Because most traffic in organizations is encrypted, techniques that can monitor that traffic are particularly valuable.
Cyber Threat Intelligence is a core function of Network Security Monitoring systems: it detects suspicious activity by matching traffic against reputation-based indicators of compromise. These indicators may include IP addresses, hostnames, URLs, file hashes, geolocation data (ASNs, countries), e-mail accounts, user agents, and many others. Among the commonly used indicators, one deserves special attention: the JA3 TLS fingerprint. JA3 is a method for fingerprinting TLS clients based on the options they offer during TLS session negotiation. These fingerprints make it possible to identify specific applications as well as malware.
This method is especially useful because most traffic in organizations is encrypted, which severely limits packet-inspection systems such as IPS unless the traffic is decrypted. Feeds of known malicious JA3 fingerprints, such as https://sslbl.abuse.ch/ja3-fingerprints/, are publicly available on the Internet.
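As an added illustration (not code from the original article or from the Sycope product), the block below shows how a JA3 fingerprint is derived from a raw ClientHello, including the removal of GREASE placeholder values, and how the resulting hash is checked against a reputation feed such as the sslbl list above. The sample ClientHello and the blocklist are constructed for this example.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random placeholders; JA3 drops them from every list.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

def _join(values):
    return "-".join(str(v) for v in values if v not in GREASE)

def ja3_from_client_hello(rec):
    """Parse a TLS record carrying a ClientHello; return (ja3_string, ja3_md5)."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                    # record header (5) + handshake header (4)
    version = struct.unpack_from("!H", rec, pos)[0]
    pos += 2 + 32 + 1 + rec[pos + 34]          # client_version, random, session_id
    n = struct.unpack_from("!H", rec, pos)[0]; pos += 2
    ciphers = list(struct.unpack_from("!%dH" % (n // 2), rec, pos)); pos += n
    pos += 1 + rec[pos]                        # compression_methods
    exts, curves, formats = [], [], []
    if pos < len(rec):                         # extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", rec, pos)[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", rec, pos); pos += 4
            body = rec[pos:pos + elen]; pos += elen
            exts.append(etype)
            if etype == 10:                    # supported_groups: u16 len + u16 list
                curves = list(struct.unpack_from("!%dH" % ((len(body) - 2) // 2), body, 2))
            elif etype == 11:                  # ec_point_formats: u8 len + u8 list
                formats = list(body[1:])
    s = ",".join([str(version), _join(ciphers), _join(exts), _join(curves), _join(formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

def build_client_hello(version, ciphers, exts):
    """Constructed test vector (not a real capture): a minimal ClientHello record."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                       # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed sample: a TLS 1.2 hello with GREASE values in the cipher, extension and group lists.
SAMPLE_HELLO = build_client_hello(0x0303, [0x1A1A, 4865, 4866, 49195], [
    (0x2A2A, b""), (0, b""), (10, struct.pack("!HHHHH", 8, 0x3A3A, 29, 23, 24)),
    (11, b"\x01\x00"), (23, b"")])

def is_blocklisted(rec, blocklist):  # reputation lookup against a set of known-bad JA3 hashes
    return ja3_from_client_hello(rec)[1] in blocklist
```

For the sample, `ja3_from_client_hello(SAMPLE_HELLO)[0]` yields `771,4865-4866-49195,0-10-11-23,29-23-24,0`; a real feed would be loaded into the `blocklist` set from a file such as the sslbl CSV.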
JA3 fingerprints are available to customers who have purchased the Performance license of the Sycope NSM system.
Sycope NSM includes a built-in rule to detect malicious JA3 fingerprints, but below is a simple query to discover this activity.