A credential was observed accessing the environment from a known anonymized (TOR) exit node.
Possible Root Causes
An attacker is using an anonymizing proxy like TOR to obfuscate details of their source connection or make an investigation more difficult by using multiple source IP addresses.
A user may be intentionally using TOR to circumvent restrictions preventing access to the resources in question, such as those applied by the country they are accessing from.
Business Impact
Attackers identified under this detection are actively operating within the environment while maintaining some level of operational security by obfuscating their source details.
Attackers operating over TOR reduce the ability of teams to link identified attacker behavior with behavior not yet identified, since TOR lets the attacker regularly change the source details of their connections while operating within the environment.
Authorized users that have adopted TOR may be in violation of IT Policies and be placing organizational assets at risk.
Steps to Verify
Review the actions undertaken by the user after the identified activity and the potential risk posed by that access.
Review security policy to determine if the use of TOR is allowed.
Discuss with the user to determine if the use of TOR is known and legitimate.
If the review determines there is a high risk to data or the environment, disable the credentials and perform a comprehensive investigation.
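The first verification step above, worked as an added example that is not part of the original page: it takes constructed CloudTrail-style events and a constructed exit-node list, groups the events by credential, and for each credential seen from an exit node reports the distinct exit IPs and every action taken from the first TOR-sourced access onward. The IP addresses and ARNs are placeholders; only the field names follow CloudTrail's schema.

```python
import json
from collections import defaultdict

# Constructed exit-node list (placeholder addresses, not a real feed).
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# Constructed CloudTrail-style events; field names match CloudTrail's schema.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.42",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.42",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "192.0.2.11",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]


def tor_activity_by_credential(events, exit_nodes=TOR_EXIT_NODES):
    """Group events by credential ARN. For each credential used from an exit
    node, return the first TOR-sourced time, the distinct exit IPs (several
    per credential is typical of circuit rotation) and every action taken
    from that first TOR access onward, i.e. the review window."""
    by_cred = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        by_cred[ev["userIdentity"]["arn"]].append(ev)
    findings = {}
    for arn, evs in by_cred.items():
        tor_evs = [e for e in evs if e["sourceIPAddress"] in exit_nodes]
        if not tor_evs:
            continue  # credential never seen from an exit node
        first = tor_evs[0]["eventTime"]
        findings[arn] = {
            "first_tor_access": first,
            "exit_ips": sorted({e["sourceIPAddress"] for e in tor_evs}),
            "actions_after": [e["eventName"] for e in evs if e["eventTime"] >= first],
        }
    return findings


if __name__ == "__main__":
    print(json.dumps(tor_activity_by_credential(SAMPLE_EVENTS), indent=2))
```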
AWS TOR Activity