October 27, 2023

How to monitor encrypted traffic in Sycope?

Due to the prevalence of encrypted traffic in organizations, monitoring it as a technique can be particularly advantageous.

Cyber Threat Intelligence is a fundamental functionality in Network Security Monitoring systems that enables the detection of suspicious activities based on reputation indicators of compromise. These indicators may include IP addresses, hostnames, URLs, file hashes, geolocations (ASNs, countries), e-mail accounts, user agents, and many others. Among the commonly used indicators, one deserves special attention: JA3 TLS fingerprint. JA3 is a tool for fingerprinting TLS connections based on options specified during the negotiation of TLS sessions. Based on these fingerprints, specific applications as well as malware can be detected.

This method is especially useful, as most traffic in organizations is typically encrypted, meaning that network packet analysis systems such as IPS are strongly limited without traffic decryption. Numerous IoCs with malicious TLS fingerprints, such as https://sslbl.abuse.ch/ja3-fingerprints/, can be found on the Internet.

JA3 fingerprints are available to customers who have purchased the Performance license of the Sycope NSM system.

Figure 1. Example of enriching NetFlow with JA3 fingerprints

In Sycope NSM there is a build-in rule to detect malicious JA3 fingerprints, but below is a simple query to discover this activity.

Figure 2. Example of query to find malicious traffic based on JA3 fingerprints.
Figure 3. Example of lookup with suspicious JA3 fingerprints

Get a monthly dose of blog posts, tips and tricks

Sign-up for the newsletter and be updated about Sycope.

Sign-up for the newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.