Anonymity and a desire for privacy are often associated with suspicious or even criminal activity. For instance, in the cybersecurity sector, one of the major challenges with breach detection and attribution is the fact that most attackers now use technologies such as the Tor anonymity network, VPNs and encryption.
There are other reasons an individual may need to use anonymity tools, though. For human rights activists in countries controlled by repressive regimes, preserving anonymity can be a matter of life and death. Victims of domestic abuse, as well as undercover law enforcement agents, diplomats, journalists and others depend on anonymity technologies to protect them from harm.
Cybersecurity professionals also need to be anonymous sometimes. When gathering threat intelligence from unofficial sources, it is a best practice to interact anonymously so the operator of the system hosting the intelligence cannot trace the collector back to their source.
A malware author or a distributed denial-of-service-as-a-service operator could monitor visitors to their hosted information, for instance, and change tactics or even hide their services from the interested threat intelligence gatherer altogether. Quite often, malware-hosting infrastructure servers block any connection from IP ranges belonging to certain targeted companies.
The legitimate need for anonymous internet access is especially important when dealing with dynamic malware analysis systems, such as Cuckoo Sandbox. These systems can optionally reach out to the internet when a first-stage malware sample tries to connect to a server to download its second stage. These outgoing connections, the so-called dirty lines, need to be untraceable; otherwise, the malware controller could take evasive action if they learn their code has been detected and is being analyzed.
Traditional anonymity tools
Traditional anonymity tools for preserving privacy and anonymity in security work have mainly focused on rerouting traffic via public systems, such as the Tor network or VPN services. A user can sign up for a private VPN service; many paid and free options are available.
These anonymity tools and services come with client agents that include security features, such as automatically blocking all network traffic if the VPN tunnel unexpectedly disconnects (a kill switch), so that the user's real address is not exposed. Most providers also allow connections from other agents, such as the VPN clients built into the user's operating system.
Apart from the potential cost of using a private VPN, there is another issue. Most providers of these anonymity tools and services are well-known or easily traceable, which can arouse suspicion at the intended destination. Why would someone visit their server or website anonymously? As private VPN services become more popular, however, their use is becoming less suspicious.
Finally, it should be noted that while many private VPN providers claim their services are log free and no evidence is stored, some providers do, in fact, keep logs, and they do provide these to authorities on demand. While this may not be an issue for security researchers, it is important to be aware of it.
The use of the Tor network is more complex, but Tor is free and much harder to trace. There is no central authority governing Tor traffic; that is the principle behind the network's architecture, and it makes traffic virtually untraceable for most adversaries. However, any traffic coming from a Tor exit node is seen as highly suspicious, both by companies, which usually block or monitor such traffic, and by controllers of malware and botnet infrastructure.
Many organizations have policies prohibiting the use of the Tor network for employees, including their security staff. All these issues make Tor a less favorable option to preserve anonymity.
Using the cloud for anonymity for security
There is another option. A public cloud platform can be used to gain anonymity. These are highly distributed platforms with hundreds of thousands of shared servers that perform hundreds of thousands of different tasks.
For instance, if a security professional or an automated sandbox system is located within a shared Amazon environment and requests data from a suspicious external system, it is virtually impossible to trace that request back to the interested party. Someone monitoring for such incoming requests will know something or someone is interested in the information, but that person cannot precisely determine who it was or what their motive was. A shared system in Amazon looks far less suspicious than a source indicating a private VPN or the Tor network.
It is also much harder to block requests that originate from cloud platforms. While it is not difficult to block the IP addresses of web crawlers, targeted companies or security companies, blocking the entire address ranges of Azure and Amazon would be too broad and would need regular updates so as not to block legitimate traffic.
Because a simple research system in the cloud has limited hardware requirements, the very lowest instance specifications are quite often sufficient.
For a small cost, it is also possible to build a sandbox system inside a public cloud or, for instance, to divert a dirty line through the cloud over a VPN.
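The failure mode to plan for when a dirty line is diverted over a VPN is the tunnel dropping silently, so that the sandbox's next callback leaves from the analyst's real address. The following is an added example, not code from the original article: a POSIX shell script that generates iptables rules for the kill-switch behaviour described under traditional anonymity tools (drop everything on the physical uplink except the tunnel itself) and a checker that rejects a ruleset with a leak. The interface names eth0 and tun0, and the endpoint 203.0.113.10:1194/udp, are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): VPN kill switch for a
# dirty-line host. If the tunnel to the cloud VPN endpoint goes down, sandbox
# traffic is dropped instead of leaking from the host's real address.
# Assumed names: eth0 = physical uplink, tun0 = tunnel interface,
# 203.0.113.10:1194/udp = constructed VPN endpoint (documentation range).

# Emit the iptables commands on stdout; review them, then run them as root
# (e.g. killswitch_rules 203.0.113.10 1194 eth0 tun0 | sudo sh).
killswitch_rules() {
    vpn_ip=$1; vpn_port=$2; wan_if=$3; tun_if=$4
    cat <<EOF
iptables -F OUTPUT
iptables -F INPUT
# Default deny: nothing leaves the physical uplink unless explicitly allowed.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Loopback and replies to already-established flows keep working.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only traffic allowed on the physical uplink is the tunnel itself.
iptables -A OUTPUT -o ${wan_if} -d ${vpn_ip} -p udp --dport ${vpn_port} -j ACCEPT
# Everything else must use the tunnel. When ${tun_if} disappears this rule
# matches nothing and the DROP policy takes over. DNS must also resolve
# through the tunnel, or lookups will be dropped (or, worse, leak).
iptables -A OUTPUT -o ${tun_if} -j ACCEPT
EOF
}

# Reject a ruleset that lets any traffic out of the physical uplink to a
# destination other than the VPN endpoint, or that lacks the DROP policy.
killswitch_check() {
    rules=$1; vpn_ip=$2; wan_if=$3
    echo "$rules" | grep -F -- "-A OUTPUT -o ${wan_if} " \
        | grep -vF -- "-d ${vpn_ip} " | grep -q ACCEPT && return 1
    echo "$rules" | grep -qF -- "-P OUTPUT DROP" || return 1
    return 0
}
```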
Law enforcement can request the associated logs from cloud providers to identify the researcher, but as long as the setup is used for legitimate work, this should not be an issue. Of course, for additional privacy, one can always connect to the cloud instance using a private VPN.
There are definitely complexities to preserving anonymity on the internet. The issue is not so much trying to hide one's identity -- it is doing so while not raising suspicions. Using cloud systems is a good way to avoid this, usually at little or no cost at all.