
Introducing Integrated API Abuse Prevention to Combat Bad Bots

In recent years there's been a rise in "API Abuse" attacks, which include detrimental automated behaviors such as malicious bots, account takeover (ATO), credential stuffing, application layer (L7) DDoS, data scraping, and more. For instance, in April 2021 malicious actors scraped the personal data of over 533 million Facebook users, including phone numbers, email addresses, locations and much more, by exploiting a vulnerability in Facebook's API. The attackers then made the data available for sale on the dark web, exposing millions of users to potential identity theft, phishing attacks, and other forms of cybercrime.

Because APIs serve as a means for different software systems to automatically communicate and exchange data with no direct oversight, they can be abused by systems (and the people behind them) to behave outside expectations, which can lead to various negative consequences such as:

  • Data breaches: API abuse can result in unauthorized access to sensitive data, leading to data breaches and privacy violations.
  • Service disruption: Denial-of-Service (DoS) or Distributed DoS (DDoS) attacks targeting APIs can cause service outages, disrupting business operations and user experience.
  • Financial losses: Organizations may incur financial losses due to fraud, stolen data, or reputational damage resulting from API abuse.

Traditional security tools, including Rate Limiting and DDoS Protection, can be useful for reducing volumetric attacks, but generally cannot distinguish between legitimate and malicious traffic. And traditional Bot Management on API endpoints only works reasonably well when finding bad actors among human users.

But since APIs are automated, it's really about finding bad bots among other bots. To solve this problem, our approach to API abuse prevention is about intent and context — basically allowing you to assess the aims of each request, at scale.

Wallarm API Abuse Prevention involves analyzing patterns and actions of users (human or machine) interacting with API endpoints to identify and flag suspicious activities. By monitoring actual behavior, we can detect potential threats such as credential stuffing, account takeover attempts, or other malicious actions.

Some examples of suspicious activities which we can detect include:

  • Credential Stuffing: Identifying multiple failed login attempts with different usernames but similar IP addresses or patterns can indicate an automated credential stuffing attack.
  • Unusual Access Patterns: Monitoring access patterns, such as sudden spikes in API requests or access from geographically disparate locations within a short time frame, can help identify potential API abuse attempts.
  • Abnormal API Usage: Tracking API usage metrics, such as unexpected API resource consumption, unusual transaction volumes, or anomalous data retrieval patterns, can indicate malicious activities.
  • Rapid Iteration: Detecting rapid iteration through a large number of API endpoints or data points in a short time period may indicate scraping or data harvesting attempts.
  • Anomalous User Sessions: Identifying unusual session behavior, such as frequent session creation and deletion or simultaneous access from multiple devices or locations, can signal account compromise or unauthorized access attempts.
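
As an added illustration of two of the heuristics listed above (credential stuffing and rapid iteration), and not Wallarm's implementation, the sketch below runs a per-IP sliding window over constructed access-log events. The event tuple layout, the 60-second window and both thresholds are assumptions chosen for the sample data.

```python
from collections import defaultdict, deque

WINDOW = 60              # seconds of history kept per client (assumed)
MAX_FAILED_USERS = 10    # distinct usernames with failed logins per IP (assumed)
MAX_DISTINCT_PATHS = 30  # distinct resources read successfully per IP (assumed)

def sample_events():
    """Constructed events: (epoch_seconds, client_ip, path, status, username)."""
    ev = []
    for i in range(12):   # one IP, 12 different usernames, all failing
        ev.append((1000 + 2 * i, "203.0.113.7", "/login", 401, f"user{i}"))
    for i in range(3):    # one person mistyping their own password
        ev.append((1005 + 5 * i, "198.51.100.4", "/login", 401, "alice"))
    for i in range(40):   # client walking sequential object IDs
        ev.append((1100 + i, "192.0.2.9", f"/api/users/{i}", 200, None))
    for i in range(40):   # ordinary client re-reading the same few objects
        ev.append((1100 + i, "198.51.100.4", f"/api/users/{i % 3}", 200, "alice"))
    return sorted(ev, key=lambda e: e[0])

def detect(events, window=WINDOW):
    """Return a set of (client_ip, reason) for clients exceeding a threshold."""
    recent = defaultdict(deque)  # ip -> events still inside the window
    alerts = set()
    for ts, ip, path, status, user in events:
        q = recent[ip]
        q.append((ts, path, status, user))
        while q[0][0] <= ts - window:  # expire events older than the window
            q.popleft()
        # Many *different* usernames failing from one source suggests a
        # credential list, not a forgetful user repeating one username.
        failed_users = {u for _, p, s, u in q if p == "/login" and s == 401}
        # Breadth of distinct resources, not raw request count, separates
        # harvesting from a busy but legitimate client.
        paths = {p for _, p, s, _ in q if s == 200}
        if len(failed_users) >= MAX_FAILED_USERS:
            alerts.add((ip, "credential_stuffing"))
        if len(paths) >= MAX_DISTINCT_PATHS:
            alerts.add((ip, "rapid_iteration"))
    return alerts

if __name__ == "__main__":
    for ip, reason in sorted(detect(sample_events())):
        print(ip, reason)
```

Both signals count distinct values rather than volume, which is why the client at 198.51.100.4 is not flagged even though it sends as many requests as the scraper.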

Wallarm employs AI-driven anomaly detection algorithms to identify unusual patterns in API requests, user sessions, or data access. These algorithms learn from normal user behavior and can flag potential API abuse in real-time, allowing organizations to take proactive measures to mitigate threats.

Some of the advantages to our approach include: 

  • It Provides Detection and Protection. You can guard against the blind spot in your API defenses by recognizing and differentiating between legitimate vs. malicious automated behaviors, and blocking those likely to cause harm based on your unique scenarios.
  • It’s Integrated. Our API Abuse Prevention capability is delivered as part of the Wallarm End-to-End API Security solution, providing you with a single platform to protect your entire API estate so you do not have to add another tool / workflow into your process.
  • It’s Customizable. You can assemble detectors and thresholds to customize protections appropriate for your API estate.

Wallarm API Abuse Prevention is currently available via our Early Access Program (EAP), after months of work with Alpha users. With the capabilities and value of our integrated API Abuse Prevention solution already demonstrated, the EAP allows users to experience new features and functionalities ahead of full release. This enables you to stay ahead of the curve while also contributing to our continuous development and improvement efforts by reporting bugs, suggesting enhancements, and shaping its final form.
