Connecting to Tor is done to hide illicit activities, either on purpose or automated by malware. The Tor Network is designed to offer anonymous Internet access to its users and can also be used to hide a Botnet Controller. Anonymous access could be used as a means to subvert company usage policy or even to engage in illicit activity. Since mid-2013, the Tor Network has been used by an increasing number of operators to hide communications with Botnet Controllers. If the connection was not initiated by an employee, then an infection is present within your network. An alert in this category should be investigated at all times.
Tor is free software for enabling anonymous communication. The name is derived from an acronym for the original software project name “The Onion Router”. Tor directs Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult for Internet activity to be traced back to the user: this includes “visits to Web sites, online posts, instant messages, and other communication forms”. Tor’s use is intended to protect the personal privacy of users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities from being monitored.
Risk management plays a critical role in protecting an organization’s information assets. Every organization should evaluate the risk and the impact that the usage of any new technology in its corporate network can have on its business. Tor is one of the tools that organizations should understand, in order to be aware of both its associated risks and its benefits. While it is true that Tor can be used with the legitimate goal of anonymity on the Internet, it can represent a serious problem for an organization: bypassing network security, connecting to criminal sites on the ‘darknet’ or ‘dark web’ (websites only accessible from within an anonymized network), involving the organization in criminal activities, exposing the corporate network to malware infections, etc. In this section, we identify the main risks a company is exposed to when allowing Tor inside its network. The goal of this analysis is to raise awareness and to help companies make an informed decision on whether or not to allow the use of Tor in their network.
Risk 1: Exposes the organization to malware and botnet attacks: the operator of an “exit node” can use that device to inject malware into the traffic passing through it. So, any user downloading files through Tor exposes the organization’s network to malware infection. In addition, it is important to know that criminals are increasingly using Tor as a command-and-control (C&C) channel for malware.
Risk 2: Exposes the organization to DDoS attack: having one or more computers operating as Tor nodes exposes the company to the risk of DDoS (Distributed Denial of Service: saturation of the network bandwidth, preventing others from using it). One or more corporate servers relaying Tor network traffic can consume a large share of the corporate network bandwidth, which leaves the organization permanently exposed to a DDoS attack.
Risk 3: Helps the employee to bypass security controls: because Tor encrypts all traffic over the network, monitoring the network activity between the Tor node and the Internet becomes very hard. This way, people can bypass the organization’s security policies and controls very easily. They can connect to illegal web sites, reach the darknet to purchase illegal goods and services, and exfiltrate sensitive data without anyone’s knowledge.
Risk 4: Being the victim of information theft: traffic can be sniffed at the exit node. The operator of an exit node can monitor the traffic transiting through their device and capture any unencrypted (HTTP, FTP, SMTP without TLS, …) sensitive information such as, but not limited to, login/password pairs. As a result, employees using Tor expose their own data and the information belonging to their organization to theft, which can have a major impact on the business. This attack is also known as a MiTM (Man in The Middle) attack.
Risk 5: Negative impact on the organization’s reputation: organizations operating Tor nodes can be held responsible for others’ (illegal) activities. Thus they can face the possibility of serious criminal penalties if one of the nodes they operate is discovered transporting illegal material (child porn) or performing illegal activities (hacking, DDoS attacks, spying, etc.). This usually happens when operating an exit node, because it is the exit node’s IP address that appears when the authorities start investigating the digital fingerprints of the crime.
Risk 6: Blacklisting: setting up a Tor node inside a network runs the risk of the organization’s IP address being added to an Internet blacklist, notably if the node is involved in illegal activities.
How can we know if an employee is using Tor on a corporate resource? How can we detect or block Tor inside a network? The truth is that detecting or blocking Tor is never easy. The solution to this problem cannot rely purely on technology; the combination of training and awareness, security policies, security best practices and technology is the most effective approach. Here are some of our recommendations:
- Stop users from installing Tor: implementing security controls that limit user access rights on a computer helps prevent the installation of unauthorized software or devices. Controls on USB ports should be applied to prevent running a Tor build pre-installed on a USB stick.
- Clear policy on Tor usage: make sure that the corporate security policies speak clearly about the use of the Tor bundle on corporate resources. At the same time, it is important to communicate to the entire staff of the organization that using Tor over the corporate network is strictly prohibited and is considered a major and punishable violation of security policy.
- Awareness and training: all employees should be trained on, and aware of, the risks related to the usage of Tor in the corporate network.
- Develop a blacklist of Tor nodes: the idea here is to stop all outbound traffic related to Tor at the border firewall by creating an explicit outbound deny rule based on the blacklisted IP addresses. In addition, this solution makes it possible to build a log of all hosts attempting to connect to Tor nodes. The challenge with this solution is obtaining the blacklist and keeping it current.
- Block all traffic using self-signed digital certificates: Tor is known to use self-generated SSL certificates (certificates not issued by a recognized certificate authority) to encrypt traffic between nodes and servers. Blocking all outbound SSL traffic that uses self-signed SSL certificates across your network, which is part of security best practice, can contribute to preventing the use of Tor. Web proxy services and WAFs (Web Application Firewalls) can be used for this purpose, as they can stop all traffic using self-signed digital certificates. They can inspect traffic more deeply and, regardless of the port, block traffic based on packet content.
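The blacklist recommendation above, worked through as an added example (not code from the original page): match a constructed set of firewall log lines against a relay IP list, report which internal hosts tried to reach a relay (including attempts the firewall already denied, which still reveal a Tor client), and render the corresponding log-and-deny rules in iptables syntax. The relay addresses are TEST-NET documentation addresses standing in for a maintained feed, and the log format is an assumed key=value style, not any particular product's.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder relay list (RFC 5737 documentation addresses).
# In practice this set is refreshed regularly from a maintained relay/exit feed.
TOR_RELAYS = {"192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.200"}

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOG = """\
2024-05-01T08:01:12Z action=allow src=10.1.4.22 dst=198.51.100.7 dport=443 proto=tcp
2024-05-01T08:01:15Z action=allow src=10.1.4.22 dst=203.0.113.200 dport=9001 proto=tcp
2024-05-01T08:02:01Z action=allow src=10.1.7.9 dst=203.0.113.5 dport=443 proto=tcp
garbage line that should be skipped by the parser
2024-05-01T08:02:44Z action=allow src=10.1.4.22 dst=192.0.2.10 dport=443 proto=tcp
2024-05-01T08:03:10Z action=deny src=10.1.9.3 dst=192.0.2.11 dport=443 proto=tcp
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            yield match.groupdict()


def find_tor_contacts(text, relays=TOR_RELAYS):
    """Map each internal source host to the relay IPs it tried to reach.

    Denied connections are counted too: the attempt itself is the indicator.
    """
    hits = defaultdict(set)
    for rec in parse_log(text):
        if rec["dst"] in relays:
            hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def deny_rules(relays=TOR_RELAYS, prefix="TOR-DENY "):
    """Render an explicit outbound LOG + DROP rule pair per relay (iptables syntax)."""
    rules = []
    for ip in sorted(relays, key=ipaddress.ip_address):
        rules.append(f'iptables -A OUTPUT -d {ip} -j LOG --log-prefix "{prefix}"')
        rules.append(f"iptables -A OUTPUT -d {ip} -j DROP")
    return rules
```

Hosts reported by find_tor_contacts are the starting point for the investigation the alert text above calls for: an unexpected source host points to either policy violation or infection.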