
JA3 Fingerprinting is On The Rise

As cybercriminals become more adept at using encrypted data against targets, fingerprinting techniques can help detect and prevent attacks from succeeding.  JA3 fingerprinting uses data exchanged between a client and a server during an encrypted session to create signatures. The signature can be compared to expected values for a given application, or to known signatures of hackers, providing an efficient solution to help thwart attacks.   

Data Encryption and Hacking Today

Data encryption scrambles information both at rest and in transit. It’s designed to protect organizations from having their data intercepted, stolen or compromised. For users to access information, they need special keys to unlock and translate the encrypted material. 

Unfortunately, hackers have become more adept at hiding malware within encrypted data. A recent study showed that nearly half of the world’s malware in 2020 was hidden in an encrypted data package. In Q2 of 2021 alone, over 90% of malware attacks were through encrypted data. 

As more and more data is stored in the cloud, hackers are leveraging those platforms, piggybacking on entrusted transactions to attack businesses. And with so much traffic using Transport Layer Security (TLS) encryption as the standard, there are more pieces of code available that hackers can use to hide malicious payloads.

The COVID-19 pandemic also has meant more people are working from home, further exacerbating the risks. While about 80 percent of data is encrypted, the increasing use of personal devices, home networks and wireless connections adds to the vulnerability of valuable data. 

TLS encryption has become the go-to defense for organizations that are sending or receiving application data – from HTTPS web servers, VoIP phone calls or other sources. However, hackers today are leveraging encrypted data in insidious ways. 

Hackers can hide malware inside that encrypted TLS traffic and then have a vector to upload malicious files, issue instructions or steal data. The challenge comes in trying to detect that malicious information. When done well by hackers, the bad data is hard to distinguish from the good.

Several less-than-ideal approaches have been tried to detect malware in TLS traffic. Blocklists require regular updating, so your protections could be out of date. Inspections that require traffic to be decrypted, inspected and re-encrypted have other problems: added expense and latency, the risk of breaking trust, compliance issues and the question of how to inspect traffic not sent using TLS.

JA3 Fingerprinting Explained

JA3 fingerprinting is an elegant solution to the issue of detecting malware in encrypted traffic. First introduced as a solution in 2017 by several Salesforce researchers, it has become a valuable method to assist in keeping your business protected. 

The solution uses the handshake that occurs between a client and a server. During those handshakes there are multiple variables that need to be agreed upon, including the TLS version, TLS extension lengths, cipher suites, elliptic curve groups and elliptic curve point formats. The values from these handshakes are hashed into 32-character MD5 digests, which serve as the client-side and server-side JA3 fingerprints. With the JA3 fingerprints in hand, detection systems can get to work.

Threat detection tools can compare the JA3 fingerprints to the expected fingerprint for a given encrypted application, and also to known fingerprints of malicious hackers. 
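
As an added illustration (not NetQuest's code), the sketch below parses a ClientHello body, builds the client JA3 string in the published field order (version, cipher suites, extension types, elliptic curves, point formats), hashes it with MD5 as a compact identifier, and compares the result to expected and known-bad sets. The handshake bytes, `sample_hello` and `classify` are constructed for this example.

```python
import hashlib
import struct

# RFC 8701 GREASE values (0x0A0A ... 0xFAFA); JA3 skips them so one client hashes stably.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def u16_list(buf):
    return [v for (v,) in struct.iter_unpack("!H", buf)]

def ja3(body):
    """Return (ja3_string, md5_hex) for a ClientHello body (bytes after the handshake header)."""
    version = struct.unpack_from("!H", body, 0)[0]
    pos = 35 + body[34]                   # skip client_version, random, session_id
    n = struct.unpack_from("!H", body, pos)[0]
    ciphers = u16_list(body[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + body[pos]                  # skip compression methods
    exts, groups, formats = [], [], []
    if pos < len(body):                   # the extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            exts.append(etype)
            if etype == 10:               # supported_groups: 2-byte list length, then u16s
                groups = u16_list(data[2:])
            elif etype == 11:             # ec_point_formats: 1-byte length, then u8s
                formats = list(data[1:])
    fields = [[version], ciphers, exts, groups, formats]
    text = ",".join("-".join(str(v) for v in f if v not in GREASE) for f in fields)
    return text, hashlib.md5(text.encode()).hexdigest()

def classify(digest, expected, known_bad):  # hypothetical helper: set lookups only
    if digest in known_bad:
        return "known-bad"
    return "expected" if digest in expected else "unexpected"

def sample_hello(grease=0x1A1A):
    """Constructed ClientHello body for illustration; not captured traffic."""
    ext = lambda t, d=b"": struct.pack("!HH", t, len(d)) + d
    ciphers = struct.pack("!4H", grease, 0x1301, 0x1302, 0xC02F)
    groups = struct.pack("!3H", grease, 29, 23)
    exts = (ext(grease) + ext(0, b"\x00\x00")
            + ext(10, struct.pack("!H", len(groups)) + groups) + ext(11, b"\x01\x00"))
    return (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack("!H", len(ciphers)) + ciphers + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
```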

Defending Your Data

As hacking becomes more sophisticated, so too do the defenses. At NetQuest, we offer cybersecurity solutions with JA3 fingerprinting and other cutting-edge technologies to help detect and mitigate threats. 

Our threat detection systems protect against threats on carrier networks, high-speed internet backbones and aggregated links alike. NetQuest gives you the visibility to find malicious threats and stop them before they can cause damage to your business. 
