Presented at
BSidesDC 2019,
Oct. 27, 2019, 9 a.m.
(50 minutes).
The number one question every single network detection person gets asked: how do you deal with encrypted traffic? Threat actors leverage encryption to obfuscate their activities, sneaking past the border guards in their enchanted cloak, leveraging legitimate certificates or even worse, legitimate services to operate their C2. In 2017, a method for fingerprinting SSL clients and servers was released titled JA3 and JA3s respectively and with their release, network detection engineers rejoiced. JA3/JA3S seeks to profile the client and server software involved in an SSL/TLS session through fingerprinting their “hello” messages and the involved cryptographic exchange. This method is not without its’ nuances and in our experience putting it to the use, the nuances are critical to understand. This talk will give insights into our challenges, failures and successes with JA3 and JA3S while sharing tips for those seeking to begin using it for network detection.
Presenters:
-
Justin Warner
- Director, Applied Threat Research at Gigamon
Justin Warner (@sixdub) is the Director of Applied Threat Research at Gigamon where he leads a team of intelligence analysts, detection engineers, and security researchers who seek to dismantle a threat actors ability to impact their targets. Justin is an Air Force Academy graduate, former USAF Cyber Operations Officer, and has private sector experience in both blue and red team roles, preferring to use his evil skills for good. In his free time, he can be found climbing with his wife and daughter or volunteering in disaster response organizations, bringing a nerdy edge to the mix.
-
Ed Miles
- Senior Staff Security Engineer - Threat Intel at Gigamon
Ed Miles is a security researcher with Gigamon’s Applied Threat Research team, where he focuses on threat intelligence and malware analysis. Prior to Gigamon, Ed worked on developing security detection products from the ground up for a large enterprise, threat research at AV and other security vendors, and DFIR-focused consulting with companies up and down the Fortune 100. When he’s not working, he enjoys hiking with his wife, twins, and two dogs, playing DOTA2, and spinning drum n bass music.
Links:
Similar Presentations: