Periodically, articles are published highlighting the difficulty authorities have investigating illegal activity on the Internet when the perpetrators make use of the anonymity that Tor provides.
Last week saw another such article appear in The Wall Street Journal, highlighting an operation that took down more than four hundred Web sites accessible only via Tor (essentially Tor “services”), arrested 17 people and confiscated plenty of Bitcoins associated with running these Web sites. These Web sites are referred to as “darknet marketplaces” and basically connect purveyors of illegal goods (e.g., drugs, guns) and services (e.g., contract killings) with people seeking these things. An August article in Wired spent more time detailing how the FBI goes about fighting the demand side of the problem – by infecting machines belonging to potential seekers of such goods and services via drive-by-downloads.
It’s easy to read such articles and come to the conclusion that Tor usage doesn’t really impact the security on an enterprise network. Unfortunately, as is true for any tools that anonymize the party using or supplying the service, there is an unending number of creative ways in which the bad guys have figured out how to utilize Tor. Given that covert channels of communication are useful for hiding command and control and exfiltration activity, it is no wonder that Tor usage is on the upswing in large-scale botnets as well as targeted attacks.
A July article in PCWorld highlighted an increasing use of Tor for botnet command and control. The reason bot herders make use of Tor is two-fold: (1) by implementing their command and control servers as a Tor service, they make it difficult for anyone trying to take down their botnet or even find where in the world it might be located and (2) by coding their malware to communicate via Tor, they make it difficult for organizations to block these channels with traditional approaches of blacklists of IP addresses or domains. An InfoWorld article in February highlighted malware targeting Android systems that used Tor for command and control. Search for “tor usage by malware” in your favorite search engine to compile your own list of articles covering skynet, 64-bit Zeus and other strains of malware that now communicate over Tor.
Some of these opportunistic malware strains have been used in targeted attacks. A September article in SecurityWeek highlights the potential use of a version of bifrose that communicates over Tor in such attacks.
Keeping an eye out for any Tor traffic leaving your network is a good security practice. While you may have some employees who legitimately want to connect to Web sites in their home countries while keeping their location and identity hidden, you should at least know about the Tor traffic and should carefully think about whether to allow it to continue.
We added outbound Tor detection into the Vectra X-series platform early on. Rather than relying on lists of Tor ingress IP addresses – and having to race to keep them constantly up to date – we built a behavioral model to look at series of connections being initiated by internal hosts in search of a pattern that is consistent with Tor usage.
We detect Tor usage as we feel you should be aware of it.
Oliver Tavakoli is chief technology officer at Vectra. Oliver is a technologist who has alternated between working for large and small companies throughout his 25-year career – he is clearly doing the latter right now. Prior to joining Vectra, Oliver spent more than seven years at Juniper as chief technical officer for the security business. Oliver joined Juniper as a result of its acquisition of Funk Software, where he was CTO and better known as developer #1 for Steel-Belted Radius. Prior to joining Funk Software, Oliver co-founded Trilogy Inc. and prior to that, he did stints at Novell, Fluent Machines and IBM. Oliver received an MS in mathematics and a BA in mathematics and computer science from the University of Tennessee.