When putting regular users aside and concentrating on the malicious ones, things start to get tricky. A bot can be written to emulate a human well enough to pass detection without raising any concerns. The only known effective method is to place a CAPTCHA in front of the user and make them pass it. There are known cases where a human will guide the bot through the CAPTCHA and then hand control back to the bot for it to continue its mischief. Given that, there is always room for new options for identifying requests.

There are a number of organizations and people (including Google, Edward Snowden and the US Government) encouraging people to encrypt everything. An example of this is The HTTPS-Only Standard by the US Government. Early 2020 figures indicate that the entire Internet is ~60% HTTPS, and that ~93% of requests arriving at Google use HTTPS instead of unencrypted HTTP. We're getting there: just about everything is encrypted.

The thing with TLS encryption is that the way the encryption is implemented can be fingerprinted. This fingerprint can be added to the list of factors used to determine if you are who you say you are. A really good presentation about the history of TLS/SSL fingerprinting can be found in DETECTION ENGINEERING: Passive TLS Fingerprinting Experience from adopting JA3, but to summarize it here:

What's missing from the list is the techniques used by various government agencies and proprietary systems. It is obvious to me that they hire a bunch of super-smart individuals, and some of them MUST have found the fingerprinting without ever telling us about it. The point here is, there have always been methods to fingerprint your encryption, you just didn't know about it.

In this blog post I'll be focusing on JA3, as it is gaining a lot of traction in the threat-actor-detection field of security.
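To make concrete what "the way the encryption is implemented can be fingerprinted" means, here is an added example (not code from the original post or from the JA3 project) that computes a JA3 fingerprint from a raw TLS ClientHello. JA3 takes the client's offered TLS version, cipher suites, extension types, supported groups and EC point formats, writes them as decimal numbers, joins values with `-` and fields with `,`, drops GREASE values, and MD5-hashes the resulting string. The ClientHello bytes below are constructed inline purely for the demonstration (the host name and cipher list are sample values, not a real capture); the function and constant names are this example's own.

```python
"""Compute a JA3 client fingerprint from a raw TLS ClientHello record.

JA3 string layout: TLSVersion,Ciphers,Extensions,EllipticCurves,ECPointFormats
(decimal values, '-' between values, ',' between fields, GREASE values removed).
The fingerprint is the MD5 of that string, used only as a short lookup key.
"""
import hashlib
import struct

EXT_SUPPORTED_GROUPS = 0x000A   # "elliptic curves" in JA3 terminology
EXT_EC_POINT_FORMATS = 0x000B


def is_grease(value: int) -> bool:
    """GREASE (RFC 8701) values look like 0x0a0a, 0x1a1a, ..., 0xfafa: both bytes equal, low nibble 0xA."""
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A


def parse_client_hello(record: bytes) -> dict:
    """Extract the JA3-relevant fields from a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                      # skip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                              # handshake type (1) + handshake length (3)
    version = struct.unpack_from("!H", hs, pos)[0]
    pos += 2
    pos += 32                            # client random
    pos += 1 + hs[pos]                   # session id (length-prefixed)
    cs_len = struct.unpack_from("!H", hs, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", hs, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                   # compression methods (length-prefixed)
    extensions, groups, formats = [], [], []
    if pos < len(hs):
        ext_total = struct.unpack_from("!H", hs, pos)[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hs, pos)
            pos += 4
            data = hs[pos:pos + ext_len]
            pos += ext_len
            extensions.append(ext_type)
            if ext_type == EXT_SUPPORTED_GROUPS:
                n = struct.unpack_from("!H", data, 0)[0]
                groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif ext_type == EXT_EC_POINT_FORMATS:
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3_string(fields: dict) -> str:
    """Render the parsed fields as the JA3 string, dropping GREASE values from 16-bit lists."""
    def join16(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([
        str(fields["version"]),
        join16(fields["ciphers"]),
        join16(fields["extensions"]),
        join16(fields["groups"]),
        "-".join(str(v) for v in fields["formats"]),
    ])


def ja3_fingerprint(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5_hex) for a ClientHello record."""
    s = ja3_string(parse_client_hello(record))
    return s, hashlib.md5(s.encode()).hexdigest()


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a minimal ClientHello record (constructed sample input, not a capture)."""
    body = struct.pack("!H", version) + bytes(32)        # version + all-zero random (sample only)
    body += b"\x00"                                      # empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                  # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample: a GREASE cipher, a GREASE group and a GREASE extension are
# included on purpose so the filtering step is exercised.
SAMPLE_GROUPS = [0x1A1A, 0x001D, 0x0017]                 # GREASE, x25519, secp256r1
SAMPLE_CIPHERS = [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F]
SAMPLE_EXTENSIONS = [
    (0x0000, b"\x00\x10\x00\x00\x0dexample.local"),      # server_name with a placeholder host
    (EXT_SUPPORTED_GROUPS, struct.pack("!H", 2 * len(SAMPLE_GROUPS))
                           + b"".join(struct.pack("!H", g) for g in SAMPLE_GROUPS)),
    (EXT_EC_POINT_FORMATS, b"\x01\x00"),                 # one format: uncompressed
    (0x2A2A, b""),                                       # GREASE extension
]
SAMPLE_RECORD = build_client_hello(0x0303, SAMPLE_CIPHERS, SAMPLE_EXTENSIONS)

if __name__ == "__main__":
    s, h = ja3_fingerprint(SAMPLE_RECORD)
    print(s)   # 771,4865-4866-49195-49199,0-10-11,29-23,0
    print(h)
```

The same string can be produced from a packet capture by feeding the first record of each client-side TLS flow to `ja3_fingerprint`; the resulting hashes are what a detection pipeline compares against known-good browser and known-bad tooling fingerprints. Two caveats worth keeping in mind as a defender: a client library can change its fingerprint with a version bump, so lists need maintenance, and a bot author can reorder or copy a browser's ClientHello, which is why the post treats JA3 as one more factor rather than a verdict on its own.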