As companies move applications to the cloud and expose functionality via application programming interfaces (APIs), criminals have been moving quickly to take advantage of this newly exposed attack surface. By using botnets, they can dramatically increase the reach and effectiveness of their attacks. As with many new technologies, security is lagging behind.
The problem is that companies must be strategic about where they spend their security money, says John Carey, managing director in the technology practice at AArete, a management consulting firm. Investments in anti-bot technology are usually invisible to customers. “Tools and skills are in demand and increasingly expensive,” he says. “Similarly, the threat landscape is expanding, as it’s a lucrative crime area.”
Botnet attacks on APIs a growing problem
According to a report by security firm Radware and Osterman Research released earlier this year, 98% of organizations saw attacks against their applications in 2020, and 82% reported attacks by bots. The most common types of bot attacks are denial of service (DoS), experienced by 86% of companies, web scraping, seen by 84%, and account takeover, reported by 75%.
API security was a “top priority” for 55% of organizations surveyed, and 59% said they want to “invest heavily” in it during 2021. Only a quarter of companies said they used bot management tools. Over the next year, 59% of organizations said they planned to invest heavily in API protection and 51% planned to invest in web application firewalls, but only 32% said they planned to invest in bot management tools. In addition, only 52% of companies fully integrated security into continuous delivery of APIs, compared to 63% for web applications.
The situation is only getting worse. According to a March report from the Council to Secure the Digital Economy (CSDE), the Consumer Technology Association, and trade group USTelecom, the destructive potential of botnets has increased exponentially as they leverage IoT devices, which are estimated to reach 80 billion in number by 2025, or ten times the size of the world’s human population. APIs are a juicy target, since they allow enterprises to expose back-end data and functionality to trusted partners, customers, and the public. The CSDE recommends API gateways to help protect them against botnets.
According to data from security firm GreyNoise Intelligence, during the past three months, more than 6,800 IP addresses have been scanning the internet for ENV files, which are configuration files that are used to store things like database logins, passwords, and API tokens. Of this traffic, 1.4% was known to be benign, says Nathan Thai, research lead at GreyNoise. “Some security companies will scan for these files,” he says. “They have no malicious intent, just doing surveys or reports.”