JA4: Decoding Cyber Shadows
September 28, 2023 - Sara Jelen
In the ever-evolving world of cybersecurity, few individuals embody the spirit of innovation and exploration as profoundly as John Althouse. His journey, marked by curiosity and a passion for unraveling the intricacies of the digital world, began in the playful rebelliousness of a high school computer club, where the thrill was not in the access gained but in the journey to achieve it. This playful exploration laid the foundation for a career that would see John at the forefront of cybersecurity and threat hunting, developing pioneering tools and techniques to navigate and secure the cyber frontier.
John’s recent endeavors have been centered around threat hunting, with a focus on developing innovative network fingerprinting techniques, such as JA4+ , a successor to JA3, a TLS Client Fingerprinting standard, which has seen widespread adoption in the industry.
In this interview, John Althouse shares insights into his groundbreaking projects, his approach to threat hunting, and his vision for FoxIO , a technology innovations company he founded.
John’s journey is not just about the pursuit of innovative solutions but also about mentoring and inspiring the next generation of cybersecurity professionals. His story is a testament to the relentless pursuit of knowledge, the importance of staying relevant in a rapidly changing landscape, and the fulfillment derived from making the seemingly impossible, possible. Whether it’s exploring new domains for fingerprinting or addressing the most pressing cyber threats organizations face today, John Althouse continues to push the boundaries, challenging the status quo and shaping the future of cybersecurity.
Can you tell us about your journey and how you embarked on a career in cybersecurity and threat hunting?
*checks statute of limitations* Yes, I can!
John: When I was in high school, I was part of a “Computer Club.” We were really just a bunch of hacker kids inspired by Mitnick and 2600. We figured out ways of bypassing all of the security systems, developing our own tools and gaining access to every system in the school. What did we do with this limitless access? Change grades or attendance? We installed Counter-Strike on the central server so we could play from any computer. We used it to play video games. The goal was not the access or what we could do with it, it was the journey to get there.
We eventually told the school about the security issues and worked with them to develop solutions. We were fortunate that they treated it like a pentesting engagement, happily taking our feedback. You have to understand, it was a different time, when “cyber” meant something else and LAN parties were a thing. I sure wouldn’t do it now, but that was a fun start into the world of cyber security.
Your recent research seems to focus on threat hunting. Could you give us an overview of your latest findings or projects in this area?
John: My current project is JA4+, which is a suite of new network fingerprinting techniques. With it, we’ve been able to identify threat actor infrastructure, malware, session hijacking, bot traffic, malicious clients and access points, the lot.
JA3 was a success. What is the purpose of JA4?
John: A little background: JA3 is a TLS Client Fingerprinting standard released in 2017 by myself, Josh Atkins and Jeff Atkinson. JA3 allowed for the passive identification of client applications without the need to break TLS, this made it possible to detect TLS-based malware on the network. JA3/S was released a year later allowing for the fingerprinting of TLS connections between clients and servers, vastly increasing detection fidelity. JA3/S has been built into products including Greynoise, AWS, Cloudflare, Azure, Google, and many more.
In 2020 JARM, an active TLS server fingerprinting tool, was released by myself, Andrew Smart, RJ Nunnally, and Mike Brady. JARM also has wide adoption in the industry, built into products such as Hunt, runZero, Censys, Palo Alto Networks, Google and many more.
As these tools were never more than side projects and hack-a-thon efforts in a company that had other priorities, they unfortunately did not have the dedicated ownership necessary to support them over the years. As such, issues and pull requests would go unanswered and JA3’s value diminished. With it, the industry started pulling away from network analysis being the tip of the security spear and moved toward flow logs being good enough.
JA4+ brings new methods of fingerprinting for not just TLS but a ton of protocols with new methods being added regularly. There is now dedicated support to ensure the programs and methods are supported, updated, and feedback implemented. There will finally be a fingerprint database with curated data and API access. JA4+ allows for passive network detection of a wide range of threats, not just malware.
The purpose of JA4+ is to bring the sexy back to network security monitoring.
Threat hunting is an ever-evolving domain. How do you ensure your research remains relevant and effective amidst the rapidly changing cybersecurity landscape?
John: It is and has always been a cat and mouse game. There are always ways to get around particular detections and there are always ways to detect those workarounds. It’s just a matter of putting in the time and effort to find them.
What other things are you interested in fingerprinting?
John: Everywhere that there is a threat and a pattern to the noise, I am interested. The challenge is usually not in finding the pattern but in distilling the information down to an easily understandable and consumable fingerprint. One that an analyst can eyeball and say, “I know what that is.”
Next up I’ll be looking into active HTTP server fingerprinting, wireless devices, and IPv6. I also have an idea on how to fingerprint satellite communication, which will be fun to work on.
What is FoxIO and how does that fit into your vision?
John: FoxIO is a technology innovations company that I founded. This is where we come up with solutions to major industry problems and release them under the FoxIO License. It’s like a think tank where any idea is welcome, we then develop those ideas and license them.
The FoxIO License is a simple, human readable two page license that is permissive for most use cases including for internal business purposes, allowing organizations to utilize FoxIO innovations internally for free. It is not permissive for monetization, however. So if an organization wants to implement a FoxIO innovation into their product, they just need to purchase an OEM license from us. It is through the sale of these OEM licenses that FoxIO is able to continue operating and innovating.
What kind of things can these fingerprints be used for?
John: Microsoft has been seeing a lot of APT activity using SoftEther VPN and Google has been seeing a lot of session hijacking happening lately. Given that these companies are considered to be the best of the best and yet they’ve struggled with these items, I focused on them, working to develop solutions to these complex problems. That’s JA4+ and it works, able to identify all of these things.
What is the most interesting use case you didn’t expect for the fingerprints you’ve designed?
John: I never expected JARM to turn into a Hack The Box target. They had a tool called Jarmis that would scan a destination with JARM, report back the fingerprint and check it against a known-bad list. If known-bad, it would send a followup request to confirm. It is this followup request that 0xdf was able to exploit to gain root on the scanning system. It’s a really interesting read!
As a prominent figure in the cybersecurity community, how do you encourage and mentor aspiring professionals who wish to enter the field of threat hunting?
John: I try to respond to everyone who reaches out to me asking questions. The important thing to remember in threat hunting and detection is that there is always a way to identify the threats. There’s always a solution somewhere, it’s just a matter of finding it. Probably the most motivating sentence in my career was when a speaker at DEFCON, speaking about their latest red team tool, said, “and it can’t be detected.”
I give credit to W, who was the most influential mentor to how I approach problems. It’s a lot of his way of thinking that I try to pass on. If you know W, you know.
In your experience, what are some of the most significant cyber threats that organizations face today, and how does threat hunting play a role in mitigating these risks?
John: For most organizations, social engineering leading to cloud account takeovers is the primary threat. Sometimes the account is taken over by malware on the client system, stealing the session token. Sometimes the threat actor convinces the user to connect through a MitM box which steals the session token. Sometimes the threat actor utilizes a remote desktop program to watch or interact with the user’s machine.
In any case, hunting for fingerprints of C2 connections, non-approved applications, and unusual fingerprints, not just in corporate network logs but also in cloud application logs, can identify these threats allowing for mitigation and raising the barrier of entry for threat actors.
It’s impossible to be hack proof. But you can make it such a PitA that it’s not worth the effort.
Your career has spanned various roles, from research to technical leadership. How do you balance these different aspects, and what do you find most fulfilling about your work?
John: I enjoy both research and technical leadership. The best is when I can do both at the same time. Probably the most fun I’ve had in my career was in developing JARM with Andrew Smart, RJ Nunnally, and Mike Brady. We created an internal video on it that started with the seemingly impossible statement that, “JARM can detect threats before they happen.” Which sounds ridiculous but then at the end of the video, it was clear that this was actually possible. It is in making the seemingly impossible actually trivial and sharing those solutions with the world that I find most fulfilling.
What are your hobbies outside of technology innovation?
John: I volunteer as a race track instructor with BMW CCA and a driving instructor with Teen Street Survival. On the track, I sit in the passenger seat while my student drives at around 140 mph into turn one, helping them to develop their driving skills. With Street Survival, I sit in the passenger seat instructing my student through scary maneuvers like high speed emergency lane changes. And we keep doing them until they’re no longer scary. In both cases, the goal is to help people gain the skills that could one day save their lives, or lives of others.
I also like custom building computers, home automation, home theaters, I think I have too many hobbies.
Sara believes the human element is often at the core of all cybersecurity issues. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.It’s this perspective that brings a refreshing voice to her interviews.