It is becoming more common for malware to be hidden in encrypted traffic which makes it difficult for detection. Sophos mentioned that roughly 46% of malware has been detected to communicate with a remote system over the Internet via TLS.
Cybercriminals are using this to their advantage to avoid detection and proceed with their malicious activities. The security of the network becomes a challenge for security administrators because they won’t know if a malware has already entered the network.
Intrusion detection systems (IDS) are typically used to monitor the network for any suspicious activity but are unable to analyze encrypted traffic.
JA3 and JA3S are TLS fingerprinting methods that could be useful in security monitoring to detect and prevent malicious activity. They have become a popular Indicator of Compromise (IoC) in many tools today such as Suricata and Splunk.
TLS fingerprinting is a technique that extracts fields from the TLS ClientHello message to generate a fingerprint to recognize a particular client.
With JA3 and JA3S, the most important part of the TLS handshake is the ClientHello and ServerHello message. The ClientHello is the first message that is sent to the server to initialize communication with the server.
The ServerHello message is the server’s response to the client’s message. JA3 and JA3S fingerprints (MD5 hash values) are generated based on specific attributes within the ClientHello and ServerHello messages. JA3 fingerprints work because
TLS negotiations are transmitted in clear text which is why we are able to obtain the attributes needed for fingerprint generation.
JA3 was developed by three Salesforce members (John Althouse, Jeff Atkinson, and Josh Atkins) and is a technique used to generate SSL fingerprints based on the ClientHello packet to identify the client that established an encrypted connection. The JA3 fingerprint clarifies from the start if a client application is malicious or not.
The attributes that are essential from the ClientHello message to generate a JA3 fingerprint are the SSL version, ciphers, extensions, elliptic curves, and elliptic curve point formats. The ciphers, extensions, and elliptical curves help identify the client. Once each value has been extracted, they are concatenated using a comma to delimit each field. The long string is converted from decimal values to an MD5 hash to create an easy 32 character fingerprint which is the JA3 fingerprint.
The field order is as follows:
SSLVersion, Ciphers, Extensions, EllipticCurves, EllipticCurvePointFormats
Every application uses different packages and programmatic methods to generate the ClientHello message which explains why the ClientHello message will be the same for a given application.
There is a possibility two client applications have the same JA3 fingerprint and would not be useful for detection and identifying whether the communication is legitimate or malicious. This is the reason why it is better to use JA3 and JA3S together.
JA3S is for the server side of the SSL/TLS communication and the fingerprint is generated by using attributes from the ServerHello packet. The JA3S fingerprint generation requires fewer attributes than the JA3 fingerprint. It only needs the SSL version, cipher, and SSLExtension.
The field order is as follows:
SSLVersion, Cipher, SSLExtension
John Althouse mentioned in a Twitter conversation that JA3S cannot be used alone, it must be combined with JA3 to be more effective for detection or blacklisting.
It would also reduce the number of false positives when used as a pair. Also, if we only utilize the JA3 fingerprint, we would most likely see a steady amount of traffic with the majority of it being legitimate.
JA3 fingerprints can be useful in detecting malicious circumvention techniques.
Domain fronting disguises the actual destination of the client’s communication and reroutes it to a malicious site. From the firewall’s perspective, the HTTPS request appears to be going to a legitimate website when it is actually visiting a malicious site that should be blocked. JA3 and JA3S fingerprints can be used to determine the type of application (browser, email programs, software, etc.) before an SSL connection has been established.
Attackers use data exfiltration to perform unpermitted transfer of sensitive information from an organization to their server or system. Although the information is encrypted, it is still possible to determine if the client is communicating with a command and control server. JA3 fingerprints can be used to identify what kind of application it is (i.e. browser, malware, etc.) and this could be an advantage in the early detection of possible attackers.
Intrusion Detection Systems (IDS)
When an IDS is implemented in an organization, it can be beneficial to monitor and detect any suspicious activity that may occur. It is important to have IDSes within a network to prevent possible downtime.
Suricata is an open source threat detection engine that is capable of real time intrusion prevention, intrusion detection, network security monitoring and offline pcap processing. Suricata supports JA3 and can be enabled in the Suricata configuration. According to Suricata, if the rules are alerting too frequently then they can be disabled in Suricata-Update.
There are two main types of machine learning training methods: supervised and unsupervised. Supervised learning is when we have prior knowledge of what the expected output should be. Unsupervised learning is when the algorithm does not have prior knowledge of the expected output and should learn how to determine patterns based on the data provided.
A decision tree, which is a supervised algorithm, will use the values of the field that are needed to create a JA3 and JA3S fingerprint to see if machine learning can be used to create a detection system.
JA3 and JA3S are two methodologies that could be additional features that may be used in security monitoring. They could be helpful to determine whether the client is benign or not regardless of the communication. JA3 fingerprints itself may not be as useful and may generate a lot of false positives in alerts if used in tools such as Suricata. If there was more research in JA3-JA3S pairs, then I believe that these fingerprints could be useful in security monitoring in a real-world network. This method may be able to help with monitoring encrypted communications.
Want to keep up to date with all the latest cybersecurity news and guides? Subscribe to our newsletter in the footer below.