White Paper
Detecting Supply Chain Attacks
Splunk’s white paper on using JA3 and JA3s hashes demonstrates an effective method to detect malicious activity on critical servers, particularly to combat supply chain attacks like SolarWinds. By leveraging network data and TLS fingerprinting via JA3/JA3s hashes—MD5 hashes of SSL/TLS handshake parameters—Splunk enables security teams to identify anomalous or previously unseen TLS client and server sessions that may indicate malicious communications. This approach, powered by tools like Zeek and integrated into Splunk’s analytics, provides high-fidelity detection of suspicious network behavior that traditional methods might miss, enhancing visibility and response capabilities against stealthy supply chain compromises.
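The fingerprinting and first-seen logic described above, as an added Python example that is not taken from the white paper or from Splunk's searches. It assumes Zeek `ssl.log`-style records carrying `id.orig_h`, `ja3` and `ja3s` fields (as produced when Zeek runs with a JA3 package); all handshake values, hosts and server names are constructed sample data.

```python
import hashlib

def is_grease(v):
    # RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are randomised by
    # clients and are excluded from JA3 so the fingerprint stays stable.
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def fp_string(fields):
    # Fields are comma-separated; values inside a field are dash-joined decimals.
    return ",".join("-".join(str(v) for v in f if not is_grease(v)) for f in fields)

def ja3_string(version, ciphers, extensions, curves, point_formats):
    return fp_string([[version], ciphers, extensions, curves, point_formats])

def ja3(*client_hello):
    # JA3: MD5 over the ClientHello parameters.
    return hashlib.md5(ja3_string(*client_hello).encode()).hexdigest()

def ja3s(version, cipher, extensions):
    # JA3S: MD5 over the ServerHello version, chosen cipher and extensions.
    return hashlib.md5(fp_string([[version], [cipher], extensions]).encode()).hexdigest()

def first_seen(baseline, window, critical_hosts):
    """Events from critical hosts whose (host, ja3, ja3s) is absent from the baseline."""
    known = {(e["id.orig_h"], e["ja3"], e["ja3s"]) for e in baseline}
    alerts = []
    for e in window:
        key = (e["id.orig_h"], e["ja3"], e["ja3s"])
        if e["id.orig_h"] in critical_hosts and key not in known:
            alerts.append(e)
            known.add(key)  # alert once per new fingerprint pair
    return alerts

# Constructed sample data (not from the white paper).
UPDATER = ja3(771, [4865, 4866, 49195], [0, 11, 10, 35], [29, 23, 24], [0])
UNKNOWN = ja3(771, [49196, 49200, 157], [0, 10, 11, 13], [23, 24], [0])
SRV_A, SRV_B = ja3s(771, 4865, [43, 51]), ja3s(771, 49200, [65281, 11])

def ev(host, c, s, sni):
    return {"id.orig_h": host, "ja3": c, "ja3s": s, "server_name": sni}

BASELINE = [ev("10.0.0.5", UPDATER, SRV_A, "updates.example.com"),
            ev("10.0.0.9", UNKNOWN, SRV_B, "cdn.example.net")]
WINDOW = [ev("10.0.0.5", UPDATER, SRV_A, "updates.example.com"),
          ev("10.0.0.5", UNKNOWN, SRV_B, "cdn.example.net"),
          ev("10.0.0.5", UNKNOWN, SRV_B, "cdn.example.net"),
          ev("10.0.0.9", UNKNOWN, SRV_B, "cdn.example.net")]

if __name__ == "__main__":
    for a in first_seen(BASELINE, WINDOW, {"10.0.0.5"}):
        print("first-seen TLS pair on critical host:", a)
```

The baseline is keyed per host, so a fingerprint pair that is routine on a workstation still alerts the first time it appears on a critical server.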