Defending and Analysis of online threats and malwares have become more challenging nowadays and especially for larger businesses like the popular social networking site - Facebook. To encounter malware, phishing, and other online threats, Facebook has taken an important step forward.
Facebook has unveiled its latest security-focused platform, dubbed as ‘ThreatData’, which is a framework that aims to standardize its methods for collecting and analyzing data.
The ThreatData framework is implemented to import information about the various online threats, malware, phishing and other internet risks, then storing it proficiently for real-time and long-term analysis as well. It consists of three high level components i.e. Feeds, Data storage, and Real-time response.
FEEDS: Feeds will collect data from a distinct source and implement them via a lightweight interface.
“Here are some examples of feeds we have implemented: Malware file hashes from VirusTotal; Malicious URLs from multiple open source blogs and malware tracking sites; Vendor-generated threat intelligence we purchase; Facebook's internal sources of threat intelligence; and Browser extensions for importing data as a Facebook security team member reads an article, blog, or other content,” detailed in a blog post on Tuesday.
DATA STORAGE: The data received by various Information Security firms and vendors are in different format, so the framework brought it in a common and simple format, which they call a ThreatDatum. ThreatDatums are then routed for short-term and long-term analysis through its two existing data repository systems, Hive and Scuba.
- Hive storage is used to answer questions based on long-term data:
- Have we ever seen this threat before?
- What type of threat is more prevalent from our perspective: malware or phishing?
- Scuba gives us the opposite end of the analysis spectrum:
- What new malware are we seeing today?
- Where are most of the new phishing sites?
REAL-TIME RESPONSE: After storing the data, a processor is built to easily and quickly address all the threats, such as:
- All malicious URLs collected from any feed are sent to the same blacklist in order to protect the Facebook users.
- Interesting malware file hashes are automatically downloaded from known malware repositories, stored, and sent for automated analysis.
- Threat data are propagated to our homegrown security event management system, which is used to protect Facebook's corporate networks.
“In a typical corporate environment, a single anti-virus product is deployed to all devices and used as a core defense. In reality, however, no single anti-virus product will detect all threats. Some vendors are great at detecting certain types of malware, while others can detect a wide array of threats but are more likely to mislabel them. We decided we would employ our framework to construct a light-weight set of hashes expressly not detected by our chosen anti-virus product and feed those hashes directly into our custom security event management system. The results have been impressive: we've detected both adware and malware installed on visiting vendor computers that no single anti-virus product could have found for us.” Faceook explained.
THREATDATA IN ACTION:
In 2013, Facebook team investigated a spam campaign, that was using fake Facebook accounts to spread links to malware designed for feature phones and capable of stealing a victim’s address book, sending premium SMS spam, and using the phone’s camera to take pictures.
They analyzed the malware using ThreatData, located the origin of the malware and disrupt the spam campaign to shut down the botnet’s infrastructure.
Also, the image above shows a graph Facebook developed using ThreatData to map malicious and victimized IP addresses, with the pie chart breaking that data down by ISP in the United States. For now the framework is just for Facebook's internal use.