Investigative Report
Investigative Report: The Impact of Code Obfuscation and Web Delivery Encoding on Next Generation Firewall Scanning Accuracy

Investigative Report: The Impact of Code Obfuscation and Web Delivery Encoding on Next Generation Firewall Scanning Accuracy

AUTHOR: JASON PAPPALEXIS

In a continuous effort to evade detection, cybercriminals are embracing fileless or near-fileless attacks involving script-based and memory-based attack techniques. Cybercriminal script authors leverage browser-side scripts to execute malicious actions, including download of binaries, download of Windows PowerShell scripts, and redirection of traffic. By bypassing file IO, these attacks become nearly invisible to many client-based security products.

This report includes results from an NSS Labs investigation on the average performance of 10 next generation firewalls (NGFWs) in detecting a malicious script sample that was obfuscated using fifteen different tools and four web traffic encoding mechanisms. False positive rates for benign scripts that were obfuscated using the same tools are also examined.

The results from this investigation highlight areas that NGFW product management teams should focus on to improve the security effectiveness of their products and reduce operational costs for their enterprise customers.

As with all NSS Labs group tests, there was no fee for participation. All testing was conducted independently and was not paid for by any vendor.