A new report out today from application programming interface security startup Cequence Security Inc. finds massive increases in threats and the targeting of “shadow” APIs in the last half of 2022.

Based on the analysis of about 1 trillion transactions spanning various industries over the second half of 2022, the report focuses on the tactics, techniques and procedures employed by threat actors targeting consumer-facing, business-to-business and machine-to-machine APIs.

The headline findings include shadow APIs spiking 900%, highlighting a lack of API visibility. Shadow APIs live outside the typical information technology management and security processes. They’re often undocumented, creating security and governance risks.

In the second half of 2022, Cequence measured about 45 billion search attempts for shadow APIs, up from a far more modest 5 billion attempts made in the first half of 2022. Some 68% of organizations analyzed were also found to have exposed shadow APIs.

There was also a considerable uptick in unique threats in the lead-up to the holiday season. Consequence saw a 550% increase in unique threats, rising from about 2,000 in June to 11,000 by mid-November 2022.

Attackers were found increasingly to combine API and web application security tactics. From June 2022 to October 2022, attackers favored traditional application security tactics, but as the holidays approached, there was a 220% surge in API security tactics such as anomalous traffic.

One standout sector being targeted was the telecom industry. The researchers noted that most retool attempts in the telecom industry were entirely new tactics, techniques and procedures, showing that threat tactics are diverse, sophisticated and persistent.

The report is said to demonstrate that the API threat landscape is constantly evolving and organizations need to be vigilant in protecting their APIs and web applications from automated threats, or bots, and vulnerability exploits. Attackers are becoming more sophisticated and API-specific in their tactics, and traditional protection techniques continue to provide an ineffective defense.

“Our research is vital in providing organizations with the necessary tools and knowledge to mitigate attacks in real-time,” Cequence Chief Executive Ameya Talwalker said before the report’s release. “By staying ahead of the curve and understanding the latest attack methods and tools, organizations can achieve complete API visibility and build the awareness and confidence needed to protect their APIs from even the most sophisticated attacks.”

Image: Cequence Security