Cyber security professionals sometimes need to preserve their anonymity as well. When gathering threat intelligence from unofficial sources, it is best practice to operate in such a manner that the operator of the system hosting the intelligence cannot trace the visit back to the collector. A malware author or a DDoS-as-a-Service operator could, for instance, monitor visitors to their hosted information and change tactics, or even hide their services from the interested threat intelligence gatherer altogether. As an example, malware hosting infrastructure quite often blocks any connection from IP ranges belonging to certain targeted companies.
The need for legitimate anonymous internet access becomes especially important when dealing with dynamic malware analysis systems such as Cuckoo sandboxes. These systems can optionally reach out to the internet when a first-stage malware sample tries to connect to a server to download its second stage. These outgoing, so-called “dirty lines” need to be untraceable; otherwise the malware controller could learn that their code has been detected and is being analyzed, and act accordingly.
Traditional tools to preserve privacy and anonymity have mainly focused on rerouting the traffic via public nodes, such as exit nodes on the TOR network or (usually paid) VPN services. This usually works quite well. VPN services have gained a lot in popularity since the media are covering privacy breaches by companies, hackers, and governments more and more. A user can sign up to a private VPN service such as NordVPN, IPVanish and PureVPN by paying a monthly or yearly fee (about 30 USD to 100 USD per year), although there are some free options as well. These services come with agents full of security features, such as automatic blocking of network traffic if the VPN tunnel unexpectedly disconnects (to preserve privacy). Most providers also allow connections from other agents, such as the ones built into the user's operating system.
Apart from the fact that the use of private VPNs is usually not free, there is another issue. Most of the providers of these services are well known or easily traceable. This can arouse some suspicion at the intended destination: why would someone visit their server or website anonymously? Because of the increased popularity of private VPN services, however, this is becoming less and less suspicious. A final, much discussed issue around private VPN providers is that many claim their service is log-free (so no evidence is stored), but it has been proven that some providers do in fact keep logs and do provide these to authorities if required. This is not so much an issue for security researchers, but it is important to understand.
The use of the TOR network is (only) slightly more complex, but it is free and much harder to trace. Because there is no central authority that governs any of the traffic (this is the principle behind the architecture of the network), traffic is virtually untraceable. This comes with an important issue, however. Any traffic coming from an exit node on the TOR network is highly suspicious, both for companies (that usually block or monitor such traffic) and for controllers of malware and botnet infrastructure. Many organizations will also have a policy against the use of the TOR network for employees, including their security staff. All these issues make TOR a less than favorable option to preserve anonymity.
With some (small) costs it is also possible to build a sandbox system inside a public cloud, or to divert a “dirty line” via the cloud (with a VPN, for instance). Law enforcement can request the associated logs from the cloud providers to identify the researcher, but considering the setup is to be used for legitimate work, this should not be an issue. Of course, for additional privacy, one can always connect to the cloud instance using a private VPN if needed.
We looked at some of the complexities of preserving anonymity on the internet. The issue is not so much trying to hide one’s identity; it is doing so while not raising suspicions. Using cloud systems is a good and affordable way to avoid this, usually at little or no cost at all.