External Threat Management Analyst

RiskIQ’s New JARM Feature Supercharges Incident Response

There will be many more breaches like the one of SolarWinds. 

Moving into 2021 and beyond, the ability to view your organization from the outside-in, as attackers do, will be the best defense against these internet-scale attacks by advanced APTs. FireEye and other security experts analyzing early information on SunBurst have said mass scanning and internet-scale data are critical to incident response efforts. This real-time global visibility shows security teams if their organization is affected and helps uncover attacker fingerprints on the network. 

RiskIQ is helping organizations respond to attacks like SunBurst with our Internet Intelligence Graph, built by mapping the Internet via over ten years of crawling and mass scanning. Our brand new JARM feature will help incident responders quickly query this graph, putting the world’s largest index of applications, components, and behaviors at their fingertips for a smarter, faster response.

JARM is an active Transport Layer Security (TLS) server fingerprinting tool. RiskIQ's JARM feature harnesses our mass scanning capabilities to find specific JARM fingerprints across the Internet to detect the presence of attacker-owned servers, such as SolarWinds and Cobalt Strike, on a global scale. 

JARM will instantly shrink the area of what incident responders have to search for once an attack takes place and tie together attacker infrastructure to help analysts understand the scope of a breach and block attacks. 

According to a blog by SalesForce engineering, JARM fingerprints can be used to:

  • Quickly verify that all servers in a group have the same TLS configuration.
  • Group disparate servers on the Internet by configuration, identifying that a server may belong to a certain threat actor.
  • Identify default applications or infrastructure.
  • Identify malware command and control infrastructure and other malicious servers on the Internet.

RiskIQ’s JARM scans are indexed and searchable in the 'Trackers' tab of PassiveTotal. 

Cobalt Strike is one of the most widely used threat emulation software packages used by infosec red teams, but exploitation techniques also make it a super useful tool for hackers. Below is an example of a JARM search for Cobalt Strike servers in RiskIQ PassiveTotal:

Querying Cobalt Strike servers in RiskIQ PassiveTotal

RiskIQ also supports searching by the 30-character first section of JARM hashes representing the "Fuzzy" hash and the trailing 32 characters of the hashed extensions. In RiskIQ PassiveTotal, they're also shown in the 'Trackers' tab as JarmHash, JarmExtensionHash, and JarmFuzzyHash:

Querying Cobalt Strike hashes in RiskIQ PassiveTotal

PassiveTotal users can then pivot across our expansive Passive DNS data set to build out attacker infrastructure and advance their investigation:

Pivoting across Passive DNS to build out an investigation

Contact Us Today

The cybersecurity community is picking up the pieces from the SolarWinds hack, but we mustn't let our guard down. As we patch up our attack surfaces, we must look at the hack for what it is—not a one-off attack, but the dawning of a new age of internet-scale cyberthreats by advanced threat actors.

Contact us today to find out how RiskIQ can help you manage your attack surface with this critical threat at large, and Join the RiskIQ Community for threat intelligence and indicators across the global attack surface.

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor