Cequence Security, the Unified API Protection (UAP) provider, has released its second-half 2022 report titled "API Protection Report: Holiday Build-up Shows 550% Jump in Unique Threats."
Developed by the CQ Prime Threat Research Team, the report is based on analysing approximately one trillion API transactions spanning various industries over the second half of 2022. It seeks to highlight the latest API threat trends plaguing organisations today.
“As compared to other reports based on survey and qualitative data, our report covers actual tactics, techniques, and procedures (TTPs) employed by threat actors targeting consumer-facing, business-to-business (B2B), and machine-to-machine APIs. It serves as a critical resource for decision-makers, security professionals, and other stakeholders tasked with safeguarding their organisation,” says Cequence Security.
“API breaches have plagued numerous high-profile organisations in recent months, elevating the need for CISOs to prioritise API protection. Attackers are getting more creative and specific in their tactics, and traditional protection techniques are no longer enough,” says Ameya Talwalkar, CEO and founder of Sequence Security. "As attack automation becomes an increasingly prevalent threat against APIs, it's critical that organisations have the tools, knowledge and expertise to defend against them in real-time."
Some of the key findings mentioned in the report are as follows.
In the second half of 2022 alone, approximately 45 billion search attempts were made for shadow APIs, marking a 900% increase from the 5 billion attempts made in the first half of 2022.
There was a 550% increase in the number of unique TTPs employed by attackers, rising from approximately 2,000 in June to 11,000 towards the end of 2022.
From June 2022 to October 2022, attackers favoured traditional application security tactics; however, as the holidays approached, there was a 220% surge in API security tactics.
Most re-tool attempts in the telecom industry were entirely new TTPs, which shows that the threat tactics utilised are diverse, sophisticated, and persistent.
The CQ Threat Research Team previously identified the need for API10+ to go beyond the OWASP API Top 10 to include protection against automated attacks.
“The threat report findings confirm the past observations made by Cequence and endorse the inclusion of native bot mitigation capabilities to a robust API security program,” says the company.
“The report clearly demonstrates that the API threat landscape is constantly evolving, and organisations need to be vigilant in protecting their APIs and web applications from automated threats (bots) and vulnerability exploits. Attackers are becoming more sophisticated and API-specific in their tactics, and traditional protection techniques continue to provide ineffective defence,” says Talwalkar.
“Our research is vital in providing organisations with the necessary tools and knowledge to mitigate attacks in real-time. By staying ahead of the curve and understanding the latest attack methods and tools, organisations can achieve Unified API Protection and build the awareness and confidence needed to protect their APIs from even the most sophisticated attacks."