Could your organisation be unknowingly open to the dangers of the Darknet?

IT managers and security teams face a never ending battle to make themselves aware of everything that users are accessing from their corporate environments. Making this problem even more difficult is anonymous web browsing technology such as The Onion Router (Tor).

While most of the time, non-work-related internet browsing is harmless, like looking at pictures of cats, online shopping, social media, etc, there are some instances where businesses could become unknowing and unwilling participants in criminal activity. That is, when users hide that activity via the Tor network, or the Dark Net.

Tor is a piece of software that is designed to allow a user to browse the internet anonymously via a volunteer network of more than 5000 relays. There are arguably legitimate uses for this technology, such as providing internet access in repressively regulated countries.

> See also: The 2015 cyber security roadmap

However, Tor is often associated with illicit activity like child pornography, selling illegal substances, identity theft, money laundering, and so on. Most administrators will want to prohibit their users from using the Tor network from within their organisations due to its association with nefarious activity.

Users browsing the Tor network (for illicit purposes or not) from a corporate environment can open up the company to hosting malicious/illegal content, ransomware infection, or unknowingly participating in other malicious activity.

If users are browsing with Tor and they are looking at child pornography, then the company may be liable. And Wired recently reported that 80% of visits to Tor hidden services relate to child pornography. In addition, the notorious Silk Road online black market used mostly for buying and selling illegal drugs famously operated under the cover of Tor and was later taken down by the FBI.

Since the point of origin is nearly impossible to determine with conventional means, many bad actors leverage the Tor network to hide the location of Command & Control (CnC) servers, machines taking ransomware payments, etc. This makes identifying them and their malware that much harder.

And because Tor is not only an open network that enables anonymity and allows users to surf the Internet anonymously, it also provides anonymity for servers that can only be accessed through the Tor network and are called hidden services.

There are some websites that allow accessing Tor hidden services through the Internet without being inside the Tor network. In that case, security managers will need to take corrective action and keep up to date with rules and techniques to help them detect when a system is accessing one of these services such as the malicious tor.ONION domain, a ‘top level domain’ suffix that is used for hidden services inside the Tor network.

Several families of malware are starting to use Tor to hide traffic and occlude the point of origin for communication with C&C servers. Adding correlation rules that group different IDS signatures to detect when a system is trying to resolve a malicious onion domain will be very important to keep this malware from entering your network.

Since Tor itself is designed to be undetectable for the most part, deciding on policies or rules in advance regarding the service when it comes to business use are crucial.  It is also critical to train staff about the risks it poses to businesses.

> See also: Is secure cloud the next step in the evolution of information security?

Having said that, while some nefarious activities are associated with Tor, there are still plenty of legitimate (and noble) uses. However, if you decide you want to actually block Tor, it is possible: https://www.torproject.org/docs/faq-abuse.html.en#Bans and/or https://www.torproject.org/projects/tordnsel.html.en

In summary, Tor can be a useful tool in some cases; however, it does often get a bad reputation due to the associated nefarious activity.  It is important to weigh up these points when considering whether or not to allow the use of Tor on your business network.

Unless legitimate uses are known to your organisation, it would be best to limit its use because the reality is that more and more bad actors are using Tor and the related I2P for attacks, either to obfuscate the CnC communication and/or the makeup of their federated crime networks. So, when it comes down to it, a proper use case for business may need to be put forward and risks vs benefits of using Tor will need to be assessed carefully.

Sourced from Garrett Gross, senior technical manager, AlienVault

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Malware