The Importance of Advanced Obfuscation for Long-Term Efficacy – Part 1

It is often quoted that “Security through obscurity is bad practice.” We see this differently. In the highly adversarial game of bot detection and mitigation, obfuscation plays a key role in delivering the defender’s ultimate quest: long-term efficacy. Our overarching goal is to make our customers’ applications and APIs difficult and expensive to attack. Obfuscation is a vital component of this strategy.

Long-term efficacy is most often eroded by attackers’ retooling – adapting their bot’s presentation and rendering the bot mitigation defence useless. The likelihood and time required for an attacker to retool is directly proportional to how easy it is to reverse engineer your defences. TL;DR: Try not to be cheap and easy to attack.

The Defenders Strategy

The path towards achieving long-term efficacy is long and challenging, with lots of obstacles and traps for those looking to defend against persistent bot attacks. A successful strategy relies on layers of overlapping defences – often referred to as “defence in depth” where your overall defence is dependent on not just one technique or defensive measure, but many interlocking defences that reinforce each other.

Obfuscating defensive detection scripts is crucial to the overall bot detection strategy. These scripts, which contain highly sensitive detection methods, are delivered and executed inside the attacker’s environment. Bot operators are constantly reverse engineering these scripts to uncover the new tricks used by their adversaries.

The fact that bad actors typically collaborate in communities of like-minded groups only exacerbates the problem. As a defender, once your bot detection model is published on the internet, your ability to deliver short, medium, or long-term efficacy is compromised. In turn, this reduces the ROI on your solutions’ R&D efforts, customer success outcomes, and ultimately long-term value.

Thinking about Code Obfuscation

Looking outside the bot and fraud mitigation landscape, there are two neighbouring use cases for code obfuscation that are highly relevant:

  1. Source code protection
  2. Malware obfuscation

In both cases, the creators of the code are motivated by:

  1. Protecting their intellectual property
  2. Achieving long-term efficacy
  3. Preventing reverse engineering and tampering of the code

The bottom line? You can improve long-term efficacy by increasing the sophistication of your code obfuscation.

Bot Detection Obfuscate JavaScript

An Exercise in Reverse Engineering

As with malware obfuscation, various layers of sophistication can apply to obfuscating bot detection code. An easy option is to use an obfuscator tool, which presents a very small obstacle to a moderately skilled bot operator. 

Take an example, where a bot operator provides a step-by-step guide that you can follow, needing nothing more than copy/paste funtionality, a web browser, and a mouse.

Finding a repo that provides such info (like the image below) is a fairly easy task, as they are readily available on the web for all to see. 

Obfuscation Repository

  1. Copy the JavaScript code for your bot detector of choice
  2. Go to a tool like this to deobfuscate the JavaScript
  3. Select the array radio button, paste the code, and click Auto Decode

Congratulations, you just reversed your first defensive script!

The depth of your defences needs to be greater than your attackers’. This depth is dependent on the motivation of the attacker. In the bot and fraud mitigation industry, we assume that the attacker’s motivation is high, so it is not sufficient to have just any old obfuscation in place. It must be resilient to reversal by anyone other than the author of the obfuscation.

The Kasada Difference

Kasada has developed an elegant solution to these complex problems. We created an obfuscation system that cannot be reverse engineered using open source or off-the-shelf JavaScript deobfuscation tools.

It takes attackers (or any engineer skilled in JavaScript) about 20 minutes to reverse engineer typical JavaScript obfuscation. Not Kasada’s. Our obfuscation is applied to our scripts each time they load, generating unique polymorphic code each time. We’ve found that it has been incredibly resilient against sophisticated attackers.

So our position is that “security through obscurity” is necessary, but it is not sufficient on its own. In other words, security through obscurity must be part of your defences, not your only defence against adversaries. Consider this when evaluating a bot mitigation solution’s ability to withstand the inevitable attempts to reverse engineer its defences.

Watch our on-demand webinar with SANS to learn more about how to beat cybercriminals who are using automation frameworks and deobfuscation techniques to fly under the radar of bot detection systems.