It is becoming more common for malware to be hidden in encrypted traffic which makes it difficult for detection. Sophos mentioned that roughly has been detected to communicate with a remote system over the Internet via TLS. 46% of malware Cybercriminals are using this to their advantage to avoid detection and proceed with their malicious activities. The security of the network becomes a challenge for security administrators because they won’t know if a malware has already entered the network. Intrusion detection systems (IDS) are typically used to monitor the network for any suspicious activity but are unable to analyze encrypted traffic. JA3 and JA3S are TLS fingerprinting methods that could be useful in security monitoring to detect and prevent malicious activity. They have become a popular Indicator of Compromise (IoC) in many tools today such as Suricata and Splunk. What is TLS Fingerprinting? TLS fingerprinting is a technique that extracts fields from the TLS ClientHello message to generate a fingerprint to recognize a particular client. TLS Handshake With JA3 and JA3S, the most important part of the TLS handshake is the ClientHello and ServerHello message. The ClientHello is the first message that is sent to the server to initialize communication with the server. The ServerHello message is the server’s response to the client’s message. JA3 and JA3S fingerprints (MD5 hash values) are generated based on specific attributes within the ClientHello and ServerHello messages. JA3 fingerprints work because TLS negotiations are transmitted in clear text which is why we are able to obtain the attributes needed for fingerprint generation. JA3 Fingerprint JA3 was developed by three Salesforce members (John Althouse, Jeff Atkinson, and Josh Atkins) and is a technique used to generate SSL fingerprints based on the ClientHello packet to identify the client that established an encrypted connection. The JA3 fingerprint clarifies from the start if a client application is malicious or not. JA3 Fingerprint Generation The attributes that are essential from the ClientHello message to generate a JA3 fingerprint are the SSL version, ciphers, extensions, elliptic curves, and elliptic curve point formats. The ciphers, extensions, and elliptical curves help identify the client. Once each value has been extracted, they are concatenated using a comma to delimit each field. The long string is converted from decimal values to an MD5 hash to create an easy 32 character fingerprint which is the JA3 fingerprint. The field order is as follows: SSLVersion, Ciphers, Extensions, EllipticCurves, EllipticCurvePointFormats Every application uses different packages and programmatic methods to generate the ClientHello message which explains why the ClientHello message will be the same for a given application. JA3 Limitation There is a possibility two client applications have the same JA3 fingerprint and would not be useful for detection and identifying whether the communication is legitimate or malicious. This is the reason why it is better to use JA3 and JA3S together. JA3S JA3S is for the server side of the SSL/TLS communication and the fingerprint is generated by using attributes from the ServerHello packet. The JA3S fingerprint generation requires fewer attributes than the JA3 fingerprint. It only needs the SSL version, cipher, and SSLExtension. The field order is as follows: SSLVersion, Cipher, SSLExtension JA3 + JA3S Pair John Althouse mentioned in a Twitter conversation that JA3S cannot be used alone, it must be combined with JA3 to be more effective for detection or blacklisting. It would also reduce the number of false positives when used as a pair. Also, if we only utilize the JA3 fingerprint, we would most likely see a steady amount of traffic with the majority of it being legitimate. How can JA3 and JA3S be used in Security Monitoring? JA3 fingerprints can be useful in detecting malicious circumvention techniques. Domain Fronting Domain fronting disguises the actual destination of the client’s communication and reroutes it to a malicious site. From the firewall’s perspective, the HTTPS request appears to be going to a legitimate website when it is actually visiting a malicious site that should be blocked. JA3 and JA3S fingerprints can be used to determine the type of application (browser, email programs, software, etc.) before an SSL connection has been established. Data Exfiltration Attackers use data exfiltration to perform unpermitted transfer of sensitive information from an organization to their server or system. Although the information is encrypted, it is still possible to determine if the client is communicating with a command and control server. JA3 fingerprints can be used to identify what kind of application it is (i.e. browser, malware, etc.) and this could be an advantage in the early detection of possible attackers. Intrusion Detection Systems (IDS) When an IDS is implemented in an organization, it can be beneficial to monitor and detect any suspicious activity that may occur. It is important to have IDSes within a network to prevent possible downtime. Suricata Suricata is an open source threat detection engine that is capable of real time intrusion prevention, intrusion detection, network security monitoring and offline pcap processing. Suricata supports JA3 and can be enabled in the Suricata configuration. According to , if the rules are alerting too frequently then they can be disabled in Suricata-Update. Suricata Machine Learning There are two main types of machine learning training methods: supervised and unsupervised. Supervised learning is when we have prior knowledge of what the expected output should be. Unsupervised learning is when the algorithm does not have prior knowledge of the expected output and should learn how to determine patterns based on the data provided. A decision tree, which is a supervised algorithm, will use the values of the field that are needed to create a JA3 and JA3S fingerprint to see if machine learning can be used to create a detection system. JA3 and JA3S are two methodologies that could be additional features that may be used in security monitoring. They could be helpful to determine whether the client is benign or not regardless of the communication. JA3 fingerprints itself may not be as useful and may generate a lot of false positives in alerts if used in tools such as Suricata. If there was more research in JA3-JA3S pairs, then I believe that these fingerprints could be useful in security monitoring in a real-world network. This method may be able to help with monitoring encrypted communications. Want to keep up to date with all the latest cybersecurity news and guides? in the footer below. Subscribe to our newsletter

Salesforce

Twitter

Interested in security? Follow along for content within Cybersecurity

2021 - Top Security Expert

2022 - HackerNoon Contributor of the Year - Cyber Security Awareness

2022 - HackerNoon Contributor of the Year - Facebook

2022 - HackerNoon Contributor of the Year - Instagram

2022 - HackerNoon Contributor of the Year - Security

2022 - HackerNoon Contributor of the Year - Social Media

Nominated for 2022 - HackerNoon Contributor of the Year - Instagram

Nominated for 2022 - HackerNoon Contributor of the Year - Social Media

Nominated for 2022 - HackerNoon Contributor of the Year - Security

Nominated for 2022 - HackerNoon Contributor of the Year - Cyber Security Awareness

Nominated for 2022 - HackerNoon Contributor of the Year - Facebook

Too Long; Didn't Read

Get free API security automated scan in minutes

JA3 and JA3S in Security Monitoring of SSL Communication

JA3 and JA3S in Security Monitoring of SSL Communication

Too Long; Didn't Read

Companies Mentioned

@jtruong

RELATED STORIES