What is a TOR? How to safely manage risk | nFlo guide

What is a TOR network and how to protect a company from the dangers associated with it?


In the digital world, there are technologies with a dual nature. On the one hand, they offer powerful capabilities and serve noble purposes; on the other, in the wrong hands, they become a dangerous tool. The TOR network undoubtedly belongs to this category. For some, it is a symbol of freedom of speech, a tool for journalists, activists and citizens living under oppressive regimes to bypass censorship and remain anonymous. For others, especially in the corporate world, its name is almost synonymous with the “dark web,” cybercrime and uncontrolled activity.

From the perspective of a business leader, security director or IT manager, the issue is much simpler. Regardless of legitimate or ethical uses, the presence of traffic to and from the TOR network inside a company’s infrastructure is, in the vast majority of cases, a warning sign. It can indicate that employees are deliberately bypassing security policies, that there is an active attempt to steal data, or, worst of all, that malware on the network is using TOR to communicate with its operators.

This guide aims to demystify the TOR network in a business context. We will objectively and thoroughly explain how the technology works, why it is so controversial, what real risks it poses to your organization and, most importantly, what practical steps you can and should take to effectively manage these risks.

What is the TOR network and why is it so controversial in the business world?

TOR, short for “The Onion Router”, is a global, decentralized computer network whose main goal is to provide its users with almost complete anonymity. Its operation is based on a concept that is ingenious in its simplicity: onion routing.

When a user wants to connect to a website via TOR, their software (the TOR browser) does not send the request directly to the target. Instead, it creates an encrypted, multi-layer “onion.” The request is first encrypted repeatedly, layer by layer, using the public keys of successive, randomly selected servers in the TOR network, called relays. The packet thus prepared is then sent to the first relay in the chain. That relay, using its private key, removes one outer layer of encryption and discovers the address of the next relay, to which it forwards the packet. This process is repeated several times. Each relay in the chain knows only the address of the previous and the next node, and none of them simultaneously knows both the original source and the final destination of the communication. The last relay in the chain, called the exit node, removes the last layer of encryption and sends the original request to the destination website.

With this architecture, the target website sees the anonymous TOR exit node as the source of the traffic, not the user’s real IP address. In turn, to an external observer, such as an ISP, the traffic is visible only as an encrypted connection to the first TOR node. This makes it extremely difficult, though not impossible, to trace the entire path and link the user to their online activity.
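The layering described above, as an added simulation that is not part of the original article: a three-relay circuit is built with one encryption layer per relay, and each relay can only recover the next hop, never the full path. The per-hop keys and the SHA-256 keystream cipher are stand-ins chosen for this example (real Tor negotiates a fresh session key with each relay and uses proper ciphers).

```python
import hashlib
import json
from itertools import count

# Constructed toy circuit: three relays, each with its own per-hop key.
# Real Tor negotiates these keys when the circuit is built; fixed constants
# are used here purely for illustration.
RELAY_KEYS = {
    "guard": b"guard-key-00",
    "middle": b"middle-key-01",
    "exit": b"exit-key-02",
}


def _keystream(key, length):
    """Toy keystream (SHA-256 in counter mode). Illustrative only, not Tor's crypto."""
    out = b""
    for i in count():
        if len(out) >= length:
            break
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
    return out[:length]


def encrypt(key, data):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


decrypt = encrypt  # an XOR stream cipher is its own inverse


def build_onion(path, destination, request):
    """Wrap the request in one encryption layer per relay, innermost first."""
    # Innermost layer: only the exit node sees the destination and the plaintext.
    layer = json.dumps({"next": destination, "payload": request.decode()}).encode()
    layer = encrypt(RELAY_KEYS[path[-1]], layer)
    # Every earlier relay gets a layer naming only the next hop plus an opaque blob.
    for i in range(len(path) - 2, -1, -1):
        inner = {"next": path[i + 1], "payload": layer.hex()}
        layer = encrypt(RELAY_KEYS[path[i]], json.dumps(inner).encode())
    return layer


def peel(relay, onion):
    """What a single relay learns: the next hop and an inner blob it cannot read."""
    inner = json.loads(decrypt(RELAY_KEYS[relay], onion))
    nxt, payload = inner["next"], inner["payload"]
    if nxt in RELAY_KEYS:
        return nxt, bytes.fromhex(payload)  # still encrypted for the next relay
    return nxt, payload                     # exit node: plaintext for the destination


def route(path, destination, request):
    """Simulate the circuit and record which next hop each relay could see."""
    onion = build_onion(path, destination, request)
    seen = []
    for relay in path:
        nxt, onion = peel(relay, onion)
        seen.append((relay, nxt))
    return seen, onion
```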

The controversy in the business world stems from this very feature. Anonymity, which is a blessing for human rights advocates, is at the same time an ideal tool for cybercriminals. They use TOR to hide their identities when launching attacks, to host illegal markets in the “dark web,” and to manage their malware infrastructure (Command & Control servers), making it resistant to being located and blocked by law enforcement.

Does employee use of TOR always mean a threat to the company?

From a risk management perspective in a corporate environment, the answer to this question is almost always yes. With very few, tightly controlled exceptions, which we will discuss later, the use of TOR software by an employee on a corporate device and on the corporate network is a serious security breach and should be treated as a potential incident.

The reason is simple: the very essence of TOR is to deliberately bypass corporate control and monitoring mechanisms. Organizations invest heavily in firewalls, content filtering systems or network traffic analysis platforms to protect their infrastructure and data. An employee who launches a TOR browser creates an encrypted, anonymous tunnel that “breaks through” all these layers of defense. At that point, the security department loses any visibility and control over what the employee is doing online, what sites he or she is visiting and what data he or she is sending or downloading.

Even if an employee’s intentions are not malicious – for example, he or she just wants to browse the Internet privately during a break – his or her actions create a dangerous, unmanaged blind spot in the company network. This opens the door to potential threats and, in the event of an incident, makes it significantly more difficult to analyze what really happened. For this reason, the vast majority of corporate security policies should outright prohibit the installation and use of this type of software.

What specific risks (e.g., data leakage, malware) are associated with traffic from TOR networks?

The presence of TOR traffic on a company’s network introduces a number of specific, very serious risks, which can be divided into two categories: risks associated with outbound traffic (when an employee connects to the TOR network) and inbound traffic (when someone from the TOR network tries to connect to our company).

Risks associated with outbound traffic:

  • Data Leakage (Data Exfiltration): This is the biggest threat. A malicious employee, or someone whose computer has been infected with malware, can use TOR to steal and anonymously transmit to the outside world the most valuable company data – customer databases, technical designs, financial strategies or intellectual property. The encrypted nature of the TOR tunnel means that data loss prevention (DLP) systems are often unable to analyze and block such a leak.
  • Introduction of malware: An employee, using a TOR browser, can access sites in the “dark web” that harbor malware and unknowingly download a virus, Trojan or ransomware onto his or her computer. What’s more, the TOR network’s “exit nodes” themselves may be controlled by actors with hostile intentions, who may attempt to launch man-in-the-middle attacks on unencrypted connections and inject malicious code into them.

Inbound traffic risks:

  • Covert Command & Control (C2) channel: If there is already an infected computer inside a company’s network (e.g., as a result of a phishing attack), it can use TOR to establish a return connection to its management server, disguised as a “.onion” service. Such a communication channel is extremely difficult for standard security systems to detect and block, because the traffic looks like standard encrypted web traffic. This gives the attacker a permanent, invisible foothold inside the organization.
  • Anonymizing attacks on public services: Attackers can use the TOR network to launch attacks on a company’s publicly available services, such as a website or mail server. Using TOR allows them to hide their true IP address, making it much more difficult to block an attack and later attribute it to a specific source.

How do cybercriminals use TOR to attack corporate networks?

Cybercriminals have incorporated TOR into their permanent arsenal and use it in very specific phases of advanced attack campaigns. Rarely is TOR itself a tool for breaking through security, but it is a key element that allows attackers to hide their identities and maintain control of compromised infrastructure.

One of the main applications is hosting Command & Control (C2) infrastructure. Rather than placing their command servers on standard commercial hosting, where they can be easily identified and blocked, criminal groups often configure them as so-called “hidden services” on the TOR network, accessible at an address with the “.onion” suffix. This architecture provides them with a high level of anonymity and resistance to law enforcement action. Malware installed on the victim’s network is programmed to connect to this hidden address in order to download commands and send back stolen data.

The second use is to anonymize offensive activities. Attackers, when conducting vulnerability scans on a company’s public systems or trying to exploit a known vulnerability, often route their traffic through the TOR network. As a result, the victim’s security logs show a random IP address belonging to a TOR exit node as the source of the attack, rather than the attacker’s real address. This complicates analysis, blocking and any attempt to identify the attacker.

Finally, the TOR network is inextricably linked to the economy of cybercrime. It is in the illegal marketplaces in the “dark web,” accessible primarily through TOR, that stolen credentials, credit card numbers, zero-day exploits or ransomware-as-a-service are traded. Even if the company itself is not directly attacked through TOR, its stolen data can be sold and bought there.

Do legitimate business applications of TOR make practical sense?

While the overall tone is negative, it is fair to say that there are very niche, legitimate scenarios in which a company may want to use the TOR network. However, these are exceptional situations that must be handled in an extremely controlled manner.

One such use is conducting competitive intelligence or market research. A business analyst visiting a competitor’s website may want to hide the fact that the traffic is coming from IP addresses belonging to their company. Using TOR allows anonymous collection of information without leaving any traces.

The second scenario is testing the company’s own security from the perspective of an external, anonymous attacker. The security team may want to check how its publicly accessible systems look from the TOR network and whether its detection systems are able to correctly identify and alert on an attack attempt coming from that network.

However, it should be stressed that these are highly specialized activities that may only be carried out by authorized, risk-aware personnel (e.g., the security team), on dedicated workstations isolated from the rest of the network, and with explicit, documented management approval. For the overwhelming majority of ordinary employees, there is no legitimate business reason to use the TOR network on a company device.

What are the technical options for monitoring and blocking access to TOR networks?

Effective TOR risk management requires the implementation of appropriate technical controls. Fortunately, there are several proven and highly effective methods.

The simplest and most effective is to block traffic at the firewall level. The TOR project publishes a list of the IP addresses of all relays in its network (guard, middle and exit nodes). These lists are regularly updated. A next-generation firewall (NGFW) administrator can subscribe to these lists (in the form of so-called “IP Reputation Feeds” or “Threat Intelligence Feeds”) and create a simple rule that blocks all network traffic – both inbound and outbound – to and from these known IP addresses. This is the first and most important line of defense.

A second method that complements blocking by IP address is traffic signature analysis (Deep Packet Inspection, DPI). Modern firewalls can analyze not only addresses, but also the characteristics of the traffic itself. The protocol used by TOR to establish connections has some unique characteristics that DPI systems are often able to recognize and block, even if the connection is routed to an as yet unknown new TOR node (a so-called bridge).

The third layer is DNS query monitoring. To find bridge addresses, TOR software often queries specific, known domains. Monitoring internal DNS servers for queries on these domains can be an early indicator that one of the computers on the network is trying to connect to the TOR network.

What security policies should a company implement in the context of anonymous networks?

Technology alone is not enough. It must be supported by clear, communicated and enforced organizational policies. The foundation is the Acceptable Use Policy (AUP). This document, which should be read and accepted by every employee, must explicitly and unambiguously prohibit the installation and use on company devices of any software designed to anonymize or bypass network security, including the TOR browser.

This policy should be supported by technical measures, such as an application control policy that prevents users with standard privileges from installing unauthorized software.

It is also extremely important to have a proper procedure in place as part of the Incident Response Plan. This plan should include a dedicated “playbook” in case TOR traffic is detected on the network. It must specify precisely what steps are to be taken – who is to be informed, how quickly the device in question is to be isolated, and what analytical steps are to be performed to check for compromise.

How is TOR different from a VPN and which solution is safer for business?

In discussions of anonymity and privacy, the TOR network is often confused with VPN (Virtual Private Network) services. However, these are two completely different technologies, with different goals and security profiles.

  • TOR is a decentralized, slow network run by volunteers with the overriding goal of anonymity, that is, hiding the user’s identity and location. Trust here is distributed and based on the assumption that most nodes in the network are not malicious.
  • A VPN is usually a centralized, high-speed commercial service whose main purpose is privacy and security of the connection, i.e. encrypting the traffic between the user’s device and the VPN server. It does not provide anonymity to the same extent as TOR – the VPN service provider knows who its client is and what its real IP address is. Trust here is consolidated and entrusted to one entity – the company providing the VPN service.

From a business perspective, the choice is clear. For corporate purposes, such as providing secure remote access for employees, the only acceptable solution is to deploy a managed, corporate VPN. It provides a fully controlled, encrypted and auditable communication channel to the company’s infrastructure. TOR is a tool designed for anonymization, not secure corporate access, and its use in this context is unacceptable.

How do you educate employees about the dangers of unauthorized software?

Effective defense against threats such as TOR relies not only on technical blockades, but also on building awareness among employees. The education program should go beyond a simple “must not”. It must explain “why it is not allowed.”

The most effective method is to present employees with realistic risk scenarios they can understand. They should be shown how installing one seemingly harmless “private Internet browsing” application can in practice create a “backdoor” in the company network through which ransomware can enter the company. Such an attack can lead to the encryption of their own files, paralyze the work of an entire department and, in extreme cases, cause their colleagues to lose their jobs as a result of the company’s financial losses.

Training should be conducted on an ongoing basis, in the form of short, engaging information campaigns rather than a one-time annual lecture. Test phishing campaigns and regular reminders of existing policies help to solidify desired habits and build a culture in which every employee feels responsible for the security of the entire organization.

What network monitoring tools help detect unwanted activity?

Detecting attempts to use TOR networks requires a multi-layered approach to monitoring. A next-generation firewall (NGFW) is the first line of defense, but should be complemented by other tools.

  • SIEM (Security Information and Event Management) systems: These are able to correlate events from multiple sources. For example, a SIEM can combine a log from a firewall about a blocked connection attempt to the IP address of a TOR node with an alert from an EDR system on a workstation that has detected the launch of an unusual process. Such a correlation creates an alert with much higher priority and credibility.
  • Network Detection and Response (NDR) platforms: These are tools that passively analyze all network traffic inside the infrastructure. They are particularly valuable in detecting covert C&C channels that may attempt to tunnel TOR traffic through allowed protocols such as HTTPS. NDR, by analyzing communication patterns and metadata, is able to identify such anomalies and alert on potential compromise.
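To make the controls in the two sections above concrete (relay-list blocking and DNS monitoring, then SIEM-style correlation of firewall, DNS and EDR events per host), here is an added example that is not part of the original article. All log lines, the relay feed and the addresses (RFC 5737 documentation ranges) are constructed; the log formats, the internal address range and the single bridge-distribution domain on the watch-list are assumptions to be replaced with an organization’s own feeds.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data standing in for the Tor Project's relay list and for
# a company's firewall, DNS and EDR logs. None of these are real indicators.
TOR_RELAY_FEED = """203.0.113.10,exit
203.0.113.11,guard
198.51.100.7,middle"""
FIREWALL_LOG = """2024-05-02T10:01:05Z action=DENY src=10.0.0.25 dst=203.0.113.10 dport=443
2024-05-02T10:01:09Z action=ALLOW src=10.0.0.31 dst=192.0.2.200 dport=443
2024-05-02T10:02:11Z action=DENY src=203.0.113.11 dst=192.0.2.80 dport=22"""
DNS_LOG = """2024-05-02T10:00:58Z client=10.0.0.25 query=bridges.torproject.org
2024-05-02T10:01:20Z client=10.0.0.31 query=www.example.com"""
EDR_LOG = """2024-05-02T10:01:30Z host=10.0.0.25 event=process_start image=tor.exe"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range
# bridges.torproject.org is the Tor Project's bridge-distribution host; extend
# this watch-list from your own threat-intelligence feed.
BRIDGE_DOMAINS = {"bridges.torproject.org"}
KV = re.compile(r"(\w+)=(\S+)")


def load_relays(feed):
    """Map relay IP -> role from a CSV feed of known Tor relays."""
    return dict(line.split(",") for line in feed.splitlines() if line.strip())


def is_internal(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return False


def correlate(relays, fw_log, dns_log, edr_log):
    """SIEM-style correlation. Returns (host_alerts, inbound): host_alerts maps
    an internal IP to {"sources": set, "priority": "high"|"medium"}; inbound
    lists (tor_relay_ip, targeted_public_ip) pairs seen at the firewall."""
    hosts = defaultdict(set)
    inbound = []
    for line in fw_log.splitlines():
        f = dict(KV.findall(line))
        if f.get("dst") in relays and is_internal(f.get("src", "")):
            hosts[f["src"]].add("firewall")       # outbound to a known relay
        elif f.get("src") in relays and not is_internal(f.get("dst", "")):
            inbound.append((f["src"], f["dst"]))  # relay hitting a public service
    for line in dns_log.splitlines():
        f = dict(KV.findall(line))
        if f.get("query", "").lower() in BRIDGE_DOMAINS:
            hosts[f["client"]].add("dns")         # bridge-discovery lookup
    for line in edr_log.splitlines():
        f = dict(KV.findall(line))
        if f.get("event") == "process_start" and f.get("image", "").lower().startswith("tor"):
            hosts[f["host"]].add("edr")           # unusual process on the endpoint
    alerts = {}
    for host, sources in hosts.items():
        # Two or more independent sources agreeing is what raises credibility.
        priority = "high" if len(sources) >= 2 else "medium"
        alerts[host] = {"sources": sources, "priority": priority}
    return alerts, inbound
```

The firewall branch is the same match an NGFW performs against a subscribed relay feed; the correlation step is what a SIEM adds on top of it.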

Do next-generation firewalls effectively protect against threats from TOR?

Yes, next-generation firewalls (NGFWs) are a very effective and essential tool to protect against TOR network threats, but they are not a 100 percent solution and must be part of a broader defense strategy.

Their main strength is their ability to block traffic based on the reputation of IP addresses. By subscribing to constantly updated lists of known TOR network nodes, an NGFW can effectively block the vast majority of connection attempts to and from that network. In addition, deep packet inspection (DPI) and application identification features often allow them to recognize the distinctive TOR protocol signature and block it, even if it tries to use a non-standard port.

However, there are also limitations. The TOR network has mechanisms for “bridges,” or non-public entry nodes whose addresses are not on standard blocking lists. A user determined to bypass security may try to exploit these bridges. More importantly, if the attacker is already inside the network, he or she may try to tunnel TOR traffic through other permitted and encrypted protocols (e.g. HTTPS over port 443), which for simpler firewall configurations can be difficult to distinguish from legitimate traffic.

Therefore, while an NGFW is an absolutely essential layer of defense, it must be complemented by other mechanisms, such as internal traffic monitoring (NDR) and endpoint protection (EDR), which together form an effective, multi-layered defense-in-depth strategy.

How can nFlo’s cybersecurity services help protect your business from TOR network threats?

Successfully managing the risks associated with anonymizing networks such as TOR requires a comprehensive approach that combines advanced technology, well-defined policies and specialized expertise. At nFlo, we understand that protecting against these types of threats is not a matter of a single product, but the maturity of the entire security program.

Our portfolio of cyber security and IT infrastructure design services is designed to provide you with all the necessary elements to build a multi-layered defense:

  • Network Infrastructure Design and Management: We deploy and configure next-generation firewalls (NGFW) from leading vendors. We create precise security policies, including rules that block traffic to and from the TOR network based on the latest threat intelligence. We design a secure, segmented network architecture that limits the reach of a possible attack.
  • Audits and penetration testing: Our testing services help proactively identify whether there are uncontrolled exit points to the Internet on your network, whether employees are bypassing security policies, and whether the controls in place are effective in blocking attempts at unauthorized communications.
  • Implementing monitoring systems: We assist in the selection, implementation and configuration of SIEM and NDR systems that are capable of real-time detection of anomalies and suspicious connections, including those specific to TOR network activity.
  • Creating Policies and Procedures: We support our clients in creating robust management documents – from an Acceptable Use Policy that clearly defines the rules of network use, to detailed incident response procedures that will prepare your team for any eventuality.

Protecting against threats from anonymizing networks is a key component of a mature security strategy. Contact the experts at nFlo to discuss how we can help you implement a multi-layered defense system that effectively protects your network, data and reputation from the risks associated with uncontrolled traffic.

About the author:
Przemysław Widomski

Przemysław is an experienced sales professional with a wealth of experience in the IT industry, currently serving as a Key Account Manager at nFlo. His career demonstrates remarkable growth, transitioning from client advisory to managing key accounts in the fields of IT infrastructure and cybersecurity.

In his work, Przemysław is guided by principles of innovation, strategic thinking, and customer focus. His sales approach is rooted in a deep understanding of clients’ business needs and his ability to combine technical expertise with business acumen. He is known for building long-lasting client relationships and effectively identifying new business opportunities.

Przemysław has a particular interest in cybersecurity and innovative cloud solutions. He focuses on delivering advanced IT solutions that support clients’ digital transformation journeys. His specialization includes Network Security, New Business Development, and managing relationships with key accounts.

He is actively committed to personal and professional growth, regularly participating in industry conferences, training sessions, and workshops. Przemysław believes that the key to success in the fast-evolving IT world lies in continuous skill improvement, market trend analysis, and the ability to adapt to changing client needs and technologies.