Malware Detection with JA3 and osquery
Have you ever wondered how you can detect malware and other suspicious activity that uses TLS, without having to actually intercept or terminate the connection? JA3, a method to fingerprint the SSL/TLS client, is a great way to do that.
In this webinar, we will extend osquery to calculate a JA3 fingerprint for SSL/TLS clients and build an allowlist of known clients. With the osquery daemon, we'll monitor for and detect any client that is not on the allowlist, and is therefore potentially malicious, becoming active on our machine.
Sign up today and view this on-demand webinar!
Julian Wayte is a Security Solutions Engineer for Uptycs. In this role, he helps organizations architect security solutions, based on endpoint telemetry and automated workflows, to solve a variety of security use cases. Julian loves working with and teaching osquery. He has worked for 20 years in various customer-facing technical IT roles, helping organizations manage and secure their data.
What is osquery?
Osquery is an open-source, cross-platform agent that turns your operating system into a virtual database, letting you use SQL to ask questions about your system. Over 200 tables let you see which processes are running, which users are logged in, where the machine is connected, what files are on disk, and much more. Its flexibility and power make it an excellent tool for threat hunting, security monitoring, and even IT operations.
What is JA3?
A product of Salesforce engineering, JA3 is a method to profile the way servers and clients perform their SSL/TLS handshake, producing a fingerprint of the client without decrypting the connection.
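As an added example (not code from the webinar, from osquery, or from Uptycs), the Python below shows the core of what the extension described above has to do: parse a raw TLS ClientHello, build the JA3 string in the published order (SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats, values joined with `-`), drop GREASE values so the fingerprint is stable, MD5 the string, and compare the digest against an allowlist. The ClientHello bytes, the allowlist contents and the function names are constructed for illustration; the osquery table plumbing around it is not shown.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are placeholders some clients inject at random;
# JA3 removes them so the same client always yields the same fingerprint.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16s(data):
    """Split a byte string into big-endian 16-bit integers."""
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, len(data) - 1, 2)]


def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a raw TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                                   # skip 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                         # client random
    sid_len = body[pos]; pos += 1 + sid_len           # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [c for c in _u16s(body[pos:pos + cs_len]) if c not in GREASE]; pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len         # compression methods
    ext_types, curves, point_formats = [], [], []
    if pos + 2 <= len(body):                          # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 0x000a:                       # supported_groups: 2-byte length + list
                curves = [g for g in _u16s(edata[2:]) if g not in GREASE]
            elif etype == 0x000b:                     # ec_point_formats: 1-byte length + list
                point_formats = list(edata[1:])
    ja3 = ",".join([str(version),
                    "-".join(map(str, ciphers)),
                    "-".join(map(str, ext_types)),
                    "-".join(map(str, curves)),
                    "-".join(map(str, point_formats))])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def classify(record, allowlist):
    """Return 'allowed' if the ClientHello's JA3 hash is allowlisted, else 'unknown'."""
    _, digest = ja3_from_client_hello(record)
    return "allowed" if digest in allowlist else "unknown"


def build_client_hello(ciphers, extensions):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input)."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", 0x0303) + bytes(32)                   # version, random
            + b"\x00"                                               # empty session id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                           # compression: null only
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sample_record():
    """A constructed ClientHello with GREASE in the ciphers, extensions and groups."""
    groups = [0x0a0a, 0x001d, 0x0017, 0x0018]          # GREASE, x25519, secp256r1, secp384r1
    exts = [
        (0x0a0a, b"\x00"),                                          # GREASE extension
        (0x0000, b"\x00\x10\x00\x00\x0dexample.local"),             # server_name (constructed)
        (0x000a, struct.pack("!H", 2 * len(groups))
                 + b"".join(struct.pack("!H", g) for g in groups)),  # supported_groups
        (0x000b, b"\x01\x00"),                                      # ec_point_formats: uncompressed
        (0x0023, b""),                                              # session_ticket
    ]
    return build_client_hello([0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f, 0x002f], exts)


if __name__ == "__main__":
    ja3, digest = ja3_from_client_hello(sample_record())
    print(ja3, digest, classify(sample_record(), {digest}), classify(sample_record(), set()))
```

In the osquery extension the `ja3_from_client_hello` step runs over captured ClientHello bytes and the digest becomes a column; the allowlist check is then an ordinary scheduled query that alerts on rows whose hash is not in the known set.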
How can I get some additional osquery resources?
Head over to the osquery Resource Hub for the best training, engineering, and practitioner resources from all across the web!