The Deep Web vs Network Security Monitoring
We have all heard the horror stories of the Deep Web. You know, the evil internet underground where cyber criminals and sexual predators lurk. Where boogiemen and anarchists trade secret coded messages through encrypted channels.
But is it really that bad?
Into the Void
The “Deep Web”, Dark Web or hidden internet, is a massive collection (some say up to 500 times the size of the regular internet) of sites and databases that don’t show up in standard search engines like Google. One of the easiest ways to connect to this network is via Tor, which ensures data encryption and anonymity. There are several Deep web search engines and portals that are only accessible through Tor. They have long cryptic names that usually end in “.onion”.
Does the dark web stand up to it’s dark side nomenclature? Absolutely! View any of the portal entrance menus and you’ll instantly know that you are not in Kansas anymore. Criminals, hitmen, drug dealers and others openly ply their trade. And don’t even bother putting normal “g-rated” terms into a Deep Web search engine. It most likely won’t find a response, or it will find a very deviant response for what you typed in.
So, is this a place that you want ANYONE on your corporate network to visit?
Though many use Tor for legitimate purposes, the deep web just isn’t that kind of place. But what can you do?
Enter Network Security Monitoring!
You do have a network monitoring system don’t you? If you don’t have a web proxy to control and block suspicious traffic, you can still use your network security monitoring system to catch Tor traffic.
As a test, I downloaded Talis, the Unix distro that comes all wired to run Tor out of the box. To it’s credit, it is one of the fastest tor implementations that I have seen by far. Surfing normal websites and searching with Google was relatively quick, not like the normal Tor use that I am used to on my Ubuntu or Windows systems.
I visited a couple of the “Deep Web” portals and even used the Torch search engine. Other than being painfully slow accessing these portals, I was actually able to find some legal material to use as a test! I grabbed some hardware “how-to” images and a couple goofy .pdf files.
I then pulled up my security server console to check to see if it caught anything:
It sure did! I received several alerts concerning my trip into the void. The traffic tripped several “known Tor node” rules. The Talis system IP address is listed along with the rule alerts. A security analyst monitoring this network could easily tell what corporate system was using the Tor network, and when they used it.
For further analysis, I grabbed the network packet capture for the session and imported it into my Netwitness Investigator program. It too detected the Tor traffic:
It didn’t throw an alert though, which I really thought it would. Suspicious traffic usually shows up at the top of Investigator, under “alerts”.
I did notice something else that did bother me. To be extra sure, I ran the packet capture through both Xplico, and Network Miner. The results from these backed up my initial findings.
There were no pictures… Or text documents…. Or pdf files… found in the packet capture.
As a matter of fact there was 0% detected unencrypted text. Yikes!
With just standard packet capture and detection, without SSL decryption, there would be no way to determine what was viewed or downloaded from the Tor network or worse the Deep Web.
The Tor network creates an encrypted channel from your system to the Tor onion routers. The data is then bounced around several servers and then unencrypted at the exit nodes, when the packets leave the Tor network. Though some businesses use Tor for legitimate purposes, most don’t use it at all. If your corporate users are accessing the Deep Web from work, then this could open up your network to a multitude of malicious threats. And if they are downloading questionable, illegal or copyrighted material this could put your corporation at legal risk.
Record and monitor ALL of your network traffic. This could help you detect issues before they become major problems. Block or monitor suspicious SSL traffic on your network. You may capture Bot command and control communication or someone using your network for less than legal purposes.