Are you aware of everything that your users are accessing from your environment? Most of the time, non-work-related internet browsing is harmless (looking at pictures of cats, online shopping, social media, etc.), but there are some instances where you could be an unknowing and unwilling participant in criminal activity: namely, when users hide that activity via the Tor network, or the Dark Net.
The Onion Router, or “Tor”, is a piece of software designed to allow a user to browse the internet anonymously via a volunteer network of more than 5000 relays. There are arguably legitimate uses for this technology, such as providing internet access in repressively regulated countries. However, Tor is often associated with illicit activity (child pornography, selling controlled substances, identity theft, money laundering, and so on). Most admins will want to prohibit their users from using the Tor network due to its association with nefarious activity.
Since the point of origin is nearly impossible to determine by conventional means, many bad actors leverage the Tor network to hide the location of Command & Control servers, machines taking ransomware payments, etc. This makes identifying them and their malware that much harder.
Users browsing the Tor network (for illicit purposes or not) from your environment can open you up to hosting malicious/illegal content, ransomware infection, or unknowingly participating in other malicious activity. Yes, if your users are browsing with Tor and they are looking at child pornography, your company may be liable. And Wired recently reported that 80% of visits to Tor hidden services relate to child pornography.
You can use AlienVault Unified Security Management (USM) to detect when users access hidden services using the Tor network. The correlation directives and IDS signatures can detect when a system is attempting to resolve a Tor domain, and allow you to take corrective action.
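The idea of flagging a system that tries to resolve a Tor domain can be sketched over ordinary DNS query logs; this is an added example, not AlienVault's correlation directives or IDS signatures. The BIND-style log format, the function name `find_onion_lookups` and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed placeholder names with the right shape; not real hidden services.
V3 = "a2" * 28   # 56 base32 characters, the v3 onion address length
V2 = "b3" * 8    # 16 base32 characters, the legacy v2 length

# Constructed sample lines modelled on a BIND-style query log (assumed format).
SAMPLE_LOG = "\n".join([
    "12-Mar-2024 10:15:02.123 client 10.0.4.17#53124 (intranet.example.com): query: intranet.example.com IN A + (10.0.0.2)",
    f"12-Mar-2024 10:15:09.481 client 10.0.4.23#40211 ({V3}.onion): query: {V3}.onion IN A + (10.0.0.2)",
    f"12-Mar-2024 10:15:09.907 client 10.0.4.23#40212 (www.{V2}.onion): query: www.{V2}.onion. IN AAAA + (10.0.0.2)",
    "12-Mar-2024 10:16:44.310 client 10.0.4.31#51870 (onion.example.com): query: onion.example.com IN A + (10.0.0.2)",
    "12-Mar-2024 10:16:45.002 client 10.0.4.31#51871 (printer.onion): query: printer.onion IN A + (10.0.0.2)",
])

QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*?query: (?P<name>\S+) IN (?P<qtype>\S+)"
)
# Onion service labels are base32 (a-z, 2-7): 16 characters (v2) or 56 (v3).
ONION_LABEL_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def find_onion_lookups(log_text):
    """Return {client_ip: [(queried_name, well_formed_onion), ...]}.

    Only names whose top-level label is 'onion' are flagged, so a name
    such as onion.example.com is ignored. well_formed_onion separates
    real-looking service addresses from stray names like printer.onion.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line in the assumed format
        name = m.group("name").lower().rstrip(".")  # normalise case and root dot
        labels = name.split(".")
        if len(labels) < 2 or labels[-1] != "onion":
            continue
        well_formed = bool(ONION_LABEL_RE.match(labels[-2]))
        hits[m.group("ip")].append((name, well_formed))
    return dict(hits)


if __name__ == "__main__":
    for client, lookups in find_onion_lookups(SAMPLE_LOG).items():
        for name, well_formed in lookups:
            kind = "onion service address" if well_formed else "malformed .onion name"
            print(f"{client} tried to resolve {name} ({kind})")
```

Names under `.onion` are not meant to be looked up in public DNS, so any such query reaching an internal resolver is worth attributing to a host.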