Introduction
In the realm of cybersecurity, the ability to identify and track malicious network traffic is paramount. One innovative technique that has emerged in recent years is the use of JA3 fingerprints. This method provides a unique way to profile and identify Transport Layer Security (TLS) handshakes. However, as with any security measure, threat actors have found ways to evade detection, one of which is JA3 randomization. This blog post aims to provide a comprehensive understanding of both JA3 and JA3 randomization.
What is JA3?
JA3 is a method of fingerprinting the TLS handshake. The TLS handshake is a process that occurs before the encryption of data between a client and a server. During this handshake, several values are exchanged in the clear, meaning they are not yet encrypted. These values include SSLVersion, Cipher, SSLExtension, EllipticCurve, and EllipticCurvePointFormat.
These values are used to form a JA3 hash, a unique identifier that can be used to profile and track network traffic. This hash can be easily generated and used to flag known tools or malware based on the specific TLS values they use during communication.
How JA3 Zeroes in on Attackers’ Tools
The Pyramid of Pain is a model used to determine the level of difficulty it will cause for an adversary to change the indicators associated with them and their campaign.
JA3 targets the “tools” tier of the pyramid and operates at the network level, focusing on SSL/TLS Client Hello packets. These packets often carry unique properties tied to specific malware families or threat actor tools.
JA3 generates an MD5 hash of the string formed from various SSL/TLS parameters, and that string is often unique to a specific threat. To evade JA3 fingerprinting, threat actors need to significantly alter the malware’s TLS behaviour, a non-trivial task requiring considerable effort. This makes JA3 a formidable adversary in the fight against cyber threats, effectively inflicting significant ‘pain’ on attackers as described by the Pyramid of Pain.
How Does JA3 Work?
The JA3 fingerprinting process works by gathering the values from the Client Hello packet during the TLS handshake. These values are then concatenated in a specific order and hashed using the MD5 algorithm to create a 32-character string. This string, known as the JA3 hash, serves as a digital fingerprint for the client’s TLS handshake.
The respective fields are extracted and arranged in the order shown in the JA3 string below, which is then hashed with MD5. The arranged string is called the JA3 full string and the MD5 digest is called the JA3 hash.
JA3 full string:
771,49196-49199-52393-49195-49199-52392-49162-49161-49171-49172-158-159-47-53-10-154-155-49170-49159,0-11-10-13-23-16-5-30-21,23-24-25,0-1-2
JA3 hash (MD5 of the full string):
0223baf232f487d56e08c8340b21609c
The beauty of JA3 lies in its simplicity and effectiveness. Since the Client Hello packet is sent in the clear, the JA3 hash can be generated passively, without needing to decrypt any traffic. Furthermore, since the JA3 hash is based on the client’s TLS implementation, it can be used to identify specific clients or tools, even if they are hiding behind different IP addresses.
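The construction described above, as an added example that is not part of the original post: the five Client Hello values are joined with “-” inside each field and “,” between fields, then MD5-hashed. The field values are taken from the page’s example full string; the GREASE filter is taken from the JA3 specification itself (which the post does not mention) and is the reason a browser’s fingerprint stays stable even though it inserts random GREASE values into each hello.

```python
import hashlib
from dataclasses import dataclass

# GREASE values (RFC 8701) that TLS clients insert to keep servers tolerant of
# unknown values. The JA3 specification excludes them so that a client's
# fingerprint stays stable across connections. This step comes from the JA3
# definition, not from the post above.
GREASE_VALUES = {
    0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
    0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA,
}


@dataclass(frozen=True)
class ClientHelloFields:
    """The five Client Hello values JA3 uses, as decimal integers."""
    ssl_version: int          # e.g. 771 == 0x0303 (TLS 1.2 record version)
    ciphers: tuple            # cipher suite ids, in the order the client sent them
    extensions: tuple         # extension type ids, in the order the client sent them
    elliptic_curves: tuple    # supported_groups values
    point_formats: tuple      # ec_point_formats values


def _join(values):
    # Each list becomes decimal values joined with "-"; GREASE entries are dropped.
    # An empty list yields an empty field, which is what the JA3 spec prescribes
    # (e.g. "769,4-5-10,,," for a hello with no extensions).
    return "-".join(str(v) for v in values if v not in GREASE_VALUES)


def ja3_full_string(fields: ClientHelloFields) -> str:
    """Concatenate the fields in JA3 order, separated by commas."""
    return ",".join([
        str(fields.ssl_version),
        _join(fields.ciphers),
        _join(fields.extensions),
        _join(fields.elliptic_curves),
        _join(fields.point_formats),
    ])


def ja3_hash(full_string: str) -> str:
    """The JA3 hash is the 32-character hex MD5 digest of the full string."""
    return hashlib.md5(full_string.encode("ascii")).hexdigest()


def ja3(fields: ClientHelloFields):
    """Return (full string, hash) for a set of Client Hello fields."""
    full = ja3_full_string(fields)
    return full, ja3_hash(full)


# The values from the post's example full string, split back into fields.
PAGE_EXAMPLE = ClientHelloFields(
    ssl_version=771,
    ciphers=(49196, 49199, 52393, 49195, 49199, 52392, 49162, 49161, 49171, 49172,
             158, 159, 47, 53, 10, 154, 155, 49170, 49159),
    extensions=(0, 11, 10, 13, 23, 16, 5, 30, 21),
    elliptic_curves=(23, 24, 25),
    point_formats=(0, 1, 2),
)

if __name__ == "__main__":
    full, digest = ja3(PAGE_EXAMPLE)
    print("JA3 full string:", full)
    print("JA3 hash:       ", digest)   # compare with the hash shown in the post
```

In a real capture the integers come from the parsed Client Hello (record version, cipher suite list, extension types, the supported_groups and ec_point_formats extension bodies); the ordering the client chose is part of the fingerprint, so the parser must preserve it rather than sort.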
Applications of JA3
JA3 has a wide range of applications in the field of cybersecurity. It can be used for:
- Threat Hunting: By comparing network traffic against a database of known malicious JA3 hashes, security analysts can identify potential threats in their network.
- Incident Response: In the event of a security incident, JA3 can help analysts understand the nature of the threat and identify other systems that may have been compromised by the same tool or malware.
- Network Forensics: JA3 can aid in the investigation of past security incidents by helping analysts identify malicious traffic in network logs.
Evading JA3
In the realm of JA3 fingerprinting, evasion techniques such as randomization and impersonation are often employed by threat actors.
Randomization involves altering the SSL/TLS client hello packet parameters to generate different JA3 hashes, thereby evading signature-based detection systems.
On the other hand, impersonation involves mimicking the JA3 hashes of commonly used applications to blend malicious traffic with legitimate traffic.
These techniques highlight the importance of a comprehensive and multi-layered security approach, as relying solely on JA3 fingerprinting may not be sufficient to detect sophisticated threats.
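Detection logic for the two cases above, as an added example that is not part of the original post: a watchlist match catches the signature case from the “Threat Hunting” application, while counting distinct JA3 values per source host is one way to surface randomization, since a randomizing client produces a new hash on nearly every connection where a normal workstation presents only a handful. The log layout (tab-separated ts, src, dst, server name, JA3), the hosts, the hashes and the watchlist entry are all constructed for the example, and the threshold of five distinct hashes is an assumption to be baselined against real hosts.

```python
import hashlib
from collections import defaultdict


def _synthetic_ja3(label: str) -> str:
    # Produces a 32-hex-character value for the constructed sample below.
    # These are NOT real client fingerprints, just stand-ins with the right shape.
    return hashlib.md5(label.encode()).hexdigest()


# Constructed sample log in a Zeek ssl.log-like layout (tab-separated):
# ts, src_ip, dst_ip, server_name, ja3. Three hosts:
#   10.0.0.5 - a normal workstation: one browser fingerprint plus one updater fingerprint
#   10.0.0.9 - a host presenting a different JA3 on every connection (randomization)
#   10.0.0.7 - a host whose single fingerprint is on the analyst's watchlist
_ROWS = [
    ("1700000001.0", "10.0.0.5", "203.0.113.10", "example.com", _synthetic_ja3("browser")),
    ("1700000002.0", "10.0.0.5", "203.0.113.11", "example.net", _synthetic_ja3("browser")),
    ("1700000003.0", "10.0.0.5", "203.0.113.12", "update.example", _synthetic_ja3("updater")),
    ("1700000004.0", "10.0.0.7", "198.51.100.20", "c2.example", _synthetic_ja3("watchlist-entry")),
] + [
    (f"170000001{i}.0", "10.0.0.9", "198.51.100.30", "cdn.example", _synthetic_ja3(f"rand-{i}"))
    for i in range(6)
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in _ROWS)

# Constructed watchlist entry (a placeholder, not a real known-bad hash).
WATCHLIST = {_synthetic_ja3("watchlist-entry")}

# Assumed threshold: a single host presenting this many distinct JA3 values in the
# window is unusual enough to review. Tune it against a baseline of your own hosts.
RANDOMIZATION_THRESHOLD = 5


def parse_log(text: str):
    """Parse tab-separated rows into dicts; skips blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, sni, ja3 = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst, "sni": sni, "ja3": ja3})
    return records


def ja3_by_source(records):
    """Map each source IP to the set of distinct JA3 hashes it presented."""
    seen = defaultdict(set)
    for r in records:
        seen[r["src"]].add(r["ja3"])
    return dict(seen)


def flag_randomizers(records, threshold=RANDOMIZATION_THRESHOLD):
    """Sources whose distinct-JA3 count reaches the threshold: candidate randomizers."""
    return {src for src, hashes in ja3_by_source(records).items() if len(hashes) >= threshold}


def match_watchlist(records, watchlist=WATCHLIST):
    """Classic signature match: (src, ja3) pairs whose hash is on the watchlist."""
    return sorted({(r["src"], r["ja3"]) for r in records if r["ja3"] in watchlist})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("watchlist hits:", match_watchlist(recs))
    print("possible JA3 randomizers:", flag_randomizers(recs))
```

Neither check catches impersonation, where the hash matches a common application exactly; that case is why the multi-layered approach above matters, and in practice the JA3 value is correlated with other fields of the same connection (server name, destination, the server-side JA3S, process telemetry on the endpoint) rather than judged alone.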
JA3 Randomization in BreakingPoint
JA3 fingerprinting is a popular and widely accepted technique in the networking community, so it is important to test how resilient network equipment is to JA3 evasion techniques.
The Keysight BreakingPoint ATI team has added support for generating randomized JA3 fingerprints starting with the ATI 2024-12 StrikePack.
Users can enable this feature in the “Client Hello” action of “HTTPS Simulated” flows to achieve high-fidelity JA3 signatures in their simulated traffic.
BreakingPoint (BPS) offers the niche capability of mixing randomized JA3 traffic with traffic from thousands of other applications to build a real-world network traffic simulation that flows through your network equipment. For more details about Keysight BreakingPoint, and to test your network equipment against the most up-to-date network traffic available on the internet, visit BreakingPoint.