HYAS Blog

Elevate Your Threat Hunting with JARM

Written by David Ratner | July 13, 2023

The Evolving Cyber Threat Landscape

We live in a world today where nefarious actors are well-organized, well-funded, and constantly evolving their techniques. It’s impossible to ensure that any and all attacks can be blocked at the organization’s four walls, and an experienced attacker may have evolved their tradecraft and approach to make it nearly flawless and incredibly difficult to track and attribute. However, they may not have been as experienced in the past – they may have made mistakes or left breadcrumbs behind during previous attacks or tradecraft buildup – and if you can build linkages between what has happened to what is happening, then you can accurately predict what will happen and move a cyber defense program from reactive to proactive. 

Tracing the Past, Anticipating the Future

All attacks today, whether based on malware or malware-less, utilize adversary infrastructure that was established and setup in advance for instructions and overall command-and-control. Even with only a single indicator of compromise (IOC), if you have the right data available, you can see the linkages and correlations not only to other IOCs related to past attacks but discover new IOCs that highlight infrastructure and attacks that have not yet been released or even weaponized.

Harnessing the Power of HYAS Insight

This is exactly what HYAS Insight does and why clients around the world utilize it as part of their critical processes for threat and fraud investigations. Part of the power of HYAS Insight comes from the bespoke, unique, and in some cases exclusive data that HYAS collects, and part of its power comes from how that data is organized into a graph database to build the linkages, connections, and correlations between different IOCs and infrastructure.

Need to speed up investigations? Learn:
How Anti-Human Trafficking Initiative Utilizes HYAS Insight-Saving Weeks of Investigation Time

HYAS research doesn’t only focus on how to make HYAS Insight easier to use; we’re also focused on what other data could enrich and contextualize existing intelligence, and how to build associations across that intelligence.

JARM: A Game-Changing Data Element

Today we’re thrilled to announce a brand-new feature in HYAS Insight which does exactly that – a new type of data that can be quickly and easily utilized by analysts and users of HYAS Insight to discover related infrastructure, map out the complete campaign architecture, and discover related IOCs even more quickly than before. It focuses on the use of JARM as an additional data element in the graph database.

Understanding the Mechanics: TLS and JARM

Before learning how JARM works, it’s important to understand how TLS works. TLS and its predecessor, SSL, are used to encrypt communication for both common connections like to a normal website and nefarious connections, as used by malware. To initiate a TLS session, a client will send a TLS Client Hello message following the TCP 3-way handshake. This packet and the way in which it is generated is dependent on packages and methods used when building the client application. The manner in which the server responds with a “Server Hello” response for any given Client Hello will vary based on a number of different factors – and the fact that it differs in different situations based on aspects of how the OS and libraries are put together and installed means that it can be used as a fingerprint of sorts.

JARM works by actively sending 10 TLS Client Hello packets to a target TLS server, capturing specific attributes of the TLS Server Hello responses, and hashing them together to form a JARM fingerprint. In simplistic terms, if two JARM fingerprints match, it is highly likely that the two servers were setup, installed, and configured in the same way, and thus likely by the same person or group. If one is known to be nefarious and owned/controlled by a bad actor group, the other most likely is as well.

The Value of the JARM Fingerprint

By including the JARM data and the ability to pivot on a JARM fingerprint in HYAS Insight, HYAS not only expands the mechanisms available to discover related infrastructure and IOCs but also implements a new entry point into the graph database and a new starting point for an investigation.

Speeding Up Investigations with JARM

With clients already saying that HYAS Insight speeds their investigations by a factor of three, the new capabilities exposed via the JARM fingerprint will only improve this metric.

Leveraging HYAS Insight’s Unique Data

HYAS Insight exposes its unique data, including the JARM fingerprint, as both a SaaS application as well as via a JSON API for integration into both commercial and proprietary systems for visualization, data enrichment, and other use cases. For more information, a demonstration, or to get access for a trial, please contact HYAS.

Happy hunting!

Are you ready to protect yourself in a more dangerous cyber landscape? Move your business forward with HYAS today.