<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - SOC 2</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/soc-2.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2023-11-09T00:00:00+11:00</updated><entry><title>A Tale Of Two Scoring Systems</title><link href="https://www.peakhour.io/blog/a-tale-of-two-scoring-systems-and-atlassian-confluence/" rel="alternate"></link><published>2023-11-08T00:00:00+11:00</published><updated>2023-11-09T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-11-08:/blog/a-tale-of-two-scoring-systems-and-atlassian-confluence/</id><summary type="html">&lt;p&gt;Reviewing the CVSS an EPSS CVE scoring systems in light of the Atlassian Confluence-Aggedon&lt;/p&gt;</summary><content type="html">&lt;p&gt;When exploits started targeting Atlassian Confluence - CVE-2023-22515 and CVE-2023-22518 - I needed to understand the risk quickly. Confluence is widely deployed, including by Peakhour clients, so the immediate question was what practical advice we could give them.&lt;/p&gt;
&lt;p&gt;I started with &lt;a href="https://confluence.atlassian.com/security/cve-2023-22515-broken-access-control-vulnerability-in-confluence-data-center-and-server-1295682276.html"&gt;CVE-2023-22515&lt;/a&gt; and &lt;a href="https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html"&gt;CVE-2023-22518&lt;/a&gt;. These were not minor bugs. Attackers could create unauthorised admin accounts, which puts the confidentiality, integrity, and availability of Confluence data directly at risk.&lt;/p&gt;
&lt;p&gt;Paul from &lt;a href="https://www.securestack.com"&gt;Secure Stack&lt;/a&gt; has already done an excellent analysis of the situation and identified the likely &lt;a href="https://securestack.com/confluence-aggedon/"&gt;scope of the problem&lt;/a&gt;. It is worth reading for background; the timeline below is unashamedly lifted from that article.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The Timeline So Far&lt;/strong&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;CVE-2023-22515 Impact Analysis:&lt;/strong&gt; This bug initially hit versions 8.0.x to 8.5.3 of Confluence Server and Data Center products. The cloud SaaS versions were spared. Given Confluence's use in large organisations that do not always update quickly, the scope was still large.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Dealing with CVE-2023-22518:&lt;/strong&gt; A week later, CVE-2023-22518 appeared. It started with a CVSS score of 9.1 and affected every single version of Confluence ever released. That put organisations outside the first CVE's affected range back in scope.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;The Severity Upgrade of CVE-2023-22518:&lt;/strong&gt; On November 7th, 2023, Atlassian raised the severity of CVE-2023-22518 to a CVSS score of 10. Ransomware exploitation had been detected and, like CVE-2023-22515, it allowed the creation of admin accounts.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Looking to EPSS for advice&lt;/h3&gt;
&lt;p&gt;For these CVEs, I leaned heavily on the &lt;a href="https://www.first.org/epss/"&gt;Exploit Prediction Scoring System (EPSS)&lt;/a&gt;. EPSS combines CVE information with real-world exploitation data. It estimates the likelihood of a CVE being exploited in the next 30 days and returns a score between 0 and 1 - the higher the score, the higher the risk. Read more about the applicability
of &lt;a href="/blog/epss-explained/"&gt;EPSS&lt;/a&gt; for scoring vulnerabilities.&lt;/p&gt;
&lt;h4&gt;EPSS Score Changes I Observed&lt;/h4&gt;
&lt;p&gt;A major update landed on October 10, 2023, when new &lt;a href="/products/ip-intelligence/"&gt;threat intelligence&lt;/a&gt; came in. The EPSS score for CVE-2023-22515 moved sharply after October 10th, indicating a higher threat level due to active exploitation.&lt;/p&gt;
&lt;p&gt;As seen in the descending date table:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Date&lt;/th&gt;
&lt;th&gt;EPSS Score&lt;/th&gt;
&lt;th&gt;Percentile&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;2023-10-13&lt;/td&gt;
&lt;td&gt;0.93527&lt;/td&gt;
&lt;td&gt;0.98809&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-10-12&lt;/td&gt;
&lt;td&gt;0.93527&lt;/td&gt;
&lt;td&gt;0.98809&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-10-11&lt;/td&gt;
&lt;td&gt;0.93527&lt;/td&gt;
&lt;td&gt;0.98808&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-10-10&lt;/td&gt;
&lt;td&gt;0.00126&lt;/td&gt;
&lt;td&gt;0.46728&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-10-09&lt;/td&gt;
&lt;td&gt;0.00126&lt;/td&gt;
&lt;td&gt;0.46716&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;CVE-2023-22518 was still moving, with a score change the day before publication:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Date&lt;/th&gt;
&lt;th&gt;EPSS Score&lt;/th&gt;
&lt;th&gt;Percentile&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-08&lt;/td&gt;
&lt;td&gt;0.01852&lt;/td&gt;
&lt;td&gt;0.86954&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-07&lt;/td&gt;
&lt;td&gt;0.00061&lt;/td&gt;
&lt;td&gt;0.24385&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-06&lt;/td&gt;
&lt;td&gt;0.00054&lt;/td&gt;
&lt;td&gt;0.20098&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-05&lt;/td&gt;
&lt;td&gt;0.00054&lt;/td&gt;
&lt;td&gt;0.20099&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-03&lt;/td&gt;
&lt;td&gt;0.00054&lt;/td&gt;
&lt;td&gt;0.20098&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-02&lt;/td&gt;
&lt;td&gt;0.00043&lt;/td&gt;
&lt;td&gt;0.07260&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023-11-01&lt;/td&gt;
&lt;td&gt;0.00043&lt;/td&gt;
&lt;td&gt;0.07283&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;This table shows a significant increase in the EPSS score from November 1st to November 8th, indicating an escalating likelihood of exploitation.&lt;/p&gt;
&lt;h4&gt;Making Sense of the EPSS Score Changes&lt;/h4&gt;
&lt;p&gt;These shifts in EPSS scores tied in with Atlassian's vendor changelog reports:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;31 Oct 2023:&lt;/strong&gt; Atlassian's CISO sent an alert about significant data loss potential. No active exploits were reported yet, but the warning was clear.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;02 Nov 2023:&lt;/strong&gt; Critical information about the vulnerability was posted publicly, increasing the risk of exploitation.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;03 Nov 2023:&lt;/strong&gt; A customer reported an active exploit. That was a clear signal for anyone who had not patched.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;06 Nov 2023:&lt;/strong&gt; Several active exploits and ransomware uses were observed, leading to the CVSS score escalation for CVE-2023-22518.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I also checked the &lt;a href="/blog/confluence-cvss-vectors/"&gt;CVSS&lt;/a&gt; scores. For CVE-2023-22515, it stood at a perfect 10.0. The EPSS score for CVE-2023-22518 also showed notable fluctuations, reflecting an increasing likelihood of exploitation.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;EPSS vs. CVSS in My Vulnerability Management Approach&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;I use EPSS as a gauge of exploitation probability. It is threat-focused, but it is not the whole picture. Asset accessibility, vulnerability type, and asset value also matter. I use EPSS alongside CVSS to get a clearer view of what we are dealing with. It is also useful to see how the CVSS scores map to EPSS severity.&lt;/p&gt;
&lt;p&gt;&lt;img alt="CVSS vs EPSS" src="/static/images/blog/cvss-epss-sankey.jpg"&gt;&lt;/p&gt;
&lt;h3&gt;Are Peakhour Clients Protected?&lt;/h3&gt;
&lt;p&gt;With the public exploit information in hand, I turned to ClickHouse to see what was happening in practice. We quickly observed active scanning. Our IP Reputation lists were also categorising those IPs, so clients using the lists correctly had another control to keep these requests away from exposed services.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;This is an active list of IPs we are seeing probing for CVE-2023-2215&lt;/strong&gt;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Client IP&lt;/th&gt;
&lt;th&gt;IP Reputation Category&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;178.250.189.169&lt;/td&gt;
&lt;td&gt;hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;185.220.101.57&lt;/td&gt;
&lt;td&gt;other, dos, spam, attacks, tor, hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;193.187.172.73&lt;/td&gt;
&lt;td&gt;hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;45.134.26.2&lt;/td&gt;
&lt;td&gt;other&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;45.94.211.81&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;46.231.179.42&lt;/td&gt;
&lt;td&gt;datacenter, hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;46.38.255.27&lt;/td&gt;
&lt;td&gt;other, dos, spam, attacks, tor, hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;95.111.246.11&lt;/td&gt;
&lt;td&gt;datacenter, hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;95.85.78.75&lt;/td&gt;
&lt;td&gt;datacenter, hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;img alt="Graph" src="/static/images/blog/atlassian-scan-graph.png"&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;This is a larger list probing for already compromised instances&lt;/strong&gt;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Client IP&lt;/th&gt;
&lt;th&gt;IP Reputation Categories&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;104.234.140.11&lt;/td&gt;
&lt;td&gt;webattacks, hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;104.234.140.21&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;104.234.140.4&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;104.234.140.8&lt;/td&gt;
&lt;td&gt;webattacks, hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;144.172.76.65&lt;/td&gt;
&lt;td&gt;hosting, datacenter, attacks&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;162.240.159.247&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;172.233.176.52&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;178.250.189.169&lt;/td&gt;
&lt;td&gt;hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;185.220.101.57&lt;/td&gt;
&lt;td&gt;other, dos, spam, attacks, tor, hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;193.187.172.73&lt;/td&gt;
&lt;td&gt;hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;193.29.56.19&lt;/td&gt;
&lt;td&gt;hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;20.68.177.203&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;203.145.142.86&lt;/td&gt;
&lt;td&gt;attacks, bots&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;37.221.173.253&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;45.134.26.2&lt;/td&gt;
&lt;td&gt;other&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;45.248.160.61&lt;/td&gt;
&lt;td&gt;bots&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;45.94.211.81&lt;/td&gt;
&lt;td&gt;hoisting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;46.231.179.42&lt;/td&gt;
&lt;td&gt;datacenter, hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;46.38.255.27&lt;/td&gt;
&lt;td&gt;other, dos, spam, attacks, tor, hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;54.161.151.64&lt;/td&gt;
&lt;td&gt;hosting, datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;92.119.179.90&lt;/td&gt;
&lt;td&gt;datacenter&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;95.111.246.11&lt;/td&gt;
&lt;td&gt;datacenter, hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;95.85.78.75&lt;/td&gt;
&lt;td&gt;datacenter, hosting&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;img alt="Graph" src="/static/images/blog/atlassian-scan-exploited-graph.png"&gt;&lt;/p&gt;
&lt;p&gt;This is where real-time threat intelligence earns its place in active security controls. It helps keep you under the radar and gives you early intelligence on the actors probing your applications.&lt;/p&gt;
&lt;p&gt;We also saw evidence of follow-up attacks after the scan.&lt;/p&gt;
&lt;p&gt;&lt;img alt="Waf Hits" src="/static/images/blog/confluence-waf-hits.png"&gt;&lt;/p&gt;
&lt;h3&gt;What other protections could be applied&lt;/h3&gt;
&lt;p&gt;Bot mitigation and web application firewalls (WAFs) still matter here. Bot controls help block automated abuse, including credential stuffing, scraping, and DDoS attacks. They also help distinguish legitimate human traffic from automated traffic, reducing the chance that malicious bots can exploit vulnerabilities still waiting to be patched or worked through the backlog.&lt;/p&gt;
&lt;p&gt;Web Application Firewalls provide a separate enforcement point for web applications. They monitor, filter, and block potentially harmful requests using predefined or customisable rules, including rules for common web-based attacks such as &lt;a href="/products/waf/"&gt;SQL injection&lt;/a&gt;, cross-site scripting (XSS), and other attacks that exploit known vulnerabilities. WAF rules can be adjusted quickly as threats change. Together, bot mitigation and WAFs improve an organisation's ability to reduce exposure across a wide range of web threats.&lt;/p&gt;
&lt;h3&gt;Addressing the Backlog of Security Vulnerabilities and Patch Timelines&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;The Challenge of a Growing Vulnerability Backlog&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Many security teams are dealing with a growing vulnerability backlog. The data is uncomfortable: 47% of security leaders report having a backlog of applications identified as vulnerable. More concerning, 66% state their backlog includes over 100,000 vulnerabilities. That accumulation matters because vulnerabilities are potential entry points for cyberattacks.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Patching Pace vs. Vulnerability Escalation&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Compare that with the escalation timeline from the EPSS and CVSS data. CVE-2023-22515 and CVE-2023-22518 are useful examples:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;CVE-2023-22515 and CVE-2023-22518 Escalation:&lt;/strong&gt; These vulnerabilities escalated quickly in severity and exploitability. For instance, CVE-2023-22518's CVSS score escalated to 10, and its EPSS probability score indicated a high likelihood of exploitation shortly after discovery.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Patch Timelines:&lt;/strong&gt; The data indicates that 78% of respondents take longer than 3 weeks to patch high-risk vulnerabilities, with 29% needing more than 5 weeks. That delay matters when vulnerabilities like CVE-2023-22515 and CVE-2023-22518 are escalating and being exploited quickly.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;strong&gt;The Gap Between Detection and Remediation&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The gap between fast vulnerability escalation and slow patching is a real weakness in security defences. A rapid increase in EPSS scores for vulnerabilities like CVE-2023-22518 signals an immediate threat, yet many organisations still have a lengthy patching process. During that window, the risk of exploitation remains high.&lt;/p&gt;
&lt;h3&gt;If I could take one scoring system to an island, which would I take?&lt;/h3&gt;
&lt;p&gt;&lt;img alt="Island" src="/static/images/blog/guy-on-island.webp"&gt;&lt;/p&gt;
&lt;p&gt;Both the Exploit Prediction Scoring System (EPSS) and the Common Vulnerability Scoring System (CVSS) are useful, but they answer different questions. My preference leans towards EPSS because it states the likelihood of exploitation directly. A probability score is easier to act on when the question is what needs attention now.&lt;/p&gt;
&lt;p&gt;That direct approach makes EPSS useful when explaining urgency to both technical and non-technical staff. It avoids some of the translation work that comes with security jargon and helps teams prioritise vulnerabilities quickly.&lt;/p&gt;
&lt;p&gt;CVSS is still useful for understanding how critical a vulnerability is. It focuses on severity, including factors such as impact and exploitability. What it does not always show as plainly is the immediate threat level, and that is where EPSS is easier to use.&lt;/p&gt;
&lt;h3&gt;What next from here?&lt;/h3&gt;
&lt;p&gt;Viewed through Confluence-Ageddon, EPSS and CVSS are useful together, but they do different jobs. If you need immediate defence, reach out; we can help protect your self-hosted Confluence with a simple DNS change.&lt;/p&gt;</content><category term="Security"></category><category term="Credential Stuffing"></category><category term="Threat Detection"></category><category term="Account Protection"></category><category term="DevSecOps"></category><category term="SOC 2"></category></entry><entry><title>JA4 and JA4+ Network Fingerprinting</title><link href="https://www.peakhour.io/blog/overview-of-ja4-network-fingerprinting/" rel="alternate"></link><published>2023-10-25T13:00:00+11:00</published><updated>2023-10-25T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-25:/blog/overview-of-ja4-network-fingerprinting/</id><summary type="html">&lt;p&gt;How JA4 constructs a TLS client fingerprint, what JA4+ names, and which details sorting and hashing discard.&lt;/p&gt;</summary><content type="html">&lt;p&gt;JA4+ is the name FoxIO uses for a family of network fingerprinting methods. JA4 itself is the TLS ClientHello method. It
builds on lessons from JA3, but the wider family also contains separate methods for servers, HTTP, certificates, TCP,
SSH and other observations.&lt;/p&gt;
&lt;h2&gt;JA4 and JA4+&lt;/h2&gt;
&lt;p&gt;JA4 produces an &lt;code&gt;a_b_c&lt;/code&gt; value. Its readable &lt;code&gt;a&lt;/code&gt; section records selected connection properties and counts. The &lt;code&gt;b&lt;/code&gt; and
&lt;code&gt;c&lt;/code&gt; sections are truncated SHA-256 values derived from normalised ClientHello fields. Analysts can compare selected
components, such as &lt;code&gt;JA4_ac&lt;/code&gt;, when the complete fingerprint is too narrow for the question being asked. Other JA4+
methods have their own inputs and specifications; they should not be treated as extra fields inside core JA4.&lt;/p&gt;
&lt;p&gt;JA4+ consists of various components:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;JA4&lt;/strong&gt;: TLS Client&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4S&lt;/strong&gt;: TLS Server Response&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4H&lt;/strong&gt;: HTTP Client&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4L&lt;/strong&gt;: Light Distance/Location&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4X&lt;/strong&gt;: X509 TLS Certificate&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4SSH&lt;/strong&gt;: SSH Traffic&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For a more thorough breakdown, the &lt;a href="https://blog.foxio.io/ja4-network-fingerprinting-9376fe9ca637"&gt;JA4 blog&lt;/a&gt; provides
the announcement and describes the fingerprints.&lt;/p&gt;
&lt;p&gt;JA4+ brings useful improvements, but a few aspects and quirks deserve closer attention.&lt;/p&gt;
&lt;h2&gt;What sorting changes&lt;/h2&gt;
&lt;p&gt;JA4 sorts cipher identifiers and most extension identifiers before hashing them. This was especially useful after
Chrome began permuting TLS extension order. Sorting puts those permutations back into one cohort. It also discards the
order as evidence. That is the trade-off: a more stable identifier retains less information about how the ClientHello
was serialised.&lt;/p&gt;
&lt;p&gt;Where investigation matters, retain the raw JA4 form as well as the compact value. &lt;code&gt;JA4_r&lt;/code&gt; exposes the normalised
cipher, extension and signature-algorithm lists, which makes a difference easier to inspect.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://www.peakhour.io/blog/tls-fingerprinting/"&gt;overview of TLS fingerprinting&lt;/a&gt; provides a more in-depth explanation of how a TLS signature is formed.&lt;/p&gt;
&lt;p&gt;Chrome's change was intended to stop servers and middleboxes from depending on one fixed extension order. In our
&lt;a href="/blog/tls-extension-randomisation/"&gt;extension-randomisation analysis&lt;/a&gt;, the number of order-sensitive TLS fingerprints
rose sharply after the rollout. Sorting reduced that artificial fragmentation. It did not make the resulting value a
client identity, and it did not preserve every distinction in the original handshake.&lt;/p&gt;
&lt;h2&gt;JA3 and Mercury took different paths&lt;/h2&gt;
&lt;p&gt;Before digging further into JA4+'s features and limitations, it helps to separate two related lineages. The
&lt;a href="https://github.com/salesforce/ja3"&gt;original JA3&lt;/a&gt; established a portable TLS fingerprint that was easy to share and
match. Cisco Mercury developed a richer protocol representation and a separate destination-context classification
system. Mercury is not a predecessor in the JA3-to-JA4 naming line. Our &lt;a href="/blog/two-lineages-tls-fingerprinting/"&gt;history of the two lineages&lt;/a&gt;
explains where their work overlaps and where it does not.&lt;/p&gt;
&lt;h2&gt;Implementation differences still matter&lt;/h2&gt;
&lt;p&gt;While sharing signatures through SHA is appealing, it has limits, most notably potential compatibility issues. As Fastly
&lt;a href="https://www.fastly.com/blog/the-state-of-tls-fingerprinting-whats-working-what-isnt-and-whats-next"&gt;noted&lt;/a&gt;, differences
in the implementation can be hidden behind the SHA hash, causing issues when searching for and correlating signatures
between different services. Record the implementation and version that generated a value; a shared format name does not
prove that two sensors handled every field identically.&lt;/p&gt;
&lt;h2&gt;Check the method, implementation and licence&lt;/h2&gt;
&lt;p&gt;The &lt;a href="https://github.com/FoxIO-LLC/ja4"&gt;official JA4+ repository&lt;/a&gt; contains the current specifications and implementations.
Check the licence for the individual method before adopting it: core JA4 is BSD-3-Clause, while most other JA4+ methods
use the FoxIO Licence and place additional conditions on commercial use.&lt;/p&gt;
&lt;p&gt;For a field-level example rather than a format summary, our &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;same-ClientHello lab&lt;/a&gt;
records JA3, JA4, &lt;code&gt;JA4_r&lt;/code&gt; and Mercury NPF output from one packet and pins the implementations that generated them.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="Fingerprinting"></category><category term="Browser Fingerprinting"></category><category term="TLS"></category><category term="SOC 2"></category><category term="Threat Detection"></category></entry><entry><title>ModSecurity’s End-of-Life</title><link href="https://www.peakhour.io/blog/modsecurity-eol-modern-application-security-platforms/" rel="alternate"></link><published>2023-10-16T13:00:00+11:00</published><updated>2023-10-16T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-16:/blog/modsecurity-eol-modern-application-security-platforms/</id><summary type="html">&lt;p&gt;ModSecurity's end-of-life marks a pivotal moment in application security evolution. Discover how modern Application Security Platforms are advancing beyond traditional WAF approaches to provide comprehensive protection for web applications and APIs at the edge.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The end-of-life of ModSecurity on 1 July 2024 marks a practical turning point for application security teams. For DevOps, SRE, and &lt;a href="/learning/devsecops/what-is-devsecops/"&gt;DevSecOps&lt;/a&gt; professionals, it reinforces a wider shift towards Application Security Platforms that go beyond traditional Web Application Firewall (WAF) capabilities.&lt;/p&gt;
&lt;p&gt;Modern Application Security Platforms use Web &lt;a href="/learning/application-security/what-is-waap/"&gt;Application and&lt;/a&gt; API Protection (WAAP) as a core part of edge security. Peakhour's Application Security Platform extends traditional WAF protection with bot management, API security, DDoS mitigation, and account protection, backed by Peakhour Edge delivery infrastructure.&lt;/p&gt;
&lt;p&gt;The bedrock of a WAF lies in two main components:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;WAF Engine&lt;/strong&gt;: Inspects and assesses web traffic.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;WAF Rules&lt;/strong&gt;: Guidelines that tell the engine what to inspect and how to respond.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Peakhour's Application Security Platform has used ModSecurity as part of our WAAP solution, integrating it with threat detection, behavioural analysis, and the proven OWASP ModSecurity Core Rule Set (CRS) for application protection.&lt;/p&gt;
&lt;p&gt;For two decades, ModSecurity has been a fixture in web security. Its acquisition by Trustwave led
to a sunset announcement in 2021, with the EOL set for July 2024.&lt;/p&gt;
&lt;h2&gt;Deciphering the EOL for ModSecurity&lt;/h2&gt;
&lt;p&gt;With the EOL, Trustwave will cease commercial support and updates for ModSecurity. That does not make
ModSecurity irrelevant. It has been in 'maintenance mode', with Trustwave channelling its efforts
towards bug fixes and security patches.&lt;/p&gt;
&lt;p&gt;Despite this change, ModSecurity still has active community support. Tutorials and
discussions centred around ModSecurity and CRS continue to appear each month. Entities like Atomicorp have pledged to extend their support
to ModSecurity beyond its EOL, helping maintain its presence in the market.&lt;/p&gt;
&lt;p&gt;Other WAF engines are emerging as potential contenders. The &lt;a href="https://github.com/corazawaf/coraza"&gt;Coraza&lt;/a&gt; WAF engine, written in
Go, is gaining a place in the market. The &lt;a href="https://github.com/microsoft/ModSecurity"&gt;public Azure repository&lt;/a&gt; hosts
Microsoft's ModSecurity fork, while the Edg.IO repository highlights &lt;a href="https://github.com/edgio/waflz"&gt;Waflz&lt;/a&gt;, showing its role
in the WAF ecosystem.&lt;/p&gt;
&lt;p&gt;Recent players, such as &lt;a href="https://github.com/openappsec/openappsec"&gt;OpenAppSec&lt;/a&gt; by Checkpoint, are also entering the scene.
Positioned as an open-source ML-based WAF, OpenAppSec has publicly advised businesses to start their migration strategies
and views itself as a viable migration path.&lt;/p&gt;
&lt;h2&gt;Peakhour's Application Security Platform Evolution&lt;/h2&gt;
&lt;p&gt;The ModSecurity transition fits with Peakhour's move towards a broader Application Security Platform. Our approach covers:&lt;/p&gt;
&lt;h3&gt;Immediate Continuity&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Operational Continuity&lt;/strong&gt;: ModSecurity continues to function within our platform, supported by active community development&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;No Service Interruption&lt;/strong&gt;: Customers experience no service interruption as we implement next-generation capabilities&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Tighter Integration&lt;/strong&gt;: Existing ModSecurity capabilities are strengthened through integration with our threat detection systems&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Advanced Platform Development&lt;/h3&gt;
&lt;p&gt;Peakhour is implementing security technologies that extend beyond traditional WAF capabilities:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Machine Learning Integration&lt;/strong&gt;: AI-powered threat detection that adapts to emerging attack patterns&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Behavioural Analysis&lt;/strong&gt;: Algorithms that identify sophisticated threats including residential proxy attacks and anti-detect browser usage&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;API-Native Security&lt;/strong&gt;: Protection designed for modern API-first architectures&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Real-Time Threat Intelligence&lt;/strong&gt;: Dynamic rule updates based on global threat landscape analysis&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Future-Ready Architecture&lt;/h3&gt;
&lt;p&gt;Our Application Security Platform roadmap includes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Multi-Engine Approach&lt;/strong&gt;: Evaluation of next-generation engines including Coraza, Waflz, and custom ML-based solutions&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Request-Path Protection&lt;/strong&gt;: Security processing at Peakhour Edge locations for performance&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="/learning/devsecops/what-is-devsecops/"&gt;DevSecOps Integration&lt;/a&gt;&lt;/strong&gt;: API-first architecture enabling integration with CI/CD pipelines and security automation&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Comprehensive WAAP&lt;/strong&gt;: Integration of WAF, API protection, bot management, and DDoS mitigation in a unified platform&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;The Future of Application Security&lt;/h2&gt;
&lt;p&gt;ModSecurity's end-of-life is more than a technical transition. It reflects the move from traditional point solutions to broader Application Security Platforms. For DevOps, SRE, and &lt;a href="/learning/devsecops/what-is-devsecops/"&gt;DevSecOps&lt;/a&gt; teams, this shift enables:&lt;/p&gt;
&lt;h3&gt;Enhanced Security Posture&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Unified Threat Protection&lt;/strong&gt;: Comprehensive WAAP capabilities that protect applications, APIs, and users through a single platform&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Advanced Threat Detection&lt;/strong&gt;: Machine learning and behavioural analysis that identify sophisticated attack vectors&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Real-Time Adaptation&lt;/strong&gt;: Dynamic security policies that evolve with the threat landscape&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Operational Excellence&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Performance Integration&lt;/strong&gt;: Security processing at the edge provides protection without compromising application performance&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="/learning/devsecops/what-is-devsecops/"&gt;DevSecOps&lt;/a&gt; Compatibility&lt;/strong&gt;: API-first architecture supports security automation and CI/CD integration&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Global Scalability&lt;/strong&gt;: Distributed protection that scales with application growth and user distribution&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Strategic Advantages&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Long-Term Investment&lt;/strong&gt;: Platform approach that evolves with emerging threats and technologies&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Comprehensive Coverage&lt;/strong&gt;: Single-pane-of-glass management for application security, performance, and availability&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compliance Alignment&lt;/strong&gt;: Built-in reporting and monitoring capabilities that support regulatory requirements&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The transition from ModSecurity gives organisations a clear point to review and modernise their application security posture. By adopting Application Security Platforms, teams can improve protection whilst maintaining the performance and scalability required for modern applications.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;Peakhour's Application Security Platform protects web applications and APIs with WAAP capabilities, delivery performance, bot management, and real-time threat intelligence. &lt;a href="/contact-sales/"&gt;Contact our security team&lt;/a&gt; to learn how we can support your application security posture whilst maintaining performance.&lt;/em&gt;&lt;/p&gt;</content><category term="Security"></category><category term="Application Security"></category><category term="DevSecOps"></category><category term="API Security"></category><category term="DDoS"></category><category term="Threat Detection"></category><category term="SOC 2"></category></entry></feed>