Deconstructing API Attacks

PUBLISHED ON November 22, 2022
LAST UPDATED Nov 22, 2022

Over the last couple of decades, attackers have built up a sizeable arsenal of tools, techniques, and knowledge related to common technology stacks and security controls. They put all these resources into play when attacking APIs. As a result, threat actors are more innovative, and their attacks are more advanced, than ever before. 

API Attacks Are Sophisticated 

API attacks aren’t one-and-done, but are complex, multi-step processes, often involving large-scale botnets and denial of service techniques. Attackers take their time, methodically sizing up the target and strategically avoiding detection by using multiple tools and techniques that aren’t easily recognized by traditional defenses. You can think of an API attack as an advanced persistent threat on steroids. 

Step by Step

API attacks are commonly spread out over several coordinated steps, which individually appear innocuous. And because attackers often attempt to abuse the business logic of an application, their input isn’t obviously malicious. These multi-step attacks can be very hard to detect as attackers build upon earlier reconnaissance and information leaks. The attacks can appear to be normal traffic when requests are evaluated individually. 

When not mimicking normal API behavior, modern attackers disguise their activity. They know traffic is being inspected, so they use evasion techniques to bypass traditional security controls. 

Evasion Techniques 

One form of evasion is the use of an anonymizer to mask the attacker’s location. However, anonymizers are relatively easy to detect, so attackers take it a step further by impersonating a legitimate user with false user agent information. Imagine, as an example, that a Russian attacker spoofs a location to appear to come from the United States. Most security solutions will detect the malicious activity and block or flag the IP address. Attackers know this, so they use multiple IP addresses and vary elements of the request identifiers. Not only does this method help the attackers evade detection, but it also helps them determine defense thresholds. 

Attackers use many other evasion techniques as well. Further, when they combine evasion techniques with various attack types, they make it nearly impossible for a signature-based security solution to identify every combination. 


Like a magician, attackers are experts at the art of misdirection. They draw attention over here so that the target doesn’t notice what’s going on over there. Ransomware and distributed denial of service (DDoS) attacks are favorite forms of misdirection. While the security team is occupied with shutting down the attack and restoring service, attackers interleave the “real” attack against other assets. 

Unfortunately, this is no magic show. Security teams can’t afford to ignore what’s going on over here any more than they can afford to ignore what’s going on over there — that is, assuming they discover the other attack at all. These blended, mixed-mode attacks are difficult to get a handle on, which is why they so often succeed. Security teams are left playing a never-ending game of whack-a-mole while trying to proactively shore up their security. 

Militarized Attack Patterns 

Let’s imagine you’re responsible for security at a regional financial services institution. A national competitor succumbs to a damaging API attack. Your board of directors is relieved – if attackers are focused on the big guy, then they couldn’t possibly care about your small organization – or could they? 

Companies or organizations within the same industry are, in fact, at risk of getting caught by the same attacks. The reason is simple: organizations within the same vertical often use the same software and are therefore susceptible to the same vulnerabilities. Attackers may profile one organization and use the knowledge to attack others that deploy a similar tech stack. 

Low and Slow

Attackers play the long game. They understand where the tripwires are and how much pressure they can sustain before an alarm sounds. Attackers often spend months or more poking around the edges of an organization to see what the thresholds are. As a second phase, they’ll meter their attack to come in under that threshold and go after high-profile assets. 
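
The following is an added example, not part of the original article, showing why a per-IP rate rule misses a metered campaign spread across many addresses while an aggregate taken over a long window does not. The log fields, thresholds, endpoints, and addresses are constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed events: (epoch_seconds, source_ip, user_agent, endpoint, status)."""
    events = []
    # 40 sources, each sending only 3 denied requests spread over ~20 hours.
    for i in range(40):
        ip = f"198.51.100.{i + 1}"
        ua = f"Mozilla/5.0 (constructed-agent-{i % 7})"  # rotated user agents
        for k in range(3):
            events.append((i * 600 + k * 25000, ip, ua, "/api/v1/transfer", 403))
    # One legitimate client making a short burst of successful calls.
    for k in range(30):
        events.append((1000 + k * 2, "203.0.113.9", "constructed-user", "/api/v1/balance", 200))
    return sorted(events)

def per_ip_rate_alerts(events, window=60, limit=20):
    """Traditional rule: flag an IP exceeding `limit` requests in any `window` seconds."""
    by_ip = defaultdict(list)
    for ts, ip, _ua, _ep, _status in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged

def endpoint_behavior_alerts(events, window=86400, min_sources=25, min_denied=100):
    """Behavior over time: denied requests per endpoint, summed across all sources."""
    latest = max(ts for ts, *_ in events)
    denied, sources = defaultdict(int), defaultdict(set)
    for ts, ip, _ua, ep, status in events:
        if latest - ts <= window and status in (401, 403):
            denied[ep] += 1
            sources[ep].add(ip)
    return {ep: (denied[ep], len(sources[ep])) for ep in denied
            if denied[ep] >= min_denied and len(sources[ep]) >= min_sources}

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP rule flags:", per_ip_rate_alerts(sample))
    print("long-window rule flags:", endpoint_behavior_alerts(sample))
```

On this sample the per-IP rule flags only the busy legitimate client, while the long-window aggregate surfaces the endpoint receiving denied requests from 40 sources that each stayed under the per-IP limit.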

Malicious Bots 

Attackers make their work more effective, more efficient, and more dangerous by using botnets to automate their activities. With botnets, attackers can use multiple IP addresses (sometimes tens of thousands), making the attack that much harder to identify. And bots can mimic human behavior, so they look very much like normal usage of the API. Attackers use bots for everything from general scanning and reconnaissance to attacks like scraping proprietary pricing information from web storefronts. 

Attackers know that it’s difficult to mitigate bot traffic. Because some bots are not malicious, coarse-grained mitigation efforts can disrupt or degrade the experience for legitimate users. Furthermore, advanced bots that use headless browsers or impersonate legitimate users can easily bypass agent-based detection and fool legacy WAFs and web applications into thinking that the attacking bots are legitimate human users. 

Learn More

How do you defend against these drawn-out, multi-step attacks? The key is to track attacker behavior over time. Learn more in our new whitepaper.

About the Author

Bret Settle

Bret has served in multiple executive roles for Corporate Express/Staples and BMC Software and has extensive knowledge of the software development and security products industries. He has been responsible for enterprise security in multiple roles, has been an innovator throughout his career, and has a proven track record of building and developing high-performing organizations and dynamic cyber security teams.