Kasada, provider of an online traffic integrity solution that accurately detects and defends against bot attacks, recently announced the introduction of Kasada API, which protects an organization's web and mobile application programming interfaces (APIs) from automated botnet attacks and targeted fraud. If left unprotected, an organization's most sensitive API endpoints (i.e. authentication, account creation, and handling of sensitive data) can be quickly exploited by attackers, giving them a direct path into the organization.
We sat down with Kasada founder Sam Crowther to discuss the rising threat of botnets, how hackers are using them to target APIs, and what Kasada is doing to protect enterprises.
Tell us about Kasada and the company's mission.
Kasada provides the only online traffic integrity solution that accurately detects and defends against bot attacks across web, mobile, and API channels. Our solution invisibly stops automated threats such as credential abuse and web scraping, while inflicting financial damage back on attackers that destroys any return on their investment. Our mission is to bring internet control and safety back to human beings. For our customers, this means helping them mitigate the risks inherent in conducting business online - stopping even the stealthiest cyberthreats in a simple and cost-effective way. We want to help businesses move away from the traditional model of an expensive security solution that's difficult to integrate and support, to something that just works from the start - and all the time.
Botnet attacks have been on the rise in recent years. What makes them so dangerous and viable?
What makes botnet attacks so dangerous is also what makes them so viable. With bots, you can conduct an attack at a phenomenal scale with very little effort or expense. The information needed to conduct a bot attack, such as residential proxy networks, for example, is very commoditized and simply not that expensive. This enables attackers to leverage scale in their attacks, increasing their success rate. In addition, bots are very accessible - frameworks exist to leverage them in almost every programming language, and they don't require a lot of programming skill to use. Companies cannot use traditional protection mechanisms successfully against bots, either. If attackers are using residential networks to attack you, you can't just shut down incoming traffic because they're using legitimate customer IP addresses. Shutting that source down would shut down your customers too. The combination of low cost, low skill, ease of scale and difficulty of defense makes bots a favorite choice for attackers.
What makes web and mobile APIs commonly targeted by hackers?
APIs are built to be interpreted by machines, meaning they expect to be interacted with through code. This makes them very friendly to scripted attacks. The code used by attackers to interact with an API is, by nature, very easy to program and use. In contrast, websites are traditionally more difficult to attack because they're not designed to be interacted with through code - they're designed to be interacted with through a browser. Millions of dollars have been spent over the years to protect a business' website, but the newness and accessibility of APIs prevent them from having that same level of security. Because of this, APIs represent a golden opportunity for attackers to circumvent all of the investments previously made and find a way into the network. The other issue that makes them a favorite target of attackers today is that security teams often lack visibility into how many APIs are in use by their company. With the democratization of technology and the low-code movement, APIs are used throughout a company by technical and non-technical users alike. Their accessibility is both their strength and their weakness.
How does Kasada, technically speaking, protect against API attacks and fraud?
Kasada protects mobile APIs by making sure that the client interacting with a business' API is actually the authorized, intended client. For web APIs, our solution challenges the browser interacting with the API to prove it's a legitimate browser and one that's authorized to take this action or make the directed interaction. By forcing the browser to prove that it's legitimate, Kasada immediately stops any off-the-shelf attack tools from being used successfully and forces the attackers to build their own custom attack against the specific API in question. This increases the resources, time and computational cost to an attacker - and once they try again, Kasada then detects the unique attack and goes back to the attacker with an escalating cryptographic challenge. In short, we force attackers to do more work and then make it impossible to succeed and too expensive to keep trying.
Where can security pros go to get more information about API security risks and Kasada?
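To make the "escalating cryptographic challenge" idea concrete, here is an added illustration (not Kasada's code, and not a description of their actual scheme) of a hashcash-style proof-of-work gate: each repeated challenge request from the same client id raises the number of leading zero bits the client must find, so the cost per API call grows for a scripted caller while staying small for a first-time client. The class and parameter names (`ChallengeServer`, `BASE_BITS`, `STEP_BITS`, `MAX_BITS`) are assumptions for this example.

```python
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass, field

# Assumed tuning values for this illustration: a first-time client gets
# BASE_BITS; each further challenge issued to the same client id adds
# STEP_BITS, capped at MAX_BITS so the cost stays finite.
BASE_BITS = 8
STEP_BITS = 4
MAX_BITS = 24


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the proof-of-work measure)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _work_hash(nonce: bytes, counter: int) -> bytes:
    return hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()


@dataclass
class ChallengeServer:
    """Server side: issues single-use challenges whose difficulty escalates per client."""
    attempts: dict[str, int] = field(default_factory=dict)   # client id -> challenges issued
    issued: dict[bytes, int] = field(default_factory=dict)   # nonce -> required bits

    def difficulty_for(self, client_id: str) -> int:
        return min(BASE_BITS + STEP_BITS * self.attempts.get(client_id, 0), MAX_BITS)

    def issue(self, client_id: str) -> tuple[bytes, int]:
        """Hand out a fresh random nonce and the bits the client must achieve."""
        bits = self.difficulty_for(client_id)
        self.attempts[client_id] = self.attempts.get(client_id, 0) + 1
        nonce = secrets.token_bytes(16)
        self.issued[nonce] = bits
        return nonce, bits

    def verify(self, nonce: bytes, counter: int) -> bool:
        """Accept a solution once; unknown or already-spent nonces are rejected."""
        bits = self.issued.pop(nonce, None)
        if bits is None:
            return False
        return leading_zero_bits(_work_hash(nonce, counter)) >= bits


def solve(nonce: bytes, bits: int) -> int:
    """Client side: brute-force a counter meeting the difficulty (cost ~ 2**bits hashes)."""
    counter = 0
    while leading_zero_bits(_work_hash(nonce, counter)) < bits:
        counter += 1
    return counter
```

A real deployment would decay the per-client attempt count over time and bind the challenge to the specific request, so a solution cannot be reused across endpoints.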