Tor has grown in popularity in recent years and periodically makes the news. It is a free, open-source anonymity network, created to support free and private use of the web, and first released in September 2002. It is sometimes nicknamed the anonymous internet because of what it does: it anonymizes the user's network traffic. The project has made that easier by publishing a web browser built specifically to use the network, the Tor Browser. Tor stands for The Onion Router, the project's original name. The name may seem odd at first, but it will make sense as you read on.
General Explanation
So how does it work? Two terms first. A Tor node (also called a relay) is a computer on the Tor network that forwards Tor traffic: it receives a chunk of traffic and pushes it on to the next hop it is told to use. A Tor client is software that can reach the Tor network. When a machine starts a Tor client, the client builds a randomly chosen path (a circuit) through several relays, and the data is passed from relay to relay along that path until it reaches its destination. Each link on the path is encrypted separately. This protects the data in transit and protects the user, because no single relay sees both where the traffic came from and where it is going: the first relay knows the user's address but not the destination, and the last relay knows the destination but not the user. No relay knows the full path, so compromising one relay does not by itself let an attacker trace the data back to its origin. One caveat worth knowing: the last relay (the exit) sees the traffic as it leaves Tor, so anything not protected end to end by TLS is readable there.
Technical Explanation
For the technical explanation, call the user's machine PC1. PC1 starts a Tor client, which fetches a directory listing of available relays. From that list the client picks a random path of relays, by default three: a guard (entry), a middle, and an exit. Each relay in the “circuit” knows only its two neighbours, the hop it receives data from and the hop it forwards to. The client negotiates a separate encryption key with each relay, so the data is encrypted in layers, one layer per hop, and each relay strips exactly one layer on the way out. The addressing information a relay needs sits inside the one layer it can decrypt, and only the “next hop” is visible to it; the final destination is buried in the innermost layer, which only the exit can open. Ordinary IP headers are not encrypted, which is what makes conventional traffic analysis possible; wrapping the per-hop addressing inside the encryption is what hides the route. These layers of encryption are what make it reminiscent of an onion. All of this is the onion routing protocol, which is the basis for Tor. Note that adding more hops does not meaningfully improve anonymity, which is why the default stays at three.
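The layering described above, as an added simulation that is not code from the Tor project: a client wraps a payload once per relay, innermost layer first, and each relay peels exactly one layer and learns only its neighbours. The stream cipher is a toy SHA-256 counter-mode construction standing in for the AES-CTR real Tor uses, the relay and host names are made up, and the client reads each relay's key directly instead of running a handshake; all of that is assumption for the sake of a self-contained example. The exit's view shows the caveat from the general explanation: it receives the application payload in the clear.

```python
import hashlib
import json
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. A stand-in for the AES-CTR
    Tor uses on relay cells; constructed for this example, not vetted crypto."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class Relay:
    """One Tor node. Holds the per-circuit key it shares with the client (real
    Tor derives this from a handshake with each hop; here the client simply
    reads relay.key, an assumption) and records what it learned while forwarding."""

    def __init__(self, name: str):
        self.name = name
        self.key = os.urandom(32)
        self.seen = {}

    def peel(self, from_hop: str, cell: bytes):
        """Strip one layer: learn only the previous and next hop, hand on the rest."""
        layer = json.loads(decrypt(self.key, cell))
        self.seen = {"prev": from_hop, "next": layer["next"]}
        return layer["next"], bytes.fromhex(layer["data"])


def can_read(relay: Relay, cell: bytes) -> bool:
    """True only if the outermost layer of `cell` was encrypted for this relay."""
    try:
        return isinstance(json.loads(decrypt(relay.key, cell)), dict)
    except ValueError:  # wrong key -> garbage -> not UTF-8 / not JSON
        return False


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Client side: wrap innermost-first, exit key first, guard key last."""
    inner = {"next": destination, "data": payload.hex()}  # only the exit reads this
    cell = encrypt(circuit[-1].key, json.dumps(inner).encode())
    for hop, next_hop in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        layer = {"next": next_hop.name, "data": cell.hex()}
        cell = encrypt(hop.key, json.dumps(layer).encode())
    return cell


def send_through(circuit, destination: str, payload: bytes, client: str = "PC1") -> dict:
    """Push one onion down the circuit and report what each relay saw."""
    cell = build_onion(circuit, destination, payload)
    prev, next_hop = client, None
    for hop in circuit:
        next_hop, cell = hop.peel(prev, cell)
        prev = hop.name
    # After the exit peels the last layer, `cell` is the application payload
    # exactly as the destination receives it: the exit sees it unless TLS wraps it.
    return {"delivered_to": next_hop, "plaintext": cell,
            "views": {h.name: h.seen for h in circuit}}


if __name__ == "__main__":
    circuit = [Relay("guard"), Relay("middle"), Relay("exit")]
    result = send_through(circuit, "example.com:80", b"GET / HTTP/1.1\r\n")
    for name, view in result["views"].items():
        print(f"{name:6} saw prev={view['prev']!r} next={view['next']!r}")
    print("exit forwarded plaintext:", result["plaintext"])
```

Running it prints that the guard saw PC1 and the middle, the middle saw the guard and the exit, and only the exit saw the destination together with the plaintext; `can_read` on the outermost cell succeeds only for the guard.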
Why?
So why was Tor developed? The project started with good intentions: to provide privacy and anonymity on the internet. Think of journalists reporting from dangerous places such as conflict zones; the last thing they want is someone eavesdropping on their network traffic. The original purpose of Tor was to stop anyone from analyzing a targeted individual's traffic. An observer who can see your traffic can determine your location, the sites you visit, and possibly the data you transmit. That observer might be a government organization, an internet service provider, or a malicious individual on the same network. Tor prevents this by encrypting the traffic and bouncing it through randomly chosen relays, so that no single vantage point links you to what you are visiting.
Cybercrime
Unfortunately, cybercriminals have adopted Tor as well. They use the network to host command-and-control servers, ransomware payment sites and more, and to exfiltrate data stolen from victims. Tor can host hidden services (now called onion services), sites reachable only from inside the network, and those are also used for crime. Tor also gives anonymous access to what people call the Darknet: websites of questionable nature, related to narcotics, illegal firearm sales, and other illegal or questionable activities.
The Solution: WatchPoint
So what does WatchPoint have to do with Tor? Cybercriminals leverage Tor, so connections to it are worth watching. WatchPoint's endpoint protection product, Carbon Black, can detect traffic to Tor nodes. Because Tor is uncommon on business endpoints, such traffic triggers an alert. WatchPoint's security experts open an incident ticket and respond appropriately: they isolate the host machine and then begin remediation. This stops a cybercriminal from exfiltrating data or reaching a malicious Tor service or website. The alert is the start of triage rather than proof of compromise, since an employee running the Tor Browser looks the same on the wire as malware using Tor.