These indicators may include IP addresses, hostnames, URLs, file hashes, geolocations (ASNs, countries), e-mail accounts, user agents, and many others. Among the commonly used indicators, one deserves special attention: the JA3 TLS fingerprint. JA3 is a method for fingerprinting TLS clients based on the parameters a client offers during TLS session negotiation. Based on these fingerprints, specific applications as well as malware can be detected.
This method is especially useful because most traffic in organizations is encrypted, which means that network packet analysis systems such as an IPS are severely limited without traffic decryption. Numerous IoC lists of malicious TLS fingerprints, such as https://sslbl.abuse.ch/ja3-fingerprints/, are available on the Internet.
JA3 fingerprints are available to customers who have purchased the Performance license of the Sycope NSM system.

In Sycope NSM there is a built-in rule to detect malicious JA3 fingerprints, but below is a simple query to discover this activity.
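To make the mechanism concrete, the following added example (not Sycope's rule or query, and not code from the original page) shows what a JA3 fingerprint actually is and how a detection check against an IoC list works. JA3 reads the ClientHello, takes the TLS version, the offered cipher suites, the extension types, the supported elliptic curves and the EC point formats, joins each list with dashes and the five fields with commas, and MD5-hashes the result; GREASE values are skipped so that randomized browser values do not change the fingerprint. The ClientHello bytes, the blocklist CSV and its column layout are all constructed for this example and are assumptions, not data from the abuse.ch feed.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from the JA3 string, as in the reference implementation.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def build_client_hello(ciphers, extensions, version=0x0303):
    """Constructed sample: serialize a minimal TLS record carrying a ClientHello.
    ciphers: cipher-suite ids; extensions: list of (ext_type, ext_data) pairs."""
    body = struct.pack("!H", version)
    body += b"\x11" * 32                      # client random (fixed, constructed)
    body += b"\x00"                           # session id length 0
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a TLS record holding a ClientHello and return the fields JA3 needs."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                           # skip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                   # handshake type + 3-byte length
    version = struct.unpack_from("!H", hs, pos)[0]; pos += 2
    pos += 32                                 # client random
    pos += 1 + hs[pos]                        # session id
    cs_len = struct.unpack_from("!H", hs, pos)[0]; pos += 2
    ciphers = [struct.unpack_from("!H", hs, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                        # compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(hs):                         # extensions block is optional
        ext_len = struct.unpack_from("!H", hs, pos)[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack_from("!HH", hs, pos); pos += 4
            data = hs[pos:pos + elen]; pos += elen
            ext_types.append(etype)
            if etype == 0x000a:               # supported_groups: 2-byte length, 2-byte ids
                n = struct.unpack_from("!H", data, 0)[0]
                groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 0x000b:             # ec_point_formats: 1-byte length, 1-byte ids
                formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, groups, formats


def ja3_string(version, ciphers, ext_types, groups, formats):
    """Assemble the JA3 text form: version,ciphers,extensions,curves,point_formats."""
    def drop_grease(values):
        return [v for v in values if v not in GREASE]
    return ",".join([
        str(version),
        "-".join(map(str, drop_grease(ciphers))),
        "-".join(map(str, drop_grease(ext_types))),
        "-".join(map(str, drop_grease(groups))),
        "-".join(map(str, formats)),
    ])


def ja3_digest(text):
    """JA3 hash = MD5 of the JA3 string, as hex."""
    return hashlib.md5(text.encode()).hexdigest()


def fingerprint(record):
    """Return (ja3_string, ja3_hash) for a captured ClientHello record."""
    text = ja3_string(*parse_client_hello(record))
    return text, ja3_digest(text)


def load_blocklist(csv_text):
    """Parse a constructed two-column CSV 'ja3_md5,listing_reason' into a lookup dict
    (assumed layout; check the real feed's header before reusing this)."""
    rows = {}
    for line in csv_text.splitlines():
        if not line or line.startswith("#"):
            continue
        digest, reason = line.split(",", 1)
        rows[digest.strip().lower()] = reason.strip()
    return rows


def check_against_blocklist(record, blocklist):
    """Return the listing reason if this ClientHello's JA3 hash is on the blocklist, else None."""
    return blocklist.get(fingerprint(record)[1])


# Constructed sample ClientHello: TLS 1.3-style offer with one GREASE cipher and one GREASE extension.
SAMPLE_HELLO = build_client_hello(
    ciphers=[0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f],
    extensions=[
        (0x0a0a, b""),                                  # GREASE extension, must be ignored
        (0x0000, b"\x00\x0c\x00\x00\x09localhost"),     # server_name
        (0x000a, b"\x00\x04\x00\x1d\x00\x17"),          # supported_groups: x25519, secp256r1
        (0x000b, b"\x01\x00"),                          # ec_point_formats: uncompressed
        (0x000d, b"\x00\x04\x04\x03\x08\x04"),          # signature_algorithms
    ])

if __name__ == "__main__":
    text, digest = fingerprint(SAMPLE_HELLO)
    # Constructed blocklist: lists the sample's own hash so the lookup path is exercised offline.
    blocklist = load_blocklist("# ja3_md5,listing_reason\n%s,constructed sample entry\n" % digest)
    print(text, digest, check_against_blocklist(SAMPLE_HELLO, blocklist))
```

The resulting JA3 string for the constructed sample is 771,4865-4866-49195-49199,0-10-11-13,29-23,0; the hash is what an IoC feed such as the abuse.ch list publishes, and a flow record enriched with that hash can be joined against the feed exactly as the lookup above does. Because the fingerprint depends only on the unencrypted ClientHello, it works without any decryption, but a legitimate library and a malware sample built on the same TLS stack share a fingerprint, so a match is a lead to investigate rather than proof by itself.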


FAQ
What is JA3?
JA3 is a method for fingerprinting TLS clients based on the parameters a client offers during TLS session negotiation. It helps in detecting specific applications and malware.
Why is JA3 fingerprinting important?
JA3 fingerprinting is important because it allows detection of applications and malware in encrypted traffic, which is typically difficult to analyze without decryption.
Where can malicious JA3 fingerprints be found?
Numerous Indicators of Compromise (IoCs) with malicious TLS fingerprints can be found online, such as at https://sslbl.abuse.ch/ja3-fingerprints/.
Does Sycope NSM support JA3 fingerprints?
Yes, Sycope NSM provides a built-in rule to detect malicious JA3 fingerprints and offers JA3 fingerprints to customers with the Performance license.
How can JA3 fingerprints be used in practice?
JA3 fingerprints can be used to enrich NetFlow data and create queries to discover malicious activity in encrypted network traffic.