possibility of AI-powered digital attacks. Such incidents could take the form of phishers using machine learning algorithms to generate convincing messages as part of a business email compromise. From there, they can stage a brute force attack against APIs. They could also involve a botmaster using AI-powered software to probe a network so that they can know exactly where they want to strike their intended target.

These emerging threats highlight how some API protection efforts could benefit from working with a trusted vendor. A solution that centralizes security functions in a single gateway will help to provide even more powerful API security as part of a single package.
