Introducing JA4+ Support in Webscout: Elevating Threat Detection with Advanced Network Fingerprinting

Webscout

3 min read
Introducing JA4+ Support in Webscout: Elevating Threat Detection with Advanced Network Fingerprinting
Fiber optics. Credit: JJ Yingjjying

We are proud to announce that Webscout now supports JA4+, a suite of advanced network profiling techniques developed by FoxIO's John Althouse. Building upon the highly successful JA3 fingerprinting standard, JA4+ enhances our ability to detect threats, track adversaries, and make sense of network traffic at scale. This upgrade has already helped us to identify several late-stage breaches in critical infrastructure.

What is JA4+?

JA4+ is a comprehensive suite of network profiling and fingerprinting methods of various internet protocols. Building on the foundation of JA3, JA4+ provides more detailed and adaptable fingerprints that are both human- and machine-readable. This facilitates improved threat hunting and analysis by capturing intricate details of both client and server communications.

The JA4+ suite includes:

  • JA4: Focuses on TLS client fingerprinting, capturing details from the client's initial handshake in both TCP and QUIC protocols.
  • JA4S: Targets TLS server response fingerprinting, analyzing the server's response during the TLS handshake.
  • JA4H: Pertains to HTTP client fingerprinting, examining HTTP request headers to identify client characteristics.
  • JA4L: Measures client-to-server latency, providing insights into network performance and potential anomalies.
  • JA4X: Involves X.509 TLS certificate fingerprinting, aiding in the identification of specific certificates used in secure communications.
  • JA4SSH: Focuses on SSH traffic fingerprinting, analyzing SSH protocol details to identify clients and servers.
  • JA4T: Pertains to TCP client fingerprinting, capturing TCP options to identify operating system and device characteristics.
  • JA4TS: Targets TCP server response fingerprinting, analyzing the server's TCP response characteristics.
  • JA4TScan: A JA4t fingerprint based on active scanning.

Please refer to these sources for more in-depth presentations of the JA4+ fingerprint suite:

JA4+ Network Fingerprinting
TL;DR
John AlthouseJohn Althouse

The fingerprints are modular and extensible, allowing for tailored implementations based on specific security needs. The amount of applications is vast, including malware detection, session hijacking prevention, compliance automation, location tracking, and DDoS detection. More on that in the following section.

Benefits of JA4+

One of the most powerful features of the JA4+ suite is the base JA4 fingerprint and its ability to see through TLS-encrypted traffic by classifying and grouping deep protocol-specific variables. When combined, these variables generate a unique view into the client that initiated the encrypted session. This capability enhances our threat detection by providing granular insights into encrypted communications without decrypting the traffic.

For example:

  • The JA4 fingerprint of the Sliver malware is t13d190900_9dc949149365_97f8aa674fd9.
  • The JA4 fingerprint of Evilginx is t13d191000_9dc949149365_e7c285222651

These fingerprints enable us to identify and track specific malware variants and threat actors with much greater precision and granularity. Other use cases include scanning for malicious infrastructure, reverse shell detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, and grouping of threat actors.

Webscout's Implementation

We have integrated the JA4+ suite into two key data collection sources:

  1. Honeypot Nodes: Our network of honeypot nodes now leverages JA4+ to capture detailed fingerprints of malicious actors interacting with these traps. These fingerprints are live and available for anyone to query on Webscout.io.
  2. Network Sensors: Our sensors that monitor netflow across various points on the internet have been upgraded with JA4+ capabilities. This enhancement allows us to analyze network traffic at scale, identifying anomalies and potential threats in real-time. Access to netflow fingerprints is reserved for paying customers and trusted partners.

Going Forward

We are currently collaborating with John Althouse on a refined JA4TScan fingerprint. This new implementation will be developed in Rust for performance and reliability and will be integrated into our internet-wide scanning once completed. This ongoing partnership ensures that we remain at the forefront of network fingerprinting technology.

Final Words

It is humbling to see Webscout among the organizations supporting JA4+, alongside industry leaders such as Censys, Cloudflare, and AWS. We extend our sincere gratitude to John Althouse for his invaluable contributions to the security community and for his continued support and feedback on our implementations. We encourage everyone to check out FoxIO to explore their offerings.

Thank you for your continued trust in Webscout.

— The Webscout Team