This section describes additional or recently added netconn metadata in Carbon Black EDR. It specifically describes TLS fingerprinting.

Overview of TLS Fingerprinting

Transport Layer Security (TLS) fingerprinting is a platform-independent method for creating TLS fingerprints that can easily be shared for improved threat intelligence. TLS fingerprints are properties of a netconn event for TCP connectivity only.

JA3 and JA3S are TLS fingerprinting methods. JA3 fingerprints how a client application communicates over TLS, and JA3S fingerprints the server response. Combined, they create a fingerprint of the cryptographic negotiation between client and server.

JA3, when used in combination with JA3S, is a useful method to fingerprint a TLS negotiation between client and server. When used in conjunction with a process hash, even greater fidelity can be achieved. For example, some Peer-to-Peer (P2P) client connections can be tracked via TLS fingerprinting. This can be used to correlate an application if the binary and/or process metadata has been changed to avoid more direct forms of identification. Additionally, commodity malware variants often re-use cryptographic information, resulting in a common JA3 hash across families.