Detect Tor is added to the Use Case Library: see the first reports from the field

Available through the Use Case Library cloud platform, Detect Tor delivers a fusion of Machine Learning, Behavior Profiling and Active Discovery technology straight to your SIEM. This enables the highest possible accuracy in finding all Tor connections in any part of the organization's infrastructure.

Recognized experts such as CloudFlare state that 94% of Tor traffic is M2M (machine-to-machine) and is very often malicious in nature. Tor traffic also accounts for 18% of global spam email, according to Project Honey Pot. Yet the reality is that not all Tor traffic is malicious: millions of people worldwide use it to defend their privacy rights, so auto-blocking Tor is not a feasible solution! At the same time, Tor is also actively used for Ransomware and APT campaigns. Detect Tor enables you to tell the difference between a strange pattern and a real security incident by leveraging the tools that you and thousands of organizations worldwide already have and have trusted for decades. A turn-key analytical content add-on by SOC Prime, it finds any Tor-related connections and spots the assets involved, defines risk priority, identifies the threat behind them and automatically alerts security specialists to such behavior.

SOC Prime Detect Tor has confirmed 'kills' in all Proofs of Concept to date. These include the discovery of banking malware on accounting machines that bypassed traditional anti-virus technologies and a RAT trojan on corporate administrator workstations. Another company discovered security policy abuse by a number of users who used Tor to obscure communications in which they exchanged confidential corporate information. Detect Tor even helped to find a malicious insider who sent over 50 gigabytes of data containing financial information and customer data over the Tor network.

While the cases above clearly illustrate how the Tor network is abused for malicious purposes, we do not hold the view that Tor should be prohibited. Instead, organizations must keep Tor usage, but not its content, under constant control. We do not support or provide tools for eavesdropping or privacy violation.