Using JA3. Asking for a friend? presented at BSidesWashington 2019

by Justin Warner,

Summary : The number one question every single network detection person gets asked: how do you deal with encrypted traffic? Threat actors leverage encryption to obfuscate their activities, sneaking past the border guards in their enchanted cloak, leveraging legitimate certificates or even worse, legitimate services to operate their C2. In 2017, a method for fingerprinting SSL clients and servers was released titled JA3 and JA3s respectively and with their release, network detection engineers rejoiced. JA3/JA3S seeks to profile the client and server software involved in an SSL/TLS session through fingerprinting their “hello” messages and the involved cryptographic exchange. This method is not without its’ nuances and in our experience putting it to the use, the nuances are critical to understand. This talk will give insights into our challenges, failures and successes with JA3 and JA3S while sharing tips for those seeking to begin using it for network detection.