Image courtesy of IT Security Central

Throughout this series we have brought up darknet-enabled insiders, or professional insiders as some call them. These insiders are often armed with a series of tools that are accessible to anyone and barely require any knowledge of programming. Now that you have read about what happens on the Darknet, it would be wise to understand more about what tools are used to access the Darknet and what to look out for on your networks or employee devices. The first article in the series touched on this briefly while explaining the differences between the Darknet and the Clearnet. Now we will do a deeper dive into the tools so that as a manager you understand what is a threat to your organization. If you understand what tools an insider threat uses, then you will be better armed with information to identify a malicious insider. Let’s get started with the browsers themselves.

Darknet Gateways

People access the Darknet through overlay network browsers that can display hidden websites that are inaccessible from normal browsers. The intention is to maintain anonymity, so the browsers often come with a suite of other tools. Below you will find information about the two most popular, which are Tor and I2P.


The Tor network is more than a browser; it’s a distributed overlay network that is very well known to privacy advocates and the general public. Tor is also very accessible and requires no programming knowledge to set up. The browser can be loaded from a computer or from a thumb drive, which can make it challenging to identify an insider using it if you don’t have strong media device policies established. The Tor network is essentially packaged and ready to go for anyone.

The Tor browser was developed based on Firefox, and at a glance, to the average person walking by, it may appear that the user is working in Firefox. The Tor network is made up of three core types of nodes: internal relays, directory servers, and exit relays. When someone opens the Tor browser, the first thing the software does is download a list of available relays from a predetermined directory server. From there, the software determines a path through several relays to obscure traffic. More advanced users are able to change the directory server that Tor pulls from, but many people never do this. Tor does provide anonymity but the software was not optimized for it.

Tor is typically used by people who are looking to conduct regular activity anonymously. It’s also what an insider will likely use if they’re not a programmer of any sort. So expect this to be the program that your insiders will most likely try to use to access the Darknet. In some cases, working with your ISP, you can identify whether anyone has been using Tor on your network. However, advanced users have ways of using Tor that even ISPs are unable to detect, which include VPNs and Tor bridges.
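As an added example (not part of the original article), this is how your IT team could check firewall logs for the Tor use described above: since the relay list a Tor client downloads is public, outbound connections can be matched against it. The relay addresses and log lines below are constructed, and the function name and CSV layout are assumptions.

```python
import csv
import io

# Constructed relay endpoints (documentation address ranges, not real relays).
# In practice this set would be loaded from the published Tor relay list.
SAMPLE_RELAYS = {
    ("198.51.100.7", 9001),
    ("198.51.100.44", 443),
    ("203.0.113.19", 9001),
    ("203.0.113.80", 443),
}

# Constructed firewall export: timestamp, internal source, destination, port.
SAMPLE_FLOWS = """\
ts,src,dst,dport
2024-03-04T09:12:01,10.0.4.21,198.51.100.7,9001
2024-03-04T09:12:02,10.0.4.21,203.0.113.80,443
2024-03-04T09:12:05,10.0.4.21,203.0.113.19,9001
2024-03-04T09:13:40,10.0.7.3,192.0.2.10,443
2024-03-04T09:14:10,10.0.7.3,198.51.100.44,443
2024-03-04T09:20:00,10.0.9.9,192.0.2.55,9001
"""


def find_tor_clients(flow_csv, relays):
    """Return a per-host summary of outbound flows that reached a listed relay.

    Matching on (address, port) rather than address alone avoids flagging
    unrelated services hosted on the same IP as a relay.
    """
    report = {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        endpoint = (row["dst"], int(row["dport"]))
        if endpoint not in relays:
            continue
        entry = report.setdefault(
            row["src"],
            {"relays": set(), "flows": 0, "first": row["ts"], "last": row["ts"]},
        )
        entry["relays"].add(endpoint)
        entry["flows"] += 1
        # ISO-8601 timestamps sort correctly as plain strings.
        entry["first"] = min(entry["first"], row["ts"])
        entry["last"] = max(entry["last"], row["ts"])
    return report


if __name__ == "__main__":
    for src, e in sorted(find_tor_clients(SAMPLE_FLOWS, SAMPLE_RELAYS).items()):
        print(src, e["flows"], "flows to", len(e["relays"]), "relays", e["first"], e["last"])
```

A host that reaches Tor through a VPN or a Tor bridge will not appear in this report, because its traffic never goes directly to a listed relay.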


The next anonymous overlay network is called I2P, which tends to attract more advanced Darknet users because it’s optimized for privacy. As a result of this optimization, webpages and hidden services tend to load much faster on I2P than on Tor. Additionally, due to the inherent design, there are fewer attacks and surveillance vulnerabilities on I2P than on Tor. The main drawbacks of I2P are that it’s less funded than Tor and thus is slower to be updated or supported, and that Tor has a much larger user base, meaning there’s more anonymity as a result. Scaling is also not an issue for Tor, whereas it is an issue for I2P. Typically, people who seek to use I2P are looking for more than just anonymous web surfing; they need their communications and activity to be absolutely private. Often some of the most advanced users of the Darknet are on I2P, which includes hackers. Unless you have a really advanced user in your organization, your insiders will very likely be using only Tor to get set up.

Tails and USB Drive OS

As mentioned earlier, Tor or I2P can be loaded from a pen drive, and so can entire operating systems. For Darknet users there is a go-to Linux-based operating system called Tails, which can be booted from a pen drive. Tails was designed to be used from removable media, which includes DVDs and USB flash drives. The operating system does not interact in any way with the computer’s original operating system.

What this essentially means is that if an insider has Tails on a USB stick, then they could run it on your company computers and never leave a trace of what they were doing. Sadly, this is not simply an operating system either. Tails comes with a built-in web browser, messaging client, email client, OpenOffice, and encryption tools. It basically comes with everything someone would need to work on sensitive documents without a trace. Due to the system’s portability, it can be taken anywhere and booted on any computer.

While the stress here is on Tails, there are many Linux-based USB operating systems out there. Tails is notable because it’s one of the most robust and popular systems when it comes to obscuring one’s identity and tracks. Anyone interested in the Darknet with even a slight association to Reddit will likely know about Tails. If you have a malicious insider in your organization who knows about Tails, then you may have a lot of trouble identifying them.

One of the best ways to prevent Tails being used on your network is to set policies around removable media and put technology in place that can detect suspicious behavior. There are some security solutions that can even notify you when someone inserts removable media into a computer and block the removable media as well.

Virtual Private Networks (VPN)

If you manage multiple computers and data on servers, then you have a network at your organization, a private network. There are services out there that offer their private networks as a means of obscuring identity and traffic. When a user connects over a VPN, their traffic is sent to a private network, and that data is then sent from the VPN to the destination the user is trying to reach. The user and many others appear under the same IP address this way. If an insider at your organization is using a VPN and it’s unrelated to their job or line of work, then some eyebrows should be raised. Using a VPN combined with Tor could actually hide the fact that someone at your organization is using Tor in the first place. You’re able to find out, though, by understanding that privacy online normally starts with people using a VPN. There are literally hundreds of VPN clients, so try to work with your IT people to understand what to look out for on your network. For a detailed explanation of VPNs, this post and the image below from Microsoft give an in-depth description.

Pretty Good Privacy (PGP)

We couldn’t end this article without mentioning the encryption tools themselves that an insider may use. PGP is software that carries out the specific purpose of encrypting communications. The software is the standard right now when it comes to encryption, since it uses a variety of methods which result in reliable and fast encryption. Your organization, like many, may be using Windows machines. If that is the case, there are two methods that an insider would use to encrypt their communications. One is GNU Privacy Guard for Windows (GPG4Win), which is a program for encryption. The other is a plugin for Thunderbird called Enigmail. These two encryption tools use PGP to protect communications. If you find Thunderbird with the Enigmail plugin or GPG4Win on devices connecting to your network, that should raise some red flags that you have an advanced insider in your organization.

Hopefully this list of tools that a darknet-enabled insider would use is helpful for you. Be sure to use it to identify users who may be advanced and have an understanding of how to cover their tracks. Be sure to stay tuned for the final article of this series. We will cover what you can do to protect yourself and your data from being compromised and leaked on the Darknet.

This post was originally published in IT Security Central and was reprinted with permission.