• A user was observed accessing the environment from a known anonymized (TOR) exit node, post authentication.

Possible Root Causes

  • An attacker is using an anonymizing proxy like TOR to obfuscate details of their source connection or make investigation more difficult by using multiple source IP addresses.
  • A user may be intentionally using TOR to circumvent restrictions preventing access to the resources in question, such as those applied by the country they are accessing from.

Business Impact

  • Attackers identified under this detection are actively operating within the environment while maintaining some level of operational security by obfuscating their source details.
  • Attackers operating using TOR will reduce the ability of teams to connect identified attacker behavior with other behaviors not yet identified since it enables the attacker to regularly change the source detail of their connections while undertaking operations within the environment.

Steps to Verify

  1. Review the actions being undertaken by the user during and just before the identified activity to determine resources accessed and potential risk posed by that access.
  2. Review security policy to determine if use of TOR is allowed. • Discuss with user to determine if use of TOR is known and legitimate.
  3. If review determines there is a high risk to data or the environment, disable the account and perform a comprehensive investigation.