Triggers
- An internal host establishes connections with outside servers where protocol usage approximates communicating via The Onion Router (TOR)
- The algorithm inspects the protocol handshake of each session and triggers if characteristics of the session setup are similar to those observed in TOR connections
Possible Root Causes
- A targeted attack is utilizing TOR to hide communications with command and control servers or to exfiltrate your organization’s data
- An infected host which is part of a botnet is utilizing TOR to communicate with its command and control servers or to leak small amounts of stolen data
- A user is utilizing a TOR-enabled program to anonymously communicate with servers available on the Internet or ones available only through TOR
Business Impact
- The use of TOR as part of a targeted attack is meant to slip by most standard perimeter defenses and indicates attacker sophistication
- The use of TOR as part of a botnet is relatively rare and would indicate a more sophisticated botnet
- The intentional use of TOR by employees may be allowed, but it does represent significant risk as the intention of TOR is to mask traffic source and destination
Steps to Verify
- Ask the user of the host whether they are using TOR for any purpose
- Check to see if any TOR-enabled software is installed on the host
- Check the TOR entry nodes listed in the detection against lists of known TOR entry nodes (e.g., search for “tor entry node list”), but note that these lists are seldom complete and shift over time