Your organization develops software and you are responsible for threat hunting within it. You have become aware of the increasing frequency of software supply chain attacks which threaten your source codes, build processes, and update mechanisms by infecting legitimate apps to distribute malware. Detecting these attacks, however, is not easy - your organization uses a wide range of software, services, infrastructure and people within the development of your software, making it difficult to apply detection techniques across them. You are aware of the JA3 open-source methodology that allows for creating an MD5 hash of specific values found in the SSL/TLS handshake process. You also know that both JA3 and JA3s are easily obtained from network traffic using various tools. You want to leverage JA3/s hashes as a high fidelity data point to bring anomalous activity close to the forefront.
How to use Splunk software for this use case
Depending on your environment, you might find it useful to identify some or all of the following:
It is highly probable that by using these searches, anomalous activity can be detected via abnormal JA3/s hashes. However, a number of factors that could affect the success. Therefore, these searches are most effectively run in the following circumstances:
- with an allow list that limits the number of perceived false positives.
- against network connectivity that is not encrypted over SSL/TLS.
- with internal hosts or netblocks that have limited outbound connectivity as a client. None of the searches will work effectively against internal source hosts used for general web browsing or hosts that routinely reach out to a multitude of external services via SSL/TLS sessions.
- in networks without SSL/TLS interceptions or inspection. This is because SSL/TLS interceptions show different characteristics than the actual external server to the client making the request.
The content in this guide comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. In addition, these Splunk resources might help you understand and implement this use case:
- .Conf Talk: Hunting the known unknown - Software supply chain attacks
- Whitepaper: Detecting supply chain attacks
- GitHub: Hunting the known unknown -- Software supply chain attack
Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.