Facebook launches collaborative threat-detection framework

1 Comment

It might be a bit more difficult for hackers to launch coordinated attacks against several different companies at the same time thanks to a new collaborative threat-detection framework by Facebook called ThreatExchange.

The new security framework, which Facebook plans to announce on Wednesday, works like an online hub where multiple organizations can sign up and deposit data pertaining to the types of hacks and malicious activities they may have experienced. This type of data includes malicious URLs, bad domains, malware and any sort of analytical data a company might have that’s related to that malware, explained Mark Hammell, [company]Facebook[/company]’s manager of threat infrastructure and the author of the blog post detailing the framework.

Once all that information is dumped in, Facebook’s graph-database technology can correlate all the data points together and figure out new relationships, such as which malware seems to be talking to a particular domain or if a domain happens to be hosted on a bad IP address, said Hammell. The point is for the framework to ingest all the different security data points between companies so they can keep each other abreast of threats they are experiencing in real-time. If the technology does its job right, users can discover patterns from the data that could help them prevent future attacks.

“We needed to have a platform that lets us share this data in real-time so that when the next attack comes online we are all aware simultaneously,” said Hammell.

The idea behind the new framework came about when Facebook, along with other big tech companies, suffered an attack last year (Hammell said the situation was quickly remedied, which is why there was little mention in the press) from some sort of Windows-related malware “that would try to hijack a variety of social-sharing accounts and use those accounts to propagate.” Essentially, the malware could spread itself across the various services of each company because of the way each service happens to be connected to one another.

For example, Hammell said that the attack might have started out from a private Facebook message that sent a corrupted link to a Tumblr blog that happened to be created with a [company]Yahoo[/company] account.

Although the malware was eventually stopped, Facebook decided to build upon its existing
ThreatData framework and open it up to other companies to use through APIs. It’s similar to how developers can connect to Facebook through APIs and create applications on its platform, explained Hammell.

As an example of how someone might use ThreatExchange, Hammell said participants will be able to search for any “malicious domains that have been added in the past day to the system.” If they want to add to ThreatExchange a malicious domain that they might have discovered, they can put it into the system and the underlying graph database technology can spew out a list of urls that it might associate with the bad domain, which could be be an indication that the malware is trying to spread across numerous sites.

Now that users can see who else might be affected, they can then ping the appropriate parties within the framework, said Hammell.

“Where we see the most success is when folks start taking the attacks they are seeing and share those with the folks they think might be affected,” Hammell said.

ThreatExchange is now available in beta and interested participants will have to fill out a form on Facebook’s site if they want to partake.

1 Comment

Comments are closed.