Shadow APIs emerging as the next cybersecurity battlefront

source link: https://itwire.com/guest-articles/guest-opinion/shadow-apis-emerging-as-the-next-cybersecurity-battlefront.html

Monday, 07 August 2023 16:26

By Glen Maloney, ANZ country lead at Cequence Security

GUEST OPINION: Shadow APIs have become a significant IT security threat in recent years. Cybercriminals increasingly exploit them to gain unauthorised access to systems, with the objective of causing disruption or financial loss.

According to the most recent API Protection Report, of the more than 20 billion transactions analysed from the first half of 2022, 16.7 billion were malicious, and the majority of those targeted unknown, unmanaged and unprotected application programming interfaces (APIs), commonly known as shadow APIs.

Shadow APIs are a common problem for many organisations because they were created without the IT or security team's knowledge, which makes them invisible to existing controls. An endpoint that is missing from the inventory cannot be covered by quality assurance, usage monitoring or protection, so the inventory is inaccurate from the outset.

Attackers, meanwhile, can quickly identify the API endpoints that interact with production data, and by analysing a known production API they can infer the existence of its undocumented siblings.

Even a well-protected production API can betray the others. By fuzzing, that is, systematically modifying the version, host, path and parameter values of the known and protected API, an attacker can enumerate neighbouring endpoints that were never published or protected.

Use of automation tools

Enumeration is easily automated with tools that run through candidate sequences at speed. Attackers vary the API version in the path (for example, requesting /v1/ where only /v2/ is documented), try the same path under other host names, and append random characters to the end of the URI path to see whether the route still matches. Any response that differs from a plain "not found" reveals an endpoint, and the information gathered is akin to handing the attacker the user manual for the API.
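As an added example, not code from the article or from Cequence Security: the enumeration described above, turned into a check a team can run against its own API to find what an attacker would find first. Starting from one documented endpoint it generates the version, host-name and trailing-character variants and reports every candidate whose response differs from the server's own "not found" answer. The stub transport and its routes (api.example.com, api-internal.example.com, the /v1/accounts and /accounts/export paths) are constructed for the example; replace send() with a real HTTP client to run it against an API you are authorised to test.

```python
"""Shadow-API enumeration check (constructed example, see lead-in)."""
import re
from itertools import product
from urllib.parse import urlsplit, urlunsplit

# Constructed stub of a target service. The documented /v2/accounts endpoint
# demands a token, but an older /v1/accounts still answers without one, and an
# internal host exposes an export route that nobody inventoried.
STUB_ROUTES = {
    ("api.example.com", "/v2/accounts"): (401, '{"error":"token required"}'),
    ("api.example.com", "/v1/accounts"): (200, '[{"id":1,"email":"a@example.com"}]'),
    ("api-internal.example.com", "/v2/accounts/export"): (200, "id,email\n1,a@example.com"),
}


def send(method, url):
    """Stub transport returning (status, body). Swap for a real HTTP client."""
    parts = urlsplit(url)
    return STUB_ROUTES.get((parts.netloc, parts.path), (404, '{"error":"not found"}'))


VERSION_RE = re.compile(r"^/v\d+(?=/)")


def candidates(base_url, hosts=(), versions=("v1", "v2", "v3", "beta"),
               suffixes=("", "/export", "/all", "x")):
    """Derive candidate URLs from one documented endpoint.

    Varies the version segment (or adds one if the path has none), tries each
    alternate host name, and appends trailing characters to the path, which is
    exactly what the enumeration tooling described above automates.
    """
    parts = urlsplit(base_url)
    all_hosts = (parts.netloc,) + tuple(h for h in hosts if h != parts.netloc)
    if VERSION_RE.match(parts.path):
        paths = [VERSION_RE.sub("/" + v, parts.path, count=1) for v in versions]
    else:
        paths = [parts.path] + ["/" + v + parts.path for v in versions]
    seen = set()
    for host, path, suffix in product(all_hosts, paths, suffixes):
        url = urlunsplit((parts.scheme, host, path + suffix, "", ""))
        if url not in seen:
            seen.add(url)
            yield url


def enumerate_shadow(base_url, hosts=()):
    """Return {url: (status, body)} for every candidate that is not a plain 404.

    The "not found" baseline is measured per host with a path that cannot
    exist, because hosts often differ in how they answer unknown routes.
    """
    scheme = urlsplit(base_url).scheme
    not_found = {}
    found = {}
    for url in candidates(base_url, hosts):
        if url == base_url:
            continue  # the documented endpoint itself is not a discovery
        host = urlsplit(url).netloc
        if host not in not_found:
            probe = urlunsplit((scheme, host, "/zz-does-not-exist-9f3a7c", "", ""))
            not_found[host] = send("GET", probe)
        response = send("GET", url)
        if response != not_found[host]:
            found[url] = response
    return found


if __name__ == "__main__":
    hits = enumerate_shadow("https://api.example.com/v2/accounts",
                            hosts=("api-internal.example.com",))
    for url, (status, body) in sorted(hits.items()):
        print(f"{status} {url} {body[:40]!r}")
```

Against the stub this reports /v1/accounts on the public host and /v2/accounts/export on the internal host, the two routes the documented endpoint "betrayed". Real services rarely return a byte-identical body for every unknown route, so compare the status plus a fingerprint of the body (its length, or a hash with timestamps stripped) rather than the raw text; whatever still differs from the baseline belongs in the inventory.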

Shadow APIs can expose excessive amounts of sensitive data and functionality that are then used in a variety of attacks. These range from relatively slow-paced card testing fraud, in which stolen credit card numbers are validated with small transactions, to high-volume credential stuffing campaigns that replay compromised usernames, email addresses and passwords to gain unauthorised access to protected accounts.

They also enable high-volume bot attacks against retail websites, allowing scalpers to snap up the latest must-have item when demand outstrips supply.

Recently, a large US-based footwear and apparel retailer detected and mitigated a bot attack in which traffic reached 50 times its normal level: 200 million API requests from roughly 6 million unique IP addresses. It quickly became clear that the attackers had done their homework and knew of a shadow API that invoked the Apple Pay functionality on the retailer's platform.

The attackers were also patient, holding off on the shadow API until the last minute to avoid detection. As soon as the product launch began, the shadow Apple Pay API was hit with more than 100 million malicious requests, all routed through high-quality residential proxies, which makes the traffic hard to separate from genuine customers on IP reputation alone.

A constantly growing problem

Shadow API abuse consistently topped the attack charts in the first half of the year, and the report reveals a significant surge in April, with attacks continuing to rise since. The focus has been high-volume content scraping from these APIs, with the scraped data then used predominantly in shopping bot and gift card attacks.

The rise in attacks on shadow APIs indicates that cybercriminals continue to analyse in detail how each API works and how the APIs interact with one another, and they use that knowledge to turn the APIs against their owners. Security teams, meanwhile, are working blind, because they are dealing with an unknown and unquantified risk.

To overcome this, security teams need a holistic approach to API security. It must begin with discovery: uncovering every API in use across the organisation, including those that exist only in live traffic and in no specification, and reconciling the two views. Once an inventory exists, continuous risk analysis can determine which additional steps are needed to thwart future attacks.
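As an added example, not code from the article or from Cequence Security, and covering both the discovery step above and the retailer incident earlier in the piece: reconcile the endpoints that actually appear in access logs with the documented inventory, then flag two things, endpoints that are called but not documented (the shadow APIs) and documented endpoints whose request volume or source-IP diversity has jumped far past their baseline, using the 50x figure from the incident as the default threshold. The inventory, the baseline, the log format and the traffic scenario (including the /v1/applepay/session path) are all constructed for the example; a real run would read the inventory from an OpenAPI specification and the traffic from gateway or web server logs.

```python
"""API inventory reconciliation and volume anomaly check (constructed example)."""
import re
from collections import defaultdict

# Constructed inventory, as an OpenAPI specification would list it: (method, path template).
INVENTORY = {
    ("GET", "/v2/products"),
    ("GET", "/v2/products/{id}"),
    ("POST", "/v2/checkout"),
}

# Constructed baseline from a normal window: (requests, unique source IPs) per endpoint.
BASELINE = {
    ("GET", "/v2/products"): (50, 20),
    ("GET", "/v2/products/{id}"): (200, 60),
    ("POST", "/v2/checkout"): (8, 7),
}

# Constructed traffic for a window of the same length: (method, path template,
# requests, distinct IPs). A launch-day scrape of product pages and a burst
# against an undocumented Apple Pay session endpoint sit on top of normal traffic.
SCENARIO = [
    ("GET", "/v2/products/{id}", 12000, 4500),
    ("GET", "/v2/products", 50, 20),
    ("POST", "/v2/checkout", 8, 7),
    ("POST", "/v1/applepay/session", 3000, 2800),
]

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def make_log(scenario):
    """Render the scenario as common-log-format lines (constructed data)."""
    lines = []
    for method, template, n_requests, n_ips in scenario:
        for i in range(n_requests):
            k = i % n_ips  # spread requests over n_ips distinct addresses
            ip = f"10.{(k >> 16) & 255}.{(k >> 8) & 255}.{k & 255}"
            path = template.replace("{id}", str(1000 + i))
            lines.append(f'{ip} - - [07/Aug/2023:09:00:00 +1000] "{method} {path} HTTP/1.1" 200 512')
    return "\n".join(lines)


def normalise(path):
    """Map a concrete path to its template: drop the query string, replace numeric segments with {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def observe(log_text):
    """Aggregate (method, template) -> (request_count, unique_ips) from raw log lines."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or attacker-shaped line: skip it, do not crash the pipeline
        key = (m["method"], normalise(m["path"]))
        counts[key] += 1
        sources[key].add(m["ip"])
    return {key: (counts[key], len(sources[key])) for key in counts}


def shadow_endpoints(observed, inventory):
    """Endpoints seen in traffic that the specification does not know about."""
    return sorted(key for key in observed if key not in inventory)


def volume_anomalies(observed, baseline, factor=50):
    """Documented endpoints whose requests or distinct IPs reach factor x baseline.

    Returns {endpoint: (request_ratio, ip_ratio)}. Endpoints with no baseline
    cannot be scored here; they are exactly the ones shadow_endpoints() reports.
    """
    flagged = {}
    for key, (requests, unique_ips) in observed.items():
        if key not in baseline:
            continue
        base_requests, base_ips = baseline[key]
        ratios = (requests / max(base_requests, 1), unique_ips / max(base_ips, 1))
        if max(ratios) >= factor:
            flagged[key] = ratios
    return flagged


if __name__ == "__main__":
    observed = observe(make_log(SCENARIO))
    print("shadow:", shadow_endpoints(observed, INVENTORY))
    print("anomalies:", volume_anomalies(observed, BASELINE))
```

On the constructed traffic the product-detail endpoint is flagged at 60x its request baseline and 75x its IP baseline, while the Apple Pay session endpoint is reported only as a shadow endpoint: with no specification entry there is no baseline to score it against, which is the article's point. Every template that shadow_endpoints() returns needs a decision, add it to the inventory and protect it or switch it off, before the continuous risk analysis can cover it.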

Shadow APIs will remain an area of critical risk for many organisations for some time. By taking the time to understand fully how APIs are being used across the business, and then taking the required steps to secure them, organisations can reduce their chances of falling victim to an attack.
