Monitoring Anonymizing Networks (TOR/I2P) for Threat Intelligence

Disclaimer: Due to the prevalence of illegal material, specifically illegal images, we highly recommend only experienced researchers who understand the risks perform research in this area. Regardless of the experience of the investigator, disabling image loading or downloading should be the first step to prevent accidental exposure to this content. Laws in many countries do not distinguish between accidental and purposeful exposure to this content.Underground networks such as TOR and I2P can be likened to the BBS days of the 1980's and early 1990's, more technically sophisticated individuals are the predominate citizens. Many clones of services provided on the general internet are also available on the Darknet, from Ebay style sites to social media networks.The DarkWeb contains a wealth of threat intelligence ranging from large dumps of compromised credentials (usernames/passwords), data leaks, torrents, exploits, stolen credit card numbers, discussions about hacking tools, techniques, targets, and attacks. This information is scattered across TOR hidden services, I2P, and closed web forums. A number of projects are making great strides to map these uncharted waters, Harry71's SkunkWorks project, located at http://skunksworkedp2cg.onion/sites.html, the Onion Link List at http://uapn4ukzpeaoww54.onion/ and Anarchy: http://bdpuqvsqmphctrcs.onion/ are among some of the best for locating new and interesting sites for Security Researchers. These sites contain an index of many TOR hidden services as well as other relevant information such as banners, popularity and content categories.Security researchers may wish to consider the following before investigating on TOR/I2P:<ul><li>There is a cat and mouse game between those making these networks truly anonymous and those trying to identify users<ul><li>Tunneling connections through a high quality VPN service will add another layer of non-attribution</li></ul></li><li>Fake Personas might be needed to gain access to some of these sites and these personas will need to contribute to the forums on a regular basis to maintain access<ul><li>Carefully contribute without encouraging or participating</li></ul></li><li>Bitcoin is the common currency<ul><li>Buying access to forums and data should be part of the equation</li><li>Even a small bitcoin budget will have big returns</li></ul></li><li>Collaboration is key; Sharing the intelligence collected will help us collectively map and understand the threats <ul><li>If we share data, this allows us to maintain a higher degree of anonymity by reducing researcher swarm</li></ul></li><li>Contributing to the networks by running TOR/I2P routing services (or exit notes, in the case of TOR) helps increase anonymity and helps new researchers understand more about how the network operates<ul><li>Running hidden services is an important educational tool </li><li>This level of participation enhances the health and legal use cases for the anonymous networks</li></ul></li></ul>In our experience, simple scripts can be used to assist with automation and analysis. For less experienced engineers, the Polipo proxy tool can help reduce the complexity around SOCKS Proxy's used on the TOR Network, and help intelligence researchers get up to speed quickly. TOR and I2P are important areas for any Threat Intelligence capability to review. Daily analysis will help organizations stay on top of the risks posed to their organization, supply chain and competitors.A couple examples of content retrieved from underground forums are in the screen shots below, a popular forum for sharing data breach and hacking related information. <a href="https://www.threatstream.com/images/uploads/Screen_Shot_2015-07-01_at_7.48.49_AM.png"><img alt="" src="https://cdn.filestackcontent.com/nON8a2TToG8ZEMoyw7ju" style="float: left;"/></a> <img alt="" src="https://cdn.filestackcontent.com/ohEvAPICQ4q80UHsoyMO"/>