TOR's ability to anonymize online activities makes it a tool for both legitimate privacy-conscious users and malicious actors. For businesses, the challenge is to balance the benefits of privacy and anonymity against the potential risks posed by anonymous traffic, often requiring advanced cybersecurity measures and constant vigilance.

What is TOR?

TOR, short for The Onion Router, is free and open-source software for enabling anonymous communication. It directs Internet traffic through a free, worldwide, volunteer-run overlay network of more than seven thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis. TOR makes it more difficult to trace Internet activity back to the user, including visits to websites, online posts, instant messages, and other forms of communication.

Figure: Conceptual illustration of The Onion Router (TOR) network, showing multi-layer encryption and the routing of internet traffic through relay nodes around the globe.

Key aspects of TOR include:

  1. Anonymity: TOR helps users to hide their identity (IP address) and location, making it difficult for anyone to trace their internet activities back to them.
  2. Layered Encryption: Data sent over the TOR network is encrypted multiple times, similar to layers of an onion, which is where the name comes from. Each layer of encryption is peeled off at successive nodes in the network before reaching the final destination.
  3. Network of Relays: TOR routes internet traffic through a worldwide, volunteer-run network of servers or relays. This routing process, which involves passing encrypted data through at least three relays, makes it very difficult to track the source of the information or the identity of the user.
  4. Access to the Dark Web: TOR is known for facilitating access to the dark web, a part of the internet not indexed by standard search engines and often associated with anonymous and private activities.
  5. Use Cases: While TOR can be used for various legitimate purposes like protecting personal privacy, whistleblowing, and circumventing censorship, it has also gained notoriety for its use in accessing illegal services and content on the dark web.
  6. Performance Considerations: Due to its multi-layered encryption and relay routing, TOR can be slower than conventional internet browsing.

TOR represents a significant tool in the arsenal of internet privacy, offering an option for those who seek to maintain anonymity online, whether for personal security, journalistic purposes, or to circumvent restrictive censorship.
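As an added illustration of the layered encryption and relay routing described above (not code from this page or from Vectra), here is a toy three-hop onion in Python: the client wraps its message once per relay, each relay peels only its own layer and learns only the next hop, and only the exit relay sees the destination. The HMAC-SHA256 keystream and the fixed session keys are stand-ins for Tor's real AES-CTR cipher and negotiated circuit keys; they are not Tor's protocol.

```python
import hashlib, hmac, os

NONCE_LEN = 16

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream; stands in for Tor's AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(data, ks))

def wrap_layer(key: bytes, plaintext: bytes) -> bytes:
    """Add one onion layer: fresh nonce, then XOR with the keystream."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

def unwrap_layer(key: bytes, blob: bytes) -> bytes:
    """Peel one layer with this relay's key; the wrong key yields only noise."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor_bytes(body, keystream(key, nonce, len(body)))

def build_onion(circuit, destination: bytes, message: bytes) -> bytes:
    """Client wraps the message once per relay: exit layer innermost, guard layer outermost."""
    blob = b""
    for i in range(len(circuit) - 1, -1, -1):
        key = circuit[i][1]
        if i == len(circuit) - 1:
            plain = b"TO:" + destination + b"|" + message      # only the exit sees this
        else:
            plain = b"NEXT:" + circuit[i + 1][0] + b"|" + blob  # a relay learns only its next hop
        blob = wrap_layer(key, plain)
    return blob

def traverse(circuit, onion: bytes):
    """Pass the onion along the circuit; return what each relay learned and the final message."""
    learned, blob = [], onion
    for name, key in circuit:
        header, blob = unwrap_layer(key, blob).split(b"|", 1)
        learned.append((name, header))
    return learned, blob

# Constructed circuit: three relays with toy shared session keys (real Tor negotiates these).
CIRCUIT = [(b"guard", b"G" * 32), (b"middle", b"M" * 32), (b"exit", b"E" * 32)]
```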

Why Attackers Use TOR

Attackers use TOR (The Onion Router) for several reasons, primarily due to the anonymity and privacy features it offers. Here's why TOR is appealing to attackers:

  1. Anonymity: TOR's primary feature is its ability to conceal a user's identity and location by routing internet traffic through multiple servers. This anonymity makes it difficult to trace malicious activities back to the attacker.
  2. Evading Detection and Blocking: Since TOR masks IP addresses, attackers can evade IP-based blocking and tracking mechanisms commonly used in cybersecurity defenses. It allows them to launch attacks from seemingly random and changing IP addresses.
  3. Accessing the Dark Web: TOR provides access to the dark web, a part of the internet not indexed by conventional search engines. The dark web hosts various illegal marketplaces and forums where attackers can exchange information, tools, and services related to cybercrime.
  4. Circumventing Censorship: Attackers operating in countries with strict internet censorship use TOR to bypass government restrictions and conduct their activities without attracting attention from law enforcement agencies.
  5. Command and Control Communications: TOR can be used for command and control (C&C) operations of malware. By running C&C servers over TOR, attackers make it challenging to identify and shut down these servers.
  6. Deploying Malware and Phishing Campaigns: Attackers use TOR to anonymously host malicious websites, including phishing sites, and to distribute malware without revealing their actual hosting location.
  7. Data Exfiltration: In corporate espionage or data theft scenarios, TOR can be used to exfiltrate data without revealing the source or destination of the stolen information.

It's important to note that while TOR is used by attackers for malicious purposes, the network itself is legal and has legitimate uses, such as protecting personal privacy, supporting freedom of speech, and enabling secure communication. Cybersecurity solutions have evolved to monitor and detect suspicious TOR traffic as part of a comprehensive security strategy.

Business Impact of a TOR Attack

  • Data Breach and Theft: Attackers using TOR can target businesses to steal sensitive data, intellectual property, or customer information without revealing their identity.
  • Reputation Damage: A successful attack can damage a business's reputation, leading to loss of customer trust and potentially severe financial consequences.
  • Regulatory and Compliance Risks: Businesses may face legal and regulatory consequences if a data breach occurs, especially if it involves sensitive customer data.
  • Operational Disruption: Cyberattacks through TOR can disrupt business operations, either directly (through denial-of-service attacks) or indirectly (by diverting resources to respond to the breach).
  • Increased Costs: Businesses may incur significant costs in responding to an attack, strengthening their cybersecurity posture, and compensating affected parties.

How to Detect TOR Activities

  • An internal host establishes connections with outside servers where the protocol usage resembles that of The Onion Router (TOR)
  • Vectra AI's algorithm inspects the protocol handshake of each session and triggers if characteristics of the session setup are similar to those observed in TOR connections

How to Investigate TOR Activities

  1. Ask the user of the host whether they are using TOR for any purpose
  2. Check to see if any TOR-enabled software is installed on the host
  3. Check the TOR entry nodes listed in the detection against lists of known TOR entry nodes (e.g., search for “tor entry node list”), but note that these lists are seldom complete and shift over time
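The investigation steps above, in particular step 3 and its caveat that relay lists are incomplete and shift over time, as an added Python example (not code from this page or from Vectra): it matches constructed firewall log lines from internal hosts against a constructed snapshot of a known-relay list, treats Tor's default ORPort and DirPort (9001 and 9030) as a weaker secondary signal, and reports when the snapshot is older than a day. The log format, the relay list, the internal address range and the timestamps are all assumptions made for this example.

```python
import ipaddress, re
from datetime import datetime, timedelta, timezone

# Constructed snapshot of a "known Tor entry node" list. Real lists (Tor Project
# relay data, third-party feeds) are never complete and change continuously.
KNOWN_TOR_RELAYS = {"198.51.100.7": "guard", "203.0.113.42": "guard", "192.0.2.200": "exit"}
LIST_FETCHED_AT = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)  # constructed
MAX_LIST_AGE = timedelta(hours=24)   # treat older snapshots as unreliable
TOR_DEFAULT_PORTS = {9001, 9030}     # default ORPort/DirPort; many relays use 443 instead
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed corporate range

# Hypothetical firewall log format, constructed for this example.
LOG_RE = re.compile(r"^(?P<ts>\S+) fw: src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)")

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def list_is_stale(now: datetime) -> bool:
    """Step 3 caveat: a relay list older than MAX_LIST_AGE should not be trusted as complete."""
    return now - LIST_FETCHED_AT > MAX_LIST_AGE

def classify(line: str):
    """Return a finding for an internal host talking to a suspected Tor relay, else None."""
    m = LOG_RE.match(line)
    if not m or not is_internal(m["src"]):
        return None
    dst, dport = m["dst"], int(m["dport"])
    reasons = []
    if dst in KNOWN_TOR_RELAYS:
        reasons.append(f"dst is a listed Tor {KNOWN_TOR_RELAYS[dst]} relay")
    if dport in TOR_DEFAULT_PORTS:
        reasons.append(f"dport {dport} is a Tor default port (weak signal on its own)")
    if not reasons:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": dst, "dport": dport, "reasons": reasons}

def triage(lines, now: datetime):
    """Classify every line; also report whether the relay list itself is stale."""
    return [f for f in map(classify, lines) if f], list_is_stale(now)

# Constructed log lines: one hit on the list, one on port only, one external source.
SAMPLE_LOG = [
    "2024-01-15T09:12:01Z fw: src=10.0.5.23 dst=198.51.100.7 dport=443 proto=tcp",
    "2024-01-15T09:12:05Z fw: src=10.0.5.23 dst=192.0.2.10 dport=443 proto=tcp",
    "2024-01-15T09:13:40Z fw: src=10.0.7.9 dst=203.0.113.99 dport=9001 proto=tcp",
    "2024-01-15T09:14:00Z fw: src=198.51.100.7 dst=10.0.5.23 dport=22 proto=tcp",
]
```

A port-only hit such as the third line is exactly the case step 3 warns about: the relay may simply be absent from the list, so the finding still needs the host checks in steps 1 and 2.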