User activity from Tor

Goal

Detect user activity from suspicious IPs, specifically the Tor anonymisation network.

This may highlight malicious activity that a user doesn’t want to be linked to their real IP address.

Strategy

Correlate traces tagged with a user with the Threat Intelligence qualification of their IP address.

Require the trace to be flagged, either by a user event or by an In-App WAF attack.

A Low signal is then generated.

Triage and response

  1. Investigate the activity and validate that it is legitimate.
  2. Review activity from Tor IPs (@threat_intel.ip:tor) to evaluate if you’re under attack.
  3. Consider blocking the user if the activity is suspicious.