Government officials are warning that Tor (The Onion Router) software is a double-edged sword.
On the surface, Tor is a great security resource.
The software allows users to browse the web anonymously through encryption and routing. This setup, managed by the Tor Project, promotes privacy and the free, democratic use of the internet.
But now, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI want cybersecurity professionals to watch out for this technology.
In a joint advisory, the government agencies explain how threat actors can use Tor to create a layer of anonymity and conceal malicious activity at different stages of network compromise.
The advisory includes examples of these stages, made possible through Tor:
These risks require careful network monitoring:
"The use of Tor in this context allows threat actors to remain anonymous, making it difficult for network defenders and authorities to perform system recovery and respond to cyberattacks. Organizations that do not take steps to block or monitor Tor traffic are at heightened risk of being targeted and exploited by threat actors hiding their identity and intentions using Tor."
According to the advisory, the best way to watch for Tor-based attacks is to search for early warning signs.
CISA and the FBI break it down using the stages of the MITRE ATT&CK framework. Mapping observed activity to these stages helps distinguish early warning indicators from those that show an attack is already underway.
Here are the early warning ATT&CK signs:
And these are the ATT&CK underway indicators:
Staying aware of these stages can help organizations track and defend against Tor-based attacks.
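A defender-side illustration of the Tor traffic monitoring the advisory calls for, added here as an example and not taken from the article or the advisory: it scans constructed firewall log lines for inbound connections from a placeholder Tor exit-node list and for outbound connections from internal hosts to Tor's default relay ports. The log format, the addresses, the internal range and the relay-port heuristic are all assumptions made for this example.

```python
import ipaddress
import re

# Constructed placeholder exit-node list (documentation-range addresses, not real
# relays). In practice this is the Tor Project's published exit list, refreshed on a schedule.
KNOWN_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# Tor's default relay ports (ORPort 9001, DirPort 9030); outbound hits from inside warrant a look.
TOR_RELAY_PORTS = {9001, 9030}

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed firewall log lines in a simple key=value layout for this example.
SAMPLE_LOG = """\
2020-07-01T12:00:01Z src=203.0.113.42 dst=10.0.0.5 dport=443 action=allow
2020-07-01T12:00:02Z src=192.0.2.10 dst=10.0.0.5 dport=443 action=allow
2020-07-01T12:00:03Z src=10.0.0.23 dst=192.0.2.200 dport=9001 action=allow
2020-07-01T12:00:04Z src=198.51.100.7 dst=10.0.0.8 dport=22 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def scan_for_tor_indicators(log_text, exit_nodes=KNOWN_EXIT_NODES):
    """Return one dict per log line that matches a Tor-related indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        src, dport = m["src"], int(m["dport"])
        try:
            src_is_internal = ipaddress.ip_address(src) in INTERNAL_NET
        except ValueError:
            continue  # unparsable address; nothing to evaluate
        if src in exit_nodes:
            reason = "inbound from known Tor exit node"
        elif src_is_internal and dport in TOR_RELAY_PORTS:
            reason = "outbound from internal host to Tor relay port"
        else:
            continue
        hits.append({"ts": m["ts"], "reason": reason, "src": src,
                     "dst": m["dst"], "dport": dport, "action": m["action"]})
    return hits


if __name__ == "__main__":
    for h in scan_for_tor_indicators(SAMPLE_LOG):
        print(f"{h['ts']} {h['reason']}: {h['src']} -> {h['dst']}:{h['dport']} ({h['action']})")
```

Denied connections are reported too, since a blocked probe from an exit node is still an early warning sign worth correlating with later activity.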
But that's not all organizations can do to keep themselves safe, according to the advisory.
CISA and the FBI also include three levels of mitigation approaches to defending against these attacks:
Interested in more information about Tor-based cyberattacks? See the complete advisory here.