The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an advisory for companies on detecting and mitigating malicious traffic coming from Tor (The Onion Router).
Tor is anonymization software that encrypts Internet traffic and routes it through a series of relays and nodes. While Tor has legitimate uses, for example as an anti-censorship tool, bad actors also use it to hide their trail, so organizations and states would have a tough time identifying an attacker or an APT that uses Tor.
Nonetheless, there are measures that companies and authorities can take to mitigate some possible risks and to help them determine if the traffic in their network infrastructure comes from such sources.
“Using an indicator-based approach, network defenders can leverage security information and event management (SIEM) tools and other log analysis platforms to flag suspicious activities involving the IP addresses of Tor exit nodes,” reads the advisory. This is made easier by the fact that the Tor Project’s Exit List Service keeps a list of Tor exit node IP addresses.
This is just one way an organization can verify the provenance of Internet traffic. Other tools are available, and some are described in the advisory.
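The indicator-based approach the advisory describes, as an added example that is not part of the advisory or the article: load a list of exit-node IPs and match them against web server access log lines. The one-IP-per-line feed format, the Common Log Format input and the sample addresses are all constructed assumptions for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample exit-node list (one IP per line, '#' comments).
# The real list comes from the Tor Project's Exit List Service; the
# plain one-per-line format is an assumption for this example.
EXIT_LIST_SAMPLE = """\
# constructed sample, not real exit nodes
192.0.2.10
198.51.100.77
2001:db8::1
"""

# Constructed web server access log lines in Common Log Format.
ACCESS_LOG_SAMPLE = """\
192.0.2.10 - - [02/Jul/2020:10:15:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.5 - - [02/Jul/2020:10:15:03 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.77 - - [02/Jul/2020:10:15:07 +0000] "POST /login HTTP/1.1" 401 128
192.0.2.10 - - [02/Jul/2020:10:15:09 +0000] "POST /login HTTP/1.1" 401 128
not a log line
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def load_exit_nodes(text):
    """Parse exit-node IPs, skipping comments and malformed entries."""
    nodes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nodes.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # bad entry in the feed: skip it rather than abort the scan
    return nodes


def flag_tor_traffic(log_text, exit_nodes):
    """Return (flagged entries, hit count per IP) for requests from known exit nodes."""
    flagged, hits = [], Counter()
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # unparseable line, e.g. truncated or not CLF
        try:
            client = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if client in exit_nodes:
            flagged.append({"ip": str(client), "time": m.group(2),
                            "request": m.group(3), "status": int(m.group(4))})
            hits[str(client)] += 1
    return flagged, hits
```

In a SIEM the same match would normally be a lookup against a regularly refreshed copy of the list, so that retired exit nodes stop generating alerts.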
CISA and the FBI also list various mitigation procedures that could work, depending on the profile of the affected company. For example, it’s possible to block all web traffic to and from public Tor entry and exit nodes by default, but this is a very restrictive and conservative approach and can block legitimate traffic.
A less restrictive, but more labor-intensive, method would be to monitor, analyze and block web traffic to and from public Tor entry and exit nodes as needed. It takes more time, and it’s more challenging to achieve, but organizations would find it a much more flexible approach.
At the end of the day, companies and organizations have to determine how best to deal with traffic from known Tor nodes. It’s the least they can do against less sophisticated attackers, who still rely on this default channel for spreading malware.