Splunk Lantern

Detecting software supply chain attacks

Scenario: Your organization develops software and you are responsible for threat hunting within it. You have become aware of the increasing frequency of software supply chain attacks, which threaten your source code, build processes, and update mechanisms by infecting legitimate apps to distribute malware. Detecting these attacks, however, is not easy: your organization uses a wide range of software, services, infrastructure and people in the development of your software, making it difficult to apply detection techniques across all of them. You are aware of the JA3 open-source methodology, which creates an MD5 hash of specific values found in the SSL/TLS handshake process. You also know that both JA3 and JA3s are easily obtained from network traffic using various tools. You want to leverage JA3/s hashes as a high-fidelity data point to bring anomalous activity to the forefront.

Prerequisites

To succeed in implementing this use case, you need the following dependencies, resources, and information.

How to use Splunk software for this use case

Depending on your environment, you might find it useful to identify some or all of the following: 

Results

It is highly probable that by using these searches, anomalous activity can be detected via abnormal JA3/s hashes. However, a number of factors could affect their success. Therefore, these searches are most effectively run in the following circumstances:

  • with an allow list that limits the number of perceived false positives.
  • against network connectivity that is not encrypted over SSL/TLS.
  • with internal hosts or netblocks that have limited outbound connectivity as a client. None of the searches will work effectively against internal source hosts used for general web browsing or hosts that routinely reach out to a multitude of external services via SSL/TLS sessions.
  • in networks without SSL/TLS interception or inspection. This is because an SSL/TLS interception device shows different handshake characteristics to the client making the request than the actual external server does.
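As an added example (not code from this article or from Splunk), the following Python shows the JA3/JA3s computation the scenario describes and the allow-list comparison the points above recommend; the handshake field values, hostnames and connection records are constructed for illustration, and the fourth record shows the server-fingerprint mismatch that interception produces.

```python
import hashlib

def is_grease(value):
    # GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are randomised per
    # connection and are excluded from JA3 so the fingerprint stays stable.
    return (value & 0x0f0f) == 0x0a0a and (value >> 8) == (value & 0xff)

def join_values(values):
    return "-".join(str(v) for v in values if not is_grease(v))

def ja3(version, ciphers, extensions, curves, point_formats):
    """JA3 string and MD5 for a parsed ClientHello (fields in JA3 order)."""
    s = ",".join([str(version), join_values(ciphers), join_values(extensions),
                  join_values(curves), join_values(point_formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

def ja3s(version, cipher, extensions):
    """JA3s string and MD5 for a parsed ServerHello."""
    s = ",".join([str(version), str(cipher), join_values(extensions)])
    return s, hashlib.md5(s.encode()).hexdigest()

def find_anomalies(records, allowed_ja3, allowed_ja3s):
    """Flag connections whose client or server fingerprint is not allow-listed."""
    flagged = []
    for r in records:
        reasons = []
        if r["ja3"] not in allowed_ja3:
            reasons.append("unknown client fingerprint")
        if r["ja3s"] not in allowed_ja3s:
            reasons.append("unknown server fingerprint")
        if reasons:
            flagged.append((r["src"], r["dest"], reasons))
    return flagged

# Constructed sample: a build host's usual package-fetch client talking to the
# internal artifact repository, plus traffic that looks nothing like it.
USUAL_CLIENT = ja3(771, [0x1a1a, 4865, 4866, 49195], [0x2a2a, 0, 10, 11, 13], [0x3a3a, 29, 23], [0])
USUAL_SERVER = ja3s(771, 4865, [0, 43, 51])
ODD_CLIENT = ja3(771, [47, 53], [0, 10], [23], [0])
ODD_SERVER = ja3s(771, 47, [65281])
RECORDS = [
    {"src": "build01", "dest": "repo.example.internal", "ja3": USUAL_CLIENT[1], "ja3s": USUAL_SERVER[1]},
    {"src": "build01", "dest": "repo.example.internal", "ja3": USUAL_CLIENT[1], "ja3s": USUAL_SERVER[1]},
    {"src": "build01", "dest": "203.0.113.10", "ja3": ODD_CLIENT[1], "ja3s": ODD_SERVER[1]},
    {"src": "build01", "dest": "repo.example.internal", "ja3": USUAL_CLIENT[1], "ja3s": ODD_SERVER[1]},
]
ALLOW_JA3 = {USUAL_CLIENT[1]}    # client fingerprints expected from build hosts
ALLOW_JA3S = {USUAL_SERVER[1]}   # server fingerprints expected from the repository

if __name__ == "__main__":
    for src, dest, why in find_anomalies(RECORDS, ALLOW_JA3, ALLOW_JA3S):
        print(f"{src} -> {dest}: {', '.join(why)}")
```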

Additional resources

The content in this guide comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. In addition, these Splunk resources might help you understand and implement this use case:
