How Network Detection and Response Reveals Hidden Dark Web Activity

Ethan Cole
I’m Ethan Cole, a digital journalist based in New York. I write about how technology shapes culture and everyday life — from AI and machine learning to cloud services, cybersecurity, hardware, mobile apps, software, and Web3. I’ve been working in tech media for over 7 years, covering everything from big industry news to indie app launches. I enjoy making complex topics easy to understand and showing how new tools actually matter in the real world. Outside of work, I’m a big fan of gaming, coffee, and sci-fi books. You’ll often find me testing a new mobile app, playing the latest indie game, or exploring AI tools for creativity.

Enterprise networks face constant threats from dark web activity—ransomware operations, insider threats selling credentials, and attackers exfiltrating sensitive data. What makes these threats particularly challenging is that evidence of dark web connections often hides within normal-looking network traffic, blending into the millions of connections your systems handle daily.

For security teams using Network Detection and Response (NDR), those hidden signals become actionable intelligence. The key lies in knowing what to look for and where to look for it. Here’s a practical framework for leveraging NDR to spot dark web threats before they cause damage.

Understanding How Dark Web Access Leaves Network Traces

The dark web operates differently from the public internet. Users rely on anonymizing overlays such as the Tor Browser, the Invisible Internet Project (I2P), and the Freenet (now Hyphanet) peer-to-peer network, which obscure where traffic originates, encrypt it inside the overlay, and are built to resist traffic analysis. These tools exist specifically to hide user identity and activity from network monitoring.

Despite that design, overlay connections still create detectable patterns in network data. Unusual port usage, the TLS characteristics of Tor's relay handshake, and connections to published Tor relays all leave traces that NDR systems can identify. Mind the direction, though: from inside your network you see outbound connections to guard (entry) relays or bridges, never to exit relays. Exit relays appear only as the source of inbound connections to your internet-facing services, which is how you spot an attacker hiding behind Tor rather than an insider using it. The challenge isn't whether these signals exist; it's tuning your systems to recognize them amid the noise of legitimate traffic.

Think of it like footprints in snow. Anonymizing tools try to cover those footprints, but they can’t eliminate them entirely. NDR gives you the ability to spot the disturbances these tools create, even when they’re trying to hide.

What Network Detection and Response Actually Does

NDR systems continuously monitor network traffic in real time, using AI, machine learning, and behavioral analytics to identify suspicious or malicious activity. Unlike traditional firewalls that block based on rules, NDR learns what normal looks like for your specific environment and flags deviations from that baseline.

Equally important, NDR maintains comprehensive historical records of network activity, providing the context security teams need to investigate incidents. When you detect something suspicious, you can look backward to see how the activity started, what it’s connected to, and whether similar patterns appeared before.

This combination of real-time detection and historical context helps security operations centers (SOC) improve their mean time to detect (MTTD) and mean time to respond (MTTR) to cyber threats. For dark web activity specifically, NDR provides visibility into connections that other security tools miss because they don’t appear overtly malicious—they’re just unusual.

Strategic NDR Deployment for Dark Web Visibility

NDR sensors detect dark web threats through north-south and east-west traffic monitoring.

Effective dark web threat detection requires thoughtful sensor placement across your network architecture. Monitor traffic across core network infrastructure, edge environments where your network connects to the internet, and internal segments where lateral movement occurs.

Position NDR sensors strategically at network segments housing high-value assets. These locations give you the best chance of catching command-and-control (C2) activity and data exfiltration attempts before significant damage occurs. Focus on monitoring north-south traffic—communications between internal systems and external destinations—where dark web connections necessarily traverse.

Don’t neglect lateral movement monitoring. Internal traffic between devices can reveal compromised systems attempting to spread through your network or establish persistent access. Attackers using dark web infrastructure often move laterally after initial compromise, seeking valuable data or privileged access before exfiltration.

The goal is comprehensive visibility without creating blind spots where threats can hide. Strategic placement beats blanket coverage when resources are limited.

Establishing Your Network Baseline

NDR deployments typically begin with a 30-day baselining period that allows the platform to learn your organization’s normal traffic patterns. This learning phase proves critical for accurate threat detection—without understanding normal, you can’t reliably identify abnormal.

Once baselining completes, NDR can automatically flag indicators of dark web activity: new communications with previously unknown external IPs, excessive peer connections suggesting P2P network usage, suspicious file transfer protocols, traffic to unusual domains, and outbound data flows masquerading as legitimate communications.

Here’s a critical consideration: if your network is already compromised during baselining, the NDR might learn threat activity as “normal.” This creates a dangerous blind spot where existing malicious activity becomes part of the baseline rather than triggering alerts. Active analysis during baselining helps prevent this—security teams should review flagged anomalies and investigate suspicious patterns rather than passively letting the system learn.

Understanding your environment matters. Know what applications your users need, what external services your business depends on, and what traffic patterns are genuinely normal versus merely frequent.
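The two points above, new-destination alerting and the risk of learning an existing compromise as "normal", are easiest to see in code. The following is an added example written for this article, not the page's or any NDR vendor's logic. The records are constructed (their shape loosely follows Zeek's conn.log fields ts, id.orig_h, id.resp_h, id.resp_p), the addresses come from the RFC 5737 documentation ranges, and the "suspicious port" heuristic used for the review step is an assumption chosen to keep the example small.

```python
"""Added example: per-host baseline of external destinations, plus the active
review step that catches traffic the baseline would otherwise absorb.
All records below are constructed, not captured."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TOR_RELAY_PORTS = {9001, 9030}  # default Tor ORPort/DirPort; the review heuristic here

# (day offset, internal host, destination, destination port)
BASELINE_WINDOW = [
    (1, "10.0.0.5", "203.0.113.10", 443),
    (3, "10.0.0.5", "203.0.113.11", 443),
    (2, "10.0.0.7", "203.0.113.10", 443),
    (5, "10.0.0.7", "198.51.100.23", 9001),   # host already beaconing during learning
    (12, "10.0.0.7", "198.51.100.23", 9001),
    (19, "10.0.0.7", "198.51.100.23", 9001),
]
POST_BASELINE = [
    (31, "10.0.0.5", "203.0.113.10", 443),    # known destination: quiet
    (31, "10.0.0.5", "198.51.100.77", 9001),  # new destination on a relay port: alert
    (32, "10.0.0.7", "198.51.100.23", 9001),  # learned as normal: passes silently
]

def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def build_baseline(records):
    """Map each internal host to the external destinations seen during learning."""
    baseline = defaultdict(set)
    for _day, src, dst, _port in records:
        if is_external(dst):
            baseline[src].add(dst)
    return baseline

def new_destinations(baseline, records):
    """External destinations a host never contacted during the baseline window."""
    return [(src, dst, port) for _day, src, dst, port in records
            if is_external(dst) and dst not in baseline.get(src, set())]

def review_baseline(records, suspicious_ports=TOR_RELAY_PORTS):
    """The active-review step: baseline traffic that already matches an indicator
    and must be investigated rather than accepted as normal."""
    return [r for r in records if is_external(r[2]) and r[3] in suspicious_ports]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW)
    print("new after baseline:", new_destinations(baseline, POST_BASELINE))
    print("review before accepting:", review_baseline(BASELINE_WINDOW))
```

Without the review step, host 10.0.0.7's beacon to 198.51.100.23 never alerts: it was present during learning, so it is part of the baseline. The review function surfaces it from the learning-window data itself, which is the analyst work the paragraph above calls for.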

Detecting Tor Network Connections

Detect dark web threats — Tor, VPNs, C2 beacons, and hidden network activity with NDR.

Tor represents the most common gateway to dark web resources, making Tor detection a priority for identifying potential threats. Start by alerting on outbound connections to the default Tor relay ports, 9001 (ORPort) and 9030 (DirPort). Port 9050, and Tor Browser's 9150, is the client's local SOCKS listener; it appears on the wire only if a host exposes it to other machines, which is itself worth an alert. Many relays now listen on 443 and bridges use arbitrary ports, so port-based rules catch default configurations, not determined users.

Tor's link handshake has recognizable TLS traits: the client typically sends no server_name (SNI) extension, the relay presents a short-lived certificate whose subject and issuer are random hostnames of the form www.<random>.net and www.<random>.com, and the connection carries fixed-size cells (514 bytes in current link protocols), giving packet-length distributions unlike web traffic. Unusually long sessions with steady bandwidth that match no known application add weight. TLS fingerprinting of the ClientHello (JA3/JA4) is another signal, though Tor's cipher suite list was historically shaped to resemble a browser's, so treat it as corroboration rather than proof.

Match destination IPs against the Tor relay list, which is public: the network consensus and the Tor Project's Onionoo service enumerate every relay with its addresses, and the list changes daily, so refresh it. Bridges and obfs4 (obfourscator) endpoints are deliberately unlisted, so no feed will match them; obfs4 traffic in particular looks like random bytes with no recognizable handshake, and the indicator becomes a long-lived connection to an unknown IP on an odd port carrying a protocol your analyzer cannot identify. Also flag hosts that rotate through many external IPs in short order or contact known anonymization services.

Tools like Corelight’s Open NDR Platform with Investigator provide visibility into Tor connections through network metadata including connection logs, protocol analysis, TLS connection details and certificates, Suricata signatures, and machine learning algorithm detections. This multi-layered approach catches Tor usage even when single indicators might be ambiguous.
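Because each Tor indicator is ambiguous on its own (plenty of legitimate TLS omits SNI, and 9001 is not reserved), a practical detector scores connections on several indicators and alerts above a threshold. The block below is an added example written for this article, not the article's or Corelight's code. KNOWN_RELAYS is a constructed stand-in for a relay list refreshed from the Tor Project's Onionoo service (https://onionoo.torproject.org/details); the connections and addresses are constructed from documentation ranges, and the certificate-name pattern follows the www.<8-20 random characters>.net / .com convention Tor relays use.

```python
"""Added example: multi-indicator scoring of TLS connections for Tor relay
traffic. Sample data is constructed; KNOWN_RELAYS stands in for a live list."""
import re
from dataclasses import dataclass
from typing import Optional

KNOWN_RELAYS = {"203.0.113.10", "203.0.113.11"}   # constructed stand-in for the relay list
TOR_RELAY_PORTS = {9001, 9030}                     # default ORPort / DirPort
# Tor relay certificates use www.<random>.net (subject) and www.<random>.com (issuer).
# Real hostnames can match one side, so the rule requires both, and that they differ.
RANDOM_HOST_RE = re.compile(r"^www\.[a-z0-9]{8,20}\.(net|com)$")

@dataclass
class TlsConn:
    src: str
    dst: str
    dport: int
    sni: Optional[str]      # None: client sent no server_name extension
    subject_cn: str         # leaf certificate subject CN
    issuer_cn: str          # leaf certificate issuer CN

def tor_indicators(c: TlsConn):
    """Return the list of Tor indicators a single connection matches."""
    hits = []
    if c.dst in KNOWN_RELAYS:
        hits.append("destination is a published Tor relay")
    if c.dport in TOR_RELAY_PORTS:
        hits.append(f"default relay port {c.dport}")
    if c.sni is None:
        hits.append("no SNI")
    if (RANDOM_HOST_RE.match(c.subject_cn) and RANDOM_HOST_RE.match(c.issuer_cn)
            and c.subject_cn != c.issuer_cn):
        hits.append("Tor-style random certificate names")
    return hits

def classify(conns, threshold=2):
    """Connections matching at least `threshold` indicators, keyed by (src, dst)."""
    flagged = {}
    for c in conns:
        hits = tor_indicators(c)
        if len(hits) >= threshold:
            flagged[(c.src, c.dst)] = hits
    return flagged

SAMPLE_CONNS = [  # constructed
    # listed relay on the default port, no SNI, Tor-style cert: every indicator fires
    TlsConn("10.0.0.5", "203.0.113.10", 9001, None, "www.k3jd8s7a2n.net", "www.zq9x8c7v.com"),
    # unlisted relay on 443: the port rule misses it, behaviour still flags it
    TlsConn("10.0.0.9", "198.51.100.5", 443, None, "www.h7s6d5f4g3h2.net", "www.abcd1234xyz.com"),
    # ordinary HTTPS with a CA-issued certificate
    TlsConn("10.0.0.12", "198.51.100.80", 443, "www.example.com", "www.example.com", "R3"),
    # legitimate service that happens to use port 9001: one indicator, below threshold
    TlsConn("10.0.0.12", "198.51.100.9", 9001, "api.example.net", "api.example.net", "R3"),
]

if __name__ == "__main__":
    for key, hits in classify(SAMPLE_CONNS).items():
        print(key, "->", ", ".join(hits))
```

The second sample is the one that matters operationally: a relay not yet in your list, on 443, is invisible to the port and list rules but still exposes Tor's handshake traits, which is why the paragraph above stresses combining metadata rather than trusting a single signature.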

Identifying I2P and Peer-to-Peer Network Activity

I2P operates differently from Tor but serves similar anonymization purposes. Its transports, NTCP2 over TCP and SSU2 over UDP, use a random port chosen when the router is installed, so there is no default port to alert on; the ports in the 7650s (7654 for I2CP, 7656 for SAM, 7657 for the router console) are local interfaces and show up on the wire only if a host exposes them. Alert on the classic BitTorrent range, 6881 through 6889, for ordinary P2P, and on I2P's real footprint: a single host holding many simultaneous UDP and TCP sessions to unrelated external addresses from the same high source port, with no DNS lookups preceding them and no protocol your analyzer can identify.

Watch for periodic bursts to unfamiliar or unresolved IP addresses on high UDP ports, the pattern of I2P peer discovery. Persistent, long-duration UDP sessions to a stable set of widely distributed peers may indicate Freenet (Hyphanet), whose nodes stay connected to their neighbours to participate in the distributed data store.

Self-signed certificates with random-looking names are a Tor trait; I2P and Freenet do not use TLS at all, so their sessions appear as encrypted TCP or UDP that no protocol analyzer recognizes, which is itself the indicator. Do not confuse this with workstations or IoT devices making persistent connections to high-entropy, algorithmically generated domain names: that is a domain generation algorithm (DGA), a hallmark of malware command-and-control rather than of anonymization overlays, which mostly address peers by IP and make no DNS lookups. Both patterns deserve alerts, for different reasons.

Corelight’s Encrypted Traffic Collection helps identify unusual certificates, unexpected encryption patterns, and TLS anomalies that could indicate encrypted I2P and P2P connections. Since these networks encrypt heavily by default, detecting them requires analyzing encryption characteristics rather than content.

Monitoring DNS for Dark Web Indicators

DNS activity reveals significant information about dark web access attempts. Tor resolves .onion names inside the Tor network and never sends them to the DNS; RFC 7686 reserves the name for exactly that reason and asks resolvers to answer NXDOMAIN. A .onion query in your DNS logs therefore means a host tried to reach an onion service without Tor handling the lookup: a misconfigured client, a Tor-less application following a .onion link, or malware with a broken fallback. Treat it as attempted dark web access that leaked, and apply the same logic to .i2p names.

Flag queries to low-reputation, rarely used, or known malicious domains, especially those linked to VPN or proxy services. The .su top-level domain, assigned to the former Soviet Union and still operated, rarely has legitimate use in most enterprises and has a long history of abuse by cybercriminals, so treat .su lookups as worth investigating rather than as proof of compromise.

Detect devices that bypass internal DNS servers to use external resolvers. This behavior frequently indicates anonymization tool usage, and it almost certainly violates your network security policy, since users bypass internal DNS precisely to avoid the monitoring and filtering it provides. Extend the check to DNS over TLS (TCP 853) and DNS over HTTPS to known public resolver addresses, which bypass your resolvers without leaving any plaintext query to inspect.
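The three DNS checks above, overlay-name leaks, watch-listed TLDs and resolver bypass, run over DNS log records. The following is an added example for this article, not the page's or any product's code. The records are constructed (field names mirror Zeek's dns.log id.orig_h, id.resp_h and query), INTERNAL_RESOLVERS is an assumed corporate resolver set, and 8.8.8.8 stands in for any public resolver.

```python
"""Added example: DNS-log checks for .onion/.i2p leaks, a watch-listed TLD,
and hosts that bypass the internal resolvers. Records are constructed."""
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # assumed corporate resolvers
LEAK_SUFFIXES = (".onion", ".i2p")   # overlay names a working client never sends to DNS
WATCH_SUFFIXES = (".su",)            # rarely legitimate in an enterprise, historically abused

SAMPLE_DNS = [  # constructed
    {"src": "10.0.0.5",  "resolver": "10.0.0.53", "query": "www.example.com"},
    {"src": "10.0.0.7",  "resolver": "10.0.0.53", "query": "x3k7q2m9p4w8r5t1.onion"},
    {"src": "10.0.0.9",  "resolver": "8.8.8.8",   "query": "update.example.net"},
    {"src": "10.0.0.11", "resolver": "10.0.0.53", "query": "mail.example.su."},
    {"src": "10.0.0.9",  "resolver": "8.8.8.8",   "query": "example.i2p"},
]

def dns_findings(records):
    """Return (host, name, reason) for every record matching an indicator.
    A single record can produce two findings (a leaked name sent to an external resolver)."""
    findings = []
    for r in records:
        name = r["query"].lower().rstrip(".")      # normalise case and trailing dot
        if name.endswith(LEAK_SUFFIXES):
            findings.append((r["src"], name, "overlay name leaked to DNS"))
        elif name.endswith(WATCH_SUFFIXES):
            findings.append((r["src"], name, "low-reputation TLD"))
        if r["resolver"] not in INTERNAL_RESOLVERS:
            findings.append((r["src"], name, f"bypassed internal DNS via {r['resolver']}"))
    return findings

def hosts_bypassing_dns(records):
    """Distinct internal hosts that queried a resolver outside the approved set."""
    return sorted({r["src"] for r in records if r["resolver"] not in INTERNAL_RESOLVERS})

if __name__ == "__main__":
    for finding in dns_findings(SAMPLE_DNS):
        print(finding)
    print("bypassing hosts:", hosts_bypassing_dns(SAMPLE_DNS))
```

The suffix match deliberately strips the trailing dot and lower-cases the name; a check that compares raw query strings misses `MAIL.EXAMPLE.SU.` and similar variations that appear in real logs.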

Spotting VPN Usage and Policy Violations

While VPNs serve legitimate business purposes, consumer VPN usage on corporate networks often violates policy and can indicate data exfiltration attempts. Detect connections to well-known consumer VPN providers like NordVPN, ExpressVPN, and ProtonVPN.

Alert on the well-known VPN ports (OpenVPN 1194, L2TP 1701, IPsec IKE on UDP 500 and 4500, WireGuard's default UDP 51820) and on VPN protocols your analyzer identifies on non-standard ports, which is how consumer clients evade simple port filters. OpenVPN runs its control channel over TLS and often presents provider-specific certificates; WireGuard and IPsec do not use TLS, so they appear as long-lived UDP sessions to a fixed peer with no certificate to inspect. Compare detected VPN usage against your policies to determine whether it's authorized.

Corelight’s VPN Insights package identifies over 400 unique VPN protocols, providers, and types, logging them alongside critical metadata like country of origin. This visibility helps security teams distinguish between approved corporate VPN use and unauthorized consumer VPN connections.

Detecting Geolocation and Travel Anomalies

Geographic inconsistencies often reveal compromised credentials or unauthorized access. Identify “impossible travel” scenarios using IP geolocation data—when users or devices show logins from distant countries within timeframes that make physical travel impossible.

Detect connections originating from suspicious regions or countries outside your organization’s normal operational scope. If your business operates entirely within North America but you see login attempts from Eastern Europe or Southeast Asia, investigate immediately.

Look for traffic with no identifiable legitimate business application. When users access resources from locations or through methods that don’t align with their job functions, it warrants investigation regardless of whether specific threat indicators are present.
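Impossible travel reduces to a speed calculation between consecutive geolocated logins for the same account. The block below is an added example for this article, not the page's or any vendor's code. The events are constructed; a real pipeline would fill latitude and longitude from an IP geolocation lookup, and should skip known corporate VPN egress addresses and mobile carrier ranges, which otherwise produce false positives. The 900 km/h ceiling is an assumption, roughly airliner speed.

```python
"""Added example: impossible-travel detection over geolocated login events.
Events are constructed; coordinates are for the named cities."""
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling; tune to your tolerance for false positives

SAMPLE_LOGINS = [  # (user, epoch seconds, city label, lat, lon), constructed
    ("alice", 0,        "New York",  40.7128, -74.0060),
    ("alice", 4 * 3600, "Boston",    42.3601, -71.0589),    # ~306 km in 4 h: plausible
    ("bob",   0,        "New York",  40.7128, -74.0060),
    ("bob",   1 * 3600, "Frankfurt", 50.1109,   8.6821),    # ~6200 km in 1 h: impossible
    ("carol", 0,        "Chicago",   41.8781, -87.6298),
    ("carol", 0,        "Singapore",  1.3521, 103.8198),    # same second, two continents
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, km, km_per_hour) for consecutive logins
    whose implied speed exceeds max_kmh. Zero elapsed time with a real distance
    is reported as infinite speed rather than dividing by zero."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e[0]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[1])
        for (_, t1, c1, la1, lo1), (_, t2, c2, la2, lo2) in zip(evs, evs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < 1.0:           # same city or geolocation jitter: ignore
                continue
            hours = (t2 - t1) / 3600.0
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append((user, c1, c2, round(km), kmh))
    return alerts

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_LOGINS):
        print(a)
```

Carol's pair is the edge case worth handling explicitly: two logins in the same second from different continents give a zero time delta, and naive code either crashes or, worse, skips the pair. Treating it as infinite speed keeps it in the alert list.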

Identifying Lateral Movement Patterns

Once attackers gain initial access, they typically move laterally through your network seeking valuable targets. Flag internal traffic that hops between multiple systems before reaching external endpoints—a pattern indicating proxying or tunneling through compromised hosts.

Monitor for unusual activity between internal devices using unexpected protocols like SOCKS proxies. Legitimate business applications rarely require SOCKS proxying between internal systems, making it a strong indicator of malicious activity.

Corelight’s Encrypted Traffic Collection identifies unusual remote management traffic even in encrypted connections, helping spot potentially malicious use of SSH and RDP as attackers move laterally. These protocols are commonly exploited for lateral movement because they provide powerful access and often blend into legitimate administrative activity.

Catching Command-and-Control Communications

C2 beaconing vs normal network traffic — spot cyber threats through traffic pattern analysis.

Malware establishing command-and-control channels creates distinctive communication patterns. Use YARA rules to analyze files extracted from network traffic, looking for malware signatures or suspicious binaries. Check logs for periodic “check-in” activity occurring at regular intervals, every 5 minutes, every hour, or other consistent patterns that suggest automated beaconing. Real implants add jitter to that interval, so measure the distribution of gaps between connections to the same destination rather than looking for an exact period: a low spread relative to the mean, sustained over dozens of connections, is the tell.

Corelight’s C2 Collection identifies dozens of attack frameworks, RATs, and malware commonly used to stage attacks, establish command-and-control, and download additional tools for attack expansion. These signatures catch both known malware families and emerging threats that share behavioral characteristics with established attack tools.
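The gap-distribution approach to beaconing, as an added example written for this article rather than the page's or Corelight's detection logic. Timestamps are constructed with a seeded random generator so the run is reproducible; the tuple layout follows Zeek conn.log fields (ts, id.orig_h, id.resp_h, id.resp_p), and the thresholds (eight events, coefficient of variation 0.25) are assumptions to tune against your own traffic.

```python
"""Added example: beacon detection from connection timestamps using the
coefficient of variation of inter-arrival gaps, which tolerates jitter.
All sample connections are constructed."""
import random
from collections import defaultdict
from statistics import mean, pstdev

def make_sample():
    """Constructed traffic: a jittered implant, a human browsing, and a quiet host."""
    rng = random.Random(7)  # deterministic so the example is reproducible
    conns = []
    # Implant: check-in every 300 s with +/-10% jitter, 12 events
    for i in range(12):
        conns.append((300 * i + rng.uniform(-30, 30), "10.0.0.7", "198.51.100.23", 443))
    # Human browsing: bursty gaps to a web server
    t = 0.0
    for gap in (2, 1, 45, 600, 3, 2, 1800, 7, 4, 1, 90):
        t += gap
        conns.append((t, "10.0.0.5", "203.0.113.10", 443))
    # Too few events to judge either way
    for t in (0, 310, 590):
        conns.append((float(t), "10.0.0.9", "203.0.113.11", 443))
    return conns

def beacon_candidates(conns, min_events=8, max_cv=0.25):
    """(src, dst, port) pairs whose connection gaps are nearly constant.
    max_cv bounds stdev/mean of the gaps: 0.25 tolerates the 10-20% jitter
    common in C2 frameworks while rejecting human traffic, whose gaps vary
    by orders of magnitude. min_events avoids judging on a handful of points."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in conns:
        by_pair[(src, dst, dport)].append(ts)
    out = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            out[pair] = {"interval_s": round(avg), "cv": round(cv, 3), "events": len(ts)}
    return out

if __name__ == "__main__":
    for pair, info in beacon_candidates(make_sample()).items():
        print(pair, info)
```

An exact-period rule (gap == 300 s) would miss this implant entirely, since no two of its gaps are equal; the variance-based rule flags it with a recovered interval close to 300 s while leaving the browsing host alone.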

Integrating Threat Intelligence for Context

Enhance your NDR capabilities by integrating threat intelligence feeds that correlate known dark web activity. Add feeds containing Indicators of Compromise (IOCs) like file hashes, malicious IPs, and C2 domains associated with dark web operations.

Consider hiring third-party threat intelligence services to monitor dark web forums and marketplaces for chatter about your organization or leaked data from your environment. This proactive monitoring can alert you to breaches before attackers fully exploit compromised access.

Feed alerts from external credential monitoring services into the same pipeline. When your employees’ credentials appear in dark web credential dumps, you need to know immediately so you can force password resets, revoke active sessions, and review that account’s recent logins for the location anomalies described above.

Corelight’s Intel Framework matches millions of indicators at line rate, generating alerts and logs for precise detection and investigation. Real-time indicator matching ensures threats are identified as they occur rather than discovered during post-incident forensics.

Building a Comprehensive Detection Strategy

Spotting dark web threats requires layered detection that combines multiple indicators rather than relying on single signatures. A well-tuned NDR solution significantly enhances your organization’s ability to detect dark web activity while strengthening overall cybersecurity posture.

The key to success lies in understanding that dark web threats don’t announce themselves—they hide within normal-looking traffic, use encryption to obscure content, and leverage legitimate protocols for malicious purposes. Your detection strategy needs to look beyond obvious red flags and identify the subtle patterns that reveal hidden threats.

Start with strategic sensor placement, establish accurate baselines, configure detection for specific dark web indicators, and continuously refine your approach based on what you learn. Dark web threats evolve constantly, so your detection capabilities must evolve as well. With the right tools and techniques, the network traffic that once hid threats becomes the intelligence source that exposes them.
