Kjell Tore Fossbakk | HelseCERT

Published: 25.05.2019

Talk title: Detection Engineering - Passive TLS Fingerprinting

About Passive TLS Fingerprinting

TLS is increasingly being used by malware to secure its network traffic. This limits the effect of network security monitoring techniques that rely on deep packet inspection. TLS fingerprinting is a technique for identifying a client application (or library) based on parameters in its TLS traffic. Salesforce published a new, standardized technique in 2017: JA3. JA3 creates a fingerprint from a few selected parameters harvested from the unencrypted TLS handshake: the ClientHello (ja3) and the ServerHello (ja3s) packets.

HelseCERT has deployed its own sensor network to detect cyberattacks. This talk will mainly address our experience in adopting JA3 into our detection capabilities. Can we trust the JA3 fingerprint? How does TLS 1.3 affect JA3? What about other parameters from the TLS handshake? How accurate and unique is a JA3 fingerprint? How can we use JA3 in the future?
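The abstract describes JA3 only in outline. The following Python is an added example (not code from the talk or from HelseCERT) showing how the JA3 and JA3S strings are assembled from ClientHello/ServerHello parameters and hashed, including the GREASE filtering that keeps the hash stable across connections and the TLS 1.3 wrinkle the talk asks about; the two ClientHello parameter sets are constructed sample values.

```python
import hashlib
from typing import Iterable


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values look like 0x0a0a, 0x1a1a ... 0xfafa. Clients such as
    Chrome pick a random one per connection, so JA3 drops them before hashing;
    otherwise the same browser would produce a different hash on every handshake."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _join(values: Iterable[int]) -> str:
    """JA3 writes each field as decimal values separated by '-', GREASE removed."""
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3_string(version: int, ciphers, extensions, groups, point_formats) -> str:
    """Client side: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(groups), _join(point_formats)])


def ja3s_string(version: int, cipher: int, extensions) -> str:
    """Server side (JA3S): SSLVersion,Cipher,Extensions taken from the ServerHello."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def fingerprint(s: str) -> str:
    """The JA3/JA3S fingerprint is the MD5 of the string: a lookup key, not a security primitive."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed sample: a TLS 1.3-capable ClientHello. The legacy version field still
# says 771 (TLS 1.2); TLS 1.3 is offered only inside extension 43 (supported_versions),
# whose contents JA3 ignores, so the hash does not change when 1.3 is negotiated.
TLS13_HELLO_A = dict(version=771,
    ciphers=[0x0A0A, 4865, 4866, 4867, 49195, 49199, 49196, 49200],
    extensions=[0x1A1A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 0x2A2A],
    groups=[0x3A3A, 29, 23, 24], point_formats=[0])
# Same client on its next connection: only the random GREASE values differ.
TLS13_HELLO_B = dict(TLS13_HELLO_A, ciphers=[0x5A5A] + TLS13_HELLO_A["ciphers"][1:],
    extensions=[0xBABA] + TLS13_HELLO_A["extensions"][1:-1] + [0xCACA],
    groups=[0xDADA] + TLS13_HELLO_A["groups"][1:])


def ja3_of(hello: dict) -> str:
    return fingerprint(ja3_string(**hello))


if __name__ == "__main__":
    print(ja3_string(**TLS13_HELLO_A), ja3_of(TLS13_HELLO_A), ja3_of(TLS13_HELLO_B))
```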

About Kjell Tore Fossbakk

Kjell Tore Fossbakk works at the Norwegian HealthCERT. He provides detection tools and capabilities to increase the Norwegian health care sector's ability to prevent, detect and handle major cyberattacks. Previously he worked in the Norwegian Armed Forces Computer Network Defence unit.