The Deep Web vs Network Security Monitoring

We have all heard the horror stories of the Deep Web. You know, the evil internet underground where cyber criminals and sexual predators lurk. Where boogiemen and anarchists trade secret coded messages through encrypted channels.

But is it really that bad?

Into the Void

The “Deep Web”, Dark Web or hidden internet, is a massive collection (some say up to 500 times the size of the regular internet) of sites and databases that don’t show up in standard search engines like Google. One of the easiest ways to connect to this network is via Tor, which ensures data encryption and anonymity. There are several Deep web search engines and portals that are only accessible through Tor. They have long cryptic names that usually end in “.onion”.

Does the dark web stand up to it’s dark side nomenclature? Absolutely! View any of the portal entrance menus and you’ll instantly know that you are not in Kansas anymore. Criminals, hitmen, drug dealers and others openly ply their trade. And don’t even bother putting normal “g-rated” terms into a Deep Web search engine. It most likely won’t find a response, or it will find a very deviant response for what you typed in.

So, is this a place that you want ANYONE on your corporate network to visit?


Though many use Tor for legitimate purposes, the deep web just isn’t that kind of place. But what can you do?

Enter Network Security Monitoring!

You do have a network monitoring system don’t you? If you don’t have a web proxy to control and block suspicious traffic, you can still use your network security monitoring system to catch Tor traffic.

As a test, I downloaded Talis, the Unix distro that comes all wired to run Tor out of the box. To it’s credit, it is one of the fastest tor implementations that I have seen by far. Surfing normal websites and searching with Google was relatively quick, not like the normal Tor use that I am used to on my Ubuntu or Windows systems.

I visited a couple of the “Deep Web” portals and even used the Torch search engine. Other than being painfully slow accessing these portals, I was actually able to find some legal material to use as a test! I grabbed some hardware “how-to” images and a couple goofy .pdf files.

I then pulled up my security server console to check to see if it caught anything:

It sure did! I received several alerts concerning my trip into the void. The traffic tripped several “known Tor node” rules. The Talis system IP address is listed along with the rule alerts. A security analyst monitoring this network could easily tell what corporate system was using the Tor network, and when they used it.

For further analysis, I grabbed the network packet capture for the session and imported it into my Netwitness Investigator program. It too detected the Tor traffic:

It didn’t throw an alert though, which I really thought it would. Suspicious traffic usually shows up at the top of Investigator, under “alerts”.

I did notice something else that did bother me. To be extra sure, I ran the packet capture through both Xplico, and Network Miner. The results from these backed up my initial findings.

There were no pictures… Or text documents…. Or pdf files… found in the packet capture.

As a matter of fact there was 0% detected unencrypted text. Yikes!

With just standard packet capture and detection, without SSL decryption, there would be no way to determine what was viewed or downloaded from the Tor network or worse the Deep Web.


The Tor network creates an encrypted channel from your system to the Tor onion routers. The data is then bounced around several servers and then unencrypted at the exit nodes, when the packets leave the Tor network. Though some businesses use Tor for legitimate purposes, most don’t use it at all. If your corporate users are accessing the Deep Web from work, then this could open up your network to a multitude of malicious threats. And if they are downloading questionable, illegal or copyrighted material this could put your corporation at legal risk.

Record and monitor ALL of your network traffic. This could help you detect issues before they become major problems. Block or monitor suspicious SSL traffic on your network. You may capture Bot command and control communication or someone using your network for less than legal purposes.

Security Onion Article Featured in Hakin9 Magazine

The latest Hakin9 Exploiting Software issue is out!

This month’s issue features my article on “Easy Network Security Monitoring with Security Onion“:

Hackers and the malware that they create are getting much better at evading anti-virus programs and firewalls. So how do you detect or even defend against these advanced threats? Intrusion Detection Systems monitor and analyze your network traffic for malicious threats. The problem is that they can be very difficult to configure and time consuming to install. Some take hours, days or even weeks to setup properly. The Security Onion IDS and Network Security Monitoring system changes all of that. Do you have 10 minutes? That is about how long it takes to setup and configure Security Onion – a Linux Security Distribution based on the Ubuntu (Xubuntu 10.04 actually) operating system.

And Craig Wright continues his series on creating shell code with this month’s article, “Understanding conditionals in shellcode“:

This article is going to follow from previous articles as well as going into some of the fundamentals that you will need in order to understand the shellcode creation process. In this article, we are looking at extending our knowledge of assembly and shellcoding. This is a precursor to the actual injection and hooking process to follow. You will investigate how you can determine code loops, the uses of loops as well as acting as an introduction into how you can reverse engineer assembly or shellcode into a higher level language and even pseudo-code, all of which forms an essential component of creating and executing one’s own exploit successfully. By gaining a deep understanding just how code works and to know where to find the fundamentals shellcode programming language we hope to take the reader from a novice to being able to create and deploy their own shellcode and exploits.

Also in this issue:

  • Creating a Fake Wi-Fi Hotspot to Capture Connected Users Information
  • Accurate Time Synchronization with NTP. Hardening your Cisco IOS Device
  • Penetration Testing Methodology in Japanese Company

Check it out!

Intro to Bro Network Security Monitor

Great impromptu intro video to the Bro Security Network Analysis Framework at Shmoocon by one of my favorite security authors/ speakers Richard Bejtlich.

Bro is an amazing tool that gives you a great summary of what is going on in your network. It creates text log files of connections, protocols, communications, and whatever else it sees on the wire. Check it out, this is good stuff. And I know I have been on a Security Onion kick again, but guess what? It comes installed by default in the open-source Security Onion IDS .

Just surf to your nsm/bro/ directory and check out all the log information created for you.

The Benefits of Network Security Monitoring (NSM)

Advanced threats are specifically made to bypass firewalls and intrusion detection systems, effectively killing defense in depth. So how do you battle these threats? Network Security Monitoring.

Several commercial and open source tools exist for Network Security Monitoring (NSM), so you will need to look around and find the one that works best for your needs. But nowadays you need a tool that records all the traffic coming in and out of your network and analyzes it for suspicious patterns or behaviors.

Security Onion is a great option for small to medium businesses (even home users) that need the power of NSM, but can’t afford a commercial solution. Security Onion comes pre-configured with a ton of intrusion and network security monitoring tools.

But for any NSM solution, you want one that:

  • Records all your traffic
  • Analyzes for suspicious behavior and patterns and warns you when they are detected
  • Provides complete packet captures
  • Provides an easy way to view and analyze captured packets
  • Keeps complete logs of all intrusions and suspicious behavior
  • Keeps a log of all websites visited, DNS lookups, ftp sessions, even chat and mail sessions.

Security Onion can do all of that and more. Plus you can have multiple sensors in multiple locations and have them all report back to a single Security Onion Install.

Why would you want multiple sensors? For any NSM install, you want to have a view of your network traffic at different locations in case the worst happens and you get compromised. You can place a sensor between your incoming data pipe and your main firewall. You can also place one between your firewall and Lan. That way you can see what was hitting your edge firewall and what made it through.

You can also place a sensor between the Lan switch and a single high priority machine. This way you can tell exactly what data was transferred to and from this machine in case of a breach. You need to analyze your network and see where the best places would be to institute monitoring.

Intruders will get in, it is just a fact of life now. The NSA came to this conclusion about network security in 2010.  Debora Plunkett, NSA’s director of the U.S. Information Assurance Directorate said, “There’s no such thing as ‘secure’ any more.  The most sophisticated adversaries are going to go unnoticed on our networks.  We have to build our systems on the assumption that adversaries will get in.  We have to, again, assume that all the components of our system are not safe, and make sure we’re adjusting accordingly.”

But you can monitor and hopefully catch them before the worse happens. Or in the event the worse happens, you will have a full forensics trail to follow to make sure that it doesn’t happen again.