When it comes to cyberattacks, adversaries are focusing not just on advanced malware development, but also on increasing the sophistication of their evasion techniques. This is playing out lately in the form of ballooning instances of “cipher stunting” – a TLS tampering technique that helps malicious bot activity masquerade as live human traffic on the web.
The idea is to avoid the web client fingerprinting technologies that help security tools and human analysts to differentiate between legitimate clients and impersonators/bots. The latter are often used in credential-stuffing attacks on login pages, for committing ad fraud, automated vulnerability scanning, credential-scraping and more.
Website traffic is usually carried over HTTPS (HTTP over SSL/TLS), the most common encrypted network protocol on the web. Fingerprinting generally maps the SSL/TLS handshake and the information the client provides during it, which is presented in the form of a “ClientHello” message. This contains the protocol version, the list of cipher suites the client supports and other data. By building a real-time snapshot of the user-agent (client) that’s connecting to a website, defense mechanisms are able to evaluate that user-agent in order to spot suspicious bot activity.
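To make the fingerprinting step concrete, here is an added example (not code from the article or from the researchers it reports on) that builds a minimal TLS ClientHello record, parses the fields the article names (protocol version, cipher suite list, extensions) back out of the raw bytes, and derives an order-sensitive fingerprint from them. The fingerprint scheme is a simplified one in the spirit of JA3; the article does not say which method the fingerprinting products use, so that choice, the sample cipher suite and extension ids, and the GREASE filtering are assumptions. Because the fingerprint covers the order of the cipher list, a client that merely reorders its suites between connections, as the article says cipher stunting does, no longer matches the stable fingerprint a real browser produces.

```python
import hashlib
import struct

# Constructed sample ClientHello builder (not from the page): enough structure to
# exercise the parser below. The client random is all zeros on purpose.
def build_client_hello(version, ciphers, extensions, session_id=b""):
    """Return a TLS record (type 0x16) wrapping a ClientHello handshake message."""
    body = struct.pack(">H", version) + bytes(32)          # client_version, random
    body += bytes([len(session_id)]) + session_id           # session_id
    suites = b"".join(struct.pack(">H", c) for c in ciphers)
    body += struct.pack(">H", len(suites)) + suites         # cipher_suites
    body += bytes([1, 0])                                   # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext               # extensions
    handshake = bytes([0x01]) + len(body).to_bytes(3, "big") + body  # type=ClientHello
    return bytes([0x16]) + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Extract client version, ordered cipher suites and extension types from a record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 0
    version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                                  # skip client random
    pos += 1 + body[pos]                           # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    extensions = []
    if pos < len(body):
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            extensions.append(etype)
            pos += 4 + elen
    return {"version": version, "ciphers": ciphers, "extensions": extensions}


# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are random by design in real browsers,
# so a fingerprint must ignore them or every browser connection would look different.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def fingerprint(hello):
    """Order-sensitive fingerprint: 'version,cipher-ids,extension-ids' and its MD5 digest."""
    ciphers = "-".join(str(c) for c in hello["ciphers"] if c not in GREASE)
    exts = "-".join(str(e) for e in hello["extensions"] if e not in GREASE)
    summary = f"{hello['version']},{ciphers},{exts}"
    return hashlib.md5(summary.encode()).hexdigest(), summary


def is_known_client(record, known_fingerprints):
    """Defender-side check: does this ClientHello match a fingerprint seen from real browsers?"""
    digest, _ = fingerprint(parse_client_hello(record))
    return digest in known_fingerprints


if __name__ == "__main__":
    # Constructed cipher ids: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
    # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; extension 10 = supported_groups, 0x2a2a = GREASE.
    browser = build_client_hello(0x0303, [0x1301, 0x1302, 0xc02b],
                                 [(10, b"\x00\x02\x00\x1d"), (0x2a2a, b"")])
    known = {fingerprint(parse_client_hello(browser))[0]}
    # Same suites, different order: the order-sensitive fingerprint no longer matches.
    reordered = build_client_hello(0x0303, [0x1302, 0x1301, 0xc02b],
                                   [(10, b"\x00\x02\x00\x1d"), (0x2a2a, b"")])
    print("browser known:", is_known_client(browser, known))
    print("reordered known:", is_known_client(reordered, known))
```

The check is deliberately strict about ordering: browsers emit their suites in a fixed order per version, so a fingerprint that changes from one connection to the next from the same user-agent string is itself the signal the article describes.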