Security teams and IT managers face a continuous battle to stay aware of everything users are accessing from their corporate environments. Anonymous web browsing technology such as The Onion Router (Tor) makes this problem even more difficult. While non-work-related internet browsing (like checking social media, looking at pictures of cats, etc.) is harmless the majority of time, there are some cases in which businesses could become unknowing participants in criminal activity, that is, when users hide that activity via the Tor network or the Dark Net.
Tor is a piece of software that is designed to permit a user to anonymously browse the internet via a volunteer network of more than 5000 relays. There are indeed legitimate uses for this technology, such as providing internet access in repressively regulated countries. However, it’s often linked with illicit activity like child pornography, identity theft, money laundering, etc. Most administrators will want to ban their users from using the Tor network from within their organisations due to its association with disreputable activity.
Free eBook: Modern Retail Security Risk – Get your copy now.
Users browsing the Tor network from a corporate environment can unwittingly expose the company to hosting malicious/illegal content, ransomware infection, or unknowingly participating in other malicious activity. If users are browsing with Tor and they are looking at child pornography, then the company can be liable. Wired recently reported that 80% of visits to Tor hidden services relate to child pornography. Additionally, the notorious Silk Road online black market used mostly for buying and selling illegal drugs famously operated under the cover of Tor and was later taken down by the FBI.
Since the point of origin is almost impossible to determine conventionally, many bad actors leverage the Tor network to hide the location of Command & Control (CnC) servers, machines taking ransomware payments, etc. This makes identifying them and their malware that much harder.
And Tor is not only an open network that enables anonymity; it also provides anonymity for servers that can only be accessed through the Tor network, which are called hidden services.
Some websites allow accessing Tor hidden services through the Internet without being inside the Tor network. In that case, security managers will need to take corrective action and stay up to date with rules and techniques to help them detect when a system is accessing one of these services. Various families of malware are starting to use Tor to hide traffic and occlude the point of origin for communication with C&C servers. Adding correlation rules that group different IDS signatures to detect when a system is trying to resolve a malicious onion domain will be critical to prevent this malware from entering your network.
Since Tor itself is intended to be undetectable for the most part, deciding on policies or rules in advance in terms of business use is essential. It is also critical to train staff about the risks it poses. However, if you decide you want to actually block Tor, it is possible: https://www.torproject.org/docs/faq-abuse.html.en#Bans and/or https://www.torproject.org/projects/tordnsel.html.en.
Tor can be a useful tool in some cases; however, it does frequently get a bad reputation due to the associated nefarious activity. It is important to weigh these points when considering whether or not to allow the use of Tor on your network. Unless legitimate uses are known to your organisation, it would be best to limit its use because the reality is that more and more bad actors are using Tor and the related I2P for attacks, either to obfuscate the CnC communication and/or the makeup of their federated crime networks. So, when it comes down to it, a proper use case for business may need to be put forward, the and risks vs. benefits of using Tor must be assessed carefully.
By Garrett Gross, Senior Technical Manager, AlienVault
About AlienVault
AlienVault is the leading provider of Unified Security Management and crowd-sourced threat intelligence. Its products are designed and priced to ensure that mid-market organizations can effectively defend themselves against today’s advanced threats. By building the best open source security tools into one Unified Security Management platform, and then powering the platform with up-to-the-minute threat intelligence from AlienVault Labs and its Open Threat Exchange—the world’s largest crowd-sourced collaborative threat exchange—AlienVault provides its customers with a unified, simple and affordable solution for threat detection and compliance management.
While the perfect threat deflector shield has yet to be invented, AlienVault is able to provide its customers with an out-of-this-world threat detection product that ensures even the smallest ‘planets’ in the galaxy can fend off attackers.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.