
How To Approach API Security Amid Increasing Automated Attack Sophistication

In 2025, security teams must prioritize API monitoring, threat detection, and protection against both automated and traditional attacks to safeguard sensitive data.

Industry Perspectives

February 10, 2025


By Rob Dickinson, Vice President of Engineering, Graylog

The API security landscape evolved in 2024, marked by significant acquisitions and mergers among providers and continued sector funding aimed at solving the API security problem. At the same time, the damage caused by API vulnerabilities became more apparent, with high-profile cases like Dell's customer database theft and Trello's data scraping coming into public view. According to an API Security Impact Study from Akamai, 84% of respondents experienced an API security incident over the past 12 months, an all-time high (up from 78% in 2023). API attacks will continue in 2025, and security will remain a challenge.

Inherent API Challenges

APIs are fundamentally dark and challenging to monitor, making it hard for organizations to detect exposures and exploits. Visibility into APIs is low; security teams can't browse an API the way they can browse a website in a Web browser to confirm that the system is doing the right thing. Organizations often can't tell how many APIs they have, when new ones are being added, or when existing APIs are being changed. While APIs are critical to many companies' bottom lines, their obscurity makes it difficult for organizations to manage them effectively.

We all know API security is invaluable: it enables the identification of potential threats related to API access, suspicious activity, and abnormal behavior, and it allows organizations to detect and respond to API security incidents. Yet the challenges are tremendous, and they include API sprawl. The development of APIs by different teams has led to poorly documented and unmanaged shadow APIs. These are a growing blind spot for organizations and a source of potential breaches. Attackers' methods and techniques have also grown in sophistication, and AI and automation are helping them make significant gains.


The Evolution of API Attacks and the Role of AI and Automation

API attacks driven by AI and automation are here to stay. The API Security Perspectives 2025 report from API cloud technology firm Kong found that 25% of respondents have encountered AI-enhanced security threats related to APIs or LLMs, with 75% expressing grave concern about AI-enhanced attacks in the future.

We've now gone from 'dumb' attacks—for example, web-based attacks focused on extracting data from third parties and on a specific or single vulnerability—to 'smart' AI-driven attacks that often involve picking an actual target, resulting in a more focused attack. Going after a particular organization, perhaps a large organization or even a nation-state, instead of looking for vulnerable people is a significant shift. The sophistication is increasing as attackers manipulate request payloads to trick the backend system into taking an action. Stopping AI-driven API attacks is like finding a needle in a haystack, given the number of people using a given API simultaneously. Like any API attack, it is not loud; it is often subtle. For example, the response codes can all look okay and everything appears to be working fine while you slowly leak your customer database. The challenge for organizations is that they have to protect against the new sophisticated, automated attacks and against the unsophisticated attacks, which are not going away.


What To Know About API Data Exfiltration Targeting Personally Identifiable Information

Another element of API security is being aware of sensitive data. Personally Identifiable Information (PII) is moving through APIs constantly and is vulnerable to theft or data exfiltration. Organizations do not often pay attention to vulnerabilities themselves; they do pay attention when the result is damage to the organization through leaked PII, stolen finances, or harm to brand reputation. Data exfiltration will be a critical API security use case in 2025. The Q3 2024 API ThreatStats™ Report from Wallarm noted that the trend in AI API vulnerabilities continues, with AI inextricably tied to APIs and creating risk in this exploding technology.


Unfortunately, internal teams can't get the complete picture just by monitoring the network. Security tasks don't always have clear owners, and at the organizational level it will remain a challenge to determine who is responsible for API security. Security teams know the network systems and the infrastructure well but don't understand application behavior. The DevOps team tends to own the applications but doesn't see anything in production. This split in ownership, found in most organizations, leaves APIs ripe for exploitation. Many data exfiltration cases fall into this no man's land, since most incidents are executed by an authenticated user.

In 2024, we saw API data breaches driven by data exfiltration, where the goal was to steal PII. In the 2024 Dell data breach, the user was authenticated. According to reports, the threat actor scraped information for exfiltration purposes and stole 49 million customer records using a partner portal API, which they accessed by registering as a fake company. They were able to access and steal the data after discovering a portal for partners, resellers, and retailers that could be used to look up order information.

In another reported API data exfiltration case, a cyber attacker targeted Trello, a project management and collaboration platform. The administrator of a Trello 'board' (a workspace) designed for collaboration invites other people via email to participate on these public boards, and a REST API enables that invite feature. The cyber attacker abused this API in a business logic attack: if someone queried the API with an email address, it would return the public profile of any board member associated with that email. The attacker scraped publicly available data on 15 million Trello profiles.

Deterring Sophisticated API Data Exfiltration Attacks

According to VentureBeat, Forrester's 2025 budget planning guide for security and risk prioritizes API security as one of the three core areas of business operations and advises CISOs to invest in these areas. As we move further into the era of cyberattacks driven by AI and automation, security teams must continue to have an overarching security strategy that emphasizes monitoring firewalls, gateways, and individual requests while at the same time working towards the detection of API data exfiltration. This includes monitoring the number of PII tokens returned and usage numbers across time periods. A user with PII tokens in the millions should be a red flag. As cyber attackers continue to target vulnerable APIs for financial gain, IT and security teams must be mindful of what makes APIs unique and how they work to ensure continuous threat monitoring, detection, and response.
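The detection heuristic described above, as an added example that is not part of the article or of Graylog's product: it aggregates a constructed JSON-lines API access log per user and per time window, then flags accounts whose returned PII tokens exceed a hard ceiling or dwarf their peers' median, and accounts that look up far more distinct records than their peers. The log format, the field names (`user`, `key`, `status`, `pii_tokens`), the sample users and the thresholds are all assumptions; the pattern it models is the one the Dell and Trello cases and the earlier "response code is okay" remark describe, an authenticated client quietly scraping with every response a 200.

```python
"""Flag API data-exfiltration patterns in access logs (illustrative)."""
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _line(ts, user, endpoint, key, status, pii_tokens):
    """One JSON-lines access-log record (assumed log schema)."""
    return json.dumps({"ts": ts.isoformat(), "user": user, "endpoint": endpoint,
                       "key": key, "status": status, "pii_tokens": pii_tokens})


def build_sample_log():
    """Constructed sample, not real data: three ordinary users plus one
    authenticated partner account that enumerates order records one by one,
    receiving a 200 for every request."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i, user in enumerate(["alice", "bob", "carol"]):
        for j in range(5):
            lines.append(_line(t0 + timedelta(minutes=10 * j + i), user,
                               "/orders/lookup", f"ORD-{100 + i * 10 + j}", 200, 6))
    for j in range(400):
        lines.append(_line(t0 + timedelta(seconds=3 * j), "partner-acme",
                           "/orders/lookup", f"ORD-{5000 + j}", 200, 6))
    return "\n".join(lines)


def parse_log(text):
    """Parse JSON lines into event dicts with a timezone-aware timestamp."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def aggregate(events, window=timedelta(days=1)):
    """Per (user, window start): request count, PII tokens returned, distinct
    record keys looked up, and how many responses were 2xx."""
    stats = {}
    for e in events:
        epoch = e["ts"].timestamp()
        start = datetime.fromtimestamp(epoch - epoch % window.total_seconds(), tz=timezone.utc)
        s = stats.setdefault((e["user"], start),
                             {"requests": 0, "pii_tokens": 0, "keys": set(), "ok": 0})
        s["requests"] += 1
        s["pii_tokens"] += e["pii_tokens"]
        s["keys"].add(e["key"])
        if 200 <= e["status"] < 300:
            s["ok"] += 1
    return stats


def flag_exfiltration(stats, absolute_threshold=1_000_000, peer_multiplier=20.0):
    """Return {user: finding}. Two heuristics (thresholds are assumptions):
    1. absolute: PII tokens in one window at or above a hard ceiling (the
       'millions' red flag; lower it to fit the deployment's normal volume);
    2. relative: PII tokens or distinct keys more than peer_multiplier times
       the median of the other users active in the same window.
    The 2xx ratio is reported so the analyst can see the scrape was 'quiet'."""
    findings = {}
    by_window = defaultdict(dict)
    for (user, start), s in stats.items():
        by_window[start][user] = s
    for start, users in by_window.items():
        for user, s in users.items():
            reasons = []
            if s["pii_tokens"] >= absolute_threshold:
                reasons.append(f"{s['pii_tokens']} PII tokens in window")
            peers = [p for u, p in users.items() if u != user]
            if peers:
                med_tokens = statistics.median(p["pii_tokens"] for p in peers)
                med_keys = statistics.median(len(p["keys"]) for p in peers)
                if med_tokens and s["pii_tokens"] > peer_multiplier * med_tokens:
                    reasons.append(f"PII tokens {s['pii_tokens']} vs peer median {med_tokens:g}")
                if med_keys and len(s["keys"]) > peer_multiplier * med_keys:
                    reasons.append(f"{len(s['keys'])} distinct records vs peer median {med_keys:g}")
            if reasons:
                findings[user] = {"window": start.isoformat(),
                                  "ok_ratio": s["ok"] / s["requests"],
                                  "reasons": reasons}
    return findings


if __name__ == "__main__":
    stats = aggregate(parse_log(build_sample_log()))
    for user, f in flag_exfiltration(stats, absolute_threshold=1_000).items():
        print(user, f)
```

The relative heuristic matters more than the absolute one in practice: a partner account that returns 2,400 PII fields in a day is invisible against a ceiling set at a million, but it is 80 times what any ordinary user in the same window returned, and every one of its requests succeeded. In a real pipeline the `pii_tokens` count would come from a response classifier at the gateway or from the API security layer rather than from the application's own log.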

About the Author

Rob Dickinson is VP of Engineering at Graylog, where he is responsible for Graylog API Security. Previously, he was Founder and CTO at Resurface Labs until 2023, when Graylog acquired the company's API security platform. Rob has also served as Software Architect at Intel Corporation, Senior Software Engineering Manager at Dell, and Software Architect at Quest Software. Rob brings a unique perspective on big data and API security and deep empathy for the challenges that API providers face.
