
Threat hunting without decryption using JA4+ fingerprinting 

Category: News
Published: 12th December 2025

If you’re involved with cyber threat hunting, you may have heard about JA3 fingerprinting. In short, a JA3 fingerprint is a unique ID created from information sent by the client at the start of a TLS connection.  

It uses details like SSL version, cipher suites, and extensions, then hashes them into a 32-character string. And because it’s difficult to spoof, it’s commonly used to spot bots or malicious software more reliably than user-agent strings. 

However, the introduction of new protocols and changes in how applications negotiate encrypted traffic have exposed limitations in JA3 for threat hunting. 

Fortunately, JA4+ represents the next major advancement in network-traffic fingerprinting for threat hunting. JA3 concentrated on the TLS handshake, but JA4+ broadens the approach to capture a wider range of network-layer behaviours. This expanded scope gives analysts a fuller picture of network activity and improves the ability to spot advanced threats and sophisticated adversaries. 

As the creator (John Althouse) noted in an interview with Hunt.io, “There will finally be a fingerprint database with curated data and API access. JA4+ allows for passive network detection of a wide range of threats, not just malware.” 

And if you want to incorporate JA4+ fingerprinting into your security stack, our NetQuest Streaming Network Sensors can analyse encrypted traffic and generate JA4+ fingerprints, signatures, and heuristics.  

This accelerates threat detection, uncovers indicators of compromise, and reveals threats hiding in encrypted traffic without the cost or latency associated with decryption.