Active and Passive methods of identifying encrypted traffic

Telesoft Telesoft

Why do we monitor encrypted traffic?

With the recent shift toward remote working there has been a significant increase in network activity across the public internet. Additionally, we continue to see more Internet of Things (IoT) devices being deployed and connected across the globe which, driven by the increasing demand for digital privacy, is often connected utilising TLSv1.3 as standard, resulting in encrypted web traffic rising further.

Studies show that around 85% of web traffic today is now encrypted, with encrypted traffic providing a way of communicating more safely and securely, with less risk to the end users’ details if an attacker gains access to these communications. But as encrypted traffic becomes an ever more common method of communication, we will almost certainly see the attacker’s utilisation of the encryption protocol increase too.

Reports show in 2020 there was a 260% increase in the use of encrypted traffic to “hide” attacks. For this reason, it is now more important than ever for organisations to have the capability to identify threats in encrypted traffic passing through their network.

Passive vs Active Monitoring

Detecting encrypted traffic comes in two forms, active and passive.

Active analysis and reconnaissance often requires a client to send some form of data to a location, actively communicating with a server or endpoint. Passive methods however, do not interact with any endpoint, and instead, it allows security teams to monitor what’s happening within a network, completely non-intrusively.

For both active and passive monitoring, there are a number of methods that can be utilised to monitor encrypted flows.

Passive Methods

  • JA3 & JA3s

JA3 fingerprinting is a method for creating SSL & TLS fingerprints. Developed by Salesforce, JA3 fingerprinting takes several key variables of a TLS Client Hello, assigns specific numbers to each of these variable, then concatenates the numbers into a string before creating a MD5 hash of this string. The MD5 hash can be checked against a public list of known JA3 fingerprints to see if this encrypted flow has been seen elsewhere or is known within the community. This is a completely non-intrusive method for identification of malicious activity within encrypted traffic and has seen wide success within the security industry.

Alongside JA3, JA3S has also been developed to provide more accurate results. JA3S utilises the same methodology as JA3, but it focuses on server-side identification which similarly fingerprints the Server Hello of clients connecting to the server. As with JA3 fingerprinting the Client Hello, JA3S takes a similar number of variables from the Server Hello, before concatenating the numbers in to a string and MD5 hashing the resulting string. The combination of JA3/JA3S fingerprints has yielded good results when monitoring encrypted traffic for malicious activity at scale.

Similarly, there is also HAASH. HASSH is a profiling method for SSH Clients and Servers, enabling the ability to detect and investigate attacks such as bruteforce and credential stuffing without just relying on threat intelligence around IP addresses. Alongside this, HASSH also contributes to detecting devices belonging to IoT core systems such as cameras, smart devices, and microphones which can be communicating unknowingly to a command-and-control server.

Active Methods

  • SSL/TLS Proxy
  • JARM

SSL/TLS proxy servers enable communications, including encrypted communications, to go through a proxy server that inherently accepts encrypted comms one end, decrypts & performs an operation in the middle, then re-encrypts and sends the traffic at the other side. One major downside seen in this method is that it is “not worth the risks that it introduces” (Will Dormann at Carnegie Mellon) and that it has been proven to slow down traffic as well as not properly validating certificates or forwarding any associated error conditions.

JARM is an active TLS server fingerprinting tool which is primarily used to identify applications, infrastructure, and malicious activity such as malware command and control infrastructure and other malicious servers on the internet. This fingerprinting method requires JARM to actively send 10 TLS Client Hello packets to a target entity, it then goes on to capture the attributes of the TLS Server Hello responses. These attributes are then hashed in a specific manner to produce the JARM fingerprint.

One of the key challenges faced when utilising active methods is the latency in which it introduces, making it a largely unviable solution when performing network monitoring at scale for network operators, where Quality of Experience (QoE) for the end-users is of high importance.

How does Telesoft provide visibility against encrypted communications?

Telesoft Technologies provides visibility in to encrypted traffic within enterprise and carrier-grade networks, using passive analysis technologies to identify both malicious and legitimate communications within a network.

The TDAC (Telesoft Data Analytics Capability) Platform takes advantage of OpenSource projects such as JA3/JA3S and HASSH to give insight into encrypted traffic monitored by the FlowProbe. . By utilising cutting edge FPGA technology our probes can accelerate the logic provided by such projects, achieving traffic monitoring rates of up to 400Gbps per 1U form factor, whilst maintaining unsampled visibility for L4-L7 network communications.

To find out more about how Telesoft’s passive encryption analysis can help protect your network from attacks, get in touch today. 

Related products