Highlights:
- One significant instance of an API scraping attack was made public in 2021 when it was discovered that 530 million Facebook users’ data had been made accessible to the public on the dark web.
- In the most recent Google Security Research Report from Google Cloud, it was noted that 77% of the organizations surveyed had delayed the release of new services and applications as a result of API security incidents that occurred in 50% of those organizations in the previous 12 months.
The cloud division of Google LLC recently announced an API abuse detection dashboard which is powered by machine learning algorithms in response to the rising number of security threats to businesses and the increased traffic on application programming interfaces.
Because business logic attacks are notoriously difficult to detect and defend against, they are the main focus of the new feature, which expands Google’s Apigee Advanced API Security dashboard. Such attacks frequently target APIs that handle sensitive information, business operations, and intellectual property, including products, user data, product listings, and financial data.
Shelly Hershkovitz, a Product Manager at Google Cloud, said: “Organizations in every region and industry are increasingly producing and consuming APIs because they enable easier delivery of services and data in the digital environment. Because of that, the API usage and traffic volumes have grown. For example, the volume of API traffic processed by Apigee over Black Friday and Cyber Monday has grown year-over-year for the past three years, and between 2021 to 2022, it had an increase of 35%.”
This increased traffic coincides with a necessary increase in API disruptions and security threats. In the most recent Google Security Research Report from Google Cloud, it was noted that 77% of the organizations surveyed had delayed the release of new services and applications as a result of API security incidents that occurred in 50% of those organizations in the previous 12 months. According to a 2022 Imperva report, these incidents can also be expensive. It found that global organizations had to pay between USD 41 and USD 75 billion annually for insecure APIs.
Hershkovitz said, “We are focusing on business logic attacks such as scraping and anomalies.”
In 2021, it was discovered that the data of 530 million Facebook users had been made available to the public on the dark web, a part of the internet reachable only with specialized software. This incident served as a major illustration of an API scraping attack. Facebook at the time disclosed that this data had been obtained through “scraping,” which is when an attacker makes use of otherwise legitimate access to an API to download sizable amounts of private data from it.
This kind of behavior can typically be blocked with rules that limit the number of requests made within a given period from a particular internet address or API key. Attackers adapt, however, by spreading their requests across numerous bots and internet addresses, and by using other methods, to evade these rules and security measures.
The same applies to suspicious or errant traffic that tries to compromise an API to gain elevated access, or to infiltrate a network and alter the data the API returns to other users. That is particularly risky because the effects can be catastrophic, especially in regulated industries like finance, and monitoring software may find such activity even harder to detect.
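The per-address and per-key rule described above, together with the distributed scraping it misses, as an added Python example that is not Google's or Apigee's code; the thresholds, endpoint names, identities and traffic are constructed assumptions:

```python
from collections import defaultdict, deque

WINDOW_S = 60           # sliding window length in seconds
PER_IDENTITY_LIMIT = 5  # requests allowed per (api_key, ip) identity per window
MIN_IDENTITIES = 10     # distinct identities on one endpoint before a bot fleet is suspected
MIN_RESOURCES = 40      # distinct records pulled from that endpoint inside the window

def _trim(dq, now, ts=lambda x: x):
    while dq and now - ts(dq[0]) > WINDOW_S:  # drop records that fell out of the window
        dq.popleft()

class ScrapeMonitor:
    """Per-identity rate limit plus a cross-identity check for distributed scraping."""
    def __init__(self):
        self.per_identity = defaultdict(deque)  # identity -> request timestamps
        self.per_endpoint = defaultdict(deque)  # endpoint -> (t, identity, resource_id)
        self.alerted = set()                    # endpoints already reported

    def observe(self, t, api_key, ip, endpoint, resource_id):
        """Returns ('block', None), ('alert', summary) or ('allow', None)."""
        identity = (api_key, ip)
        q = self.per_identity[identity]
        _trim(q, t)
        if len(q) >= PER_IDENTITY_LIMIT:  # the classic per-key / per-address rule
            return "block", None
        q.append(t)
        ep = self.per_endpoint[endpoint]
        _trim(ep, t, ts=lambda r: r[0])
        ep.append((t, identity, resource_id))
        identities = {r[1] for r in ep}
        resources = {r[2] for r in ep}
        # Many low-rate identities jointly enumerating many records: invisible per identity.
        if (endpoint not in self.alerted and len(identities) >= MIN_IDENTITIES
                and len(resources) >= MIN_RESOURCES):
            self.alerted.add(endpoint)  # report once, with what a responder needs first
            return "alert", {"title": f"Possible distributed scraping of {endpoint}",
                             "endpoint": endpoint, "identities": len(identities),
                             "resources": len(resources), "duration_s": t - ep[0][0]}
        return "allow", None

def build_sample():
    """Constructed traffic: 12 bots each fetch 4 sequential profiles, staying under the
    per-identity limit, plus one noisy client that exceeds that limit by itself."""
    reqs, uid = [], 1000
    for bot in range(12):
        for j in range(4):
            reqs.append((2 * bot + 0.5 * j, f"key{bot}", f"198.51.100.{bot}", "/v1/users", uid))
            uid += 1
    reqs += [(30 + j, "keyX", "203.0.113.9", "/v1/orders", 7) for j in range(7)]
    return reqs
```

Every bot in the constructed sample stays below the per-identity limit, so only the endpoint-wide view of distinct identities and distinct records enumerated exposes the scrape, while the single noisy client is caught by the ordinary rule.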
Hershkovitz said, “The new machine learning models that power our Apigee API abuse detection have been trained and used by Google’s internal teams to protect some of the company’s public-facing APIs. So now we’re bringing them into Apigee for our customers to better secure and protect their APIs.”
Because the models have been trained on years of traffic and on best practices for threat identification, they are well placed to recognize and model what should and should not be happening in API traffic. They are particularly useful for sifting through the alerts produced by rules intended to detect less complex attacks, which can generate a large volume of alerts, many of them not urgent, and for handling multiple bot attacks at once, which lets teams deal with the most pressing issues more quickly.
The dashboard’s machine learning-powered abuse detection algorithm will also flag critical events with “human-friendly” titles that attempt to capture the attack’s key components, such as the attack’s origin, the APIs it affected, and its duration, so that security teams can respond to the situation more quickly.
Additionally, the dashboard offers a method to drill down into the attack, a way to compare it to other attacks of a similar nature, and suggestions for how to respond to the event as soon as feasible.