Vulnerabilities / Threats //

Advanced Threats

3/26/2014
06:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Facebook Builds Its Own Threat Modeling System

The tool helps the social network gather, store, analyze, and react to the latest threats against it.

Facebook has created its own threat intelligence tool to help keep tabs on malware, phishing, and other threats on the Internet that could threaten the social network. The new ThreatData framework pulls threat feeds from outside sources, stores that information, and allows the social media giant to translate that information into action for real-time defense.

Mark Hammell, a threat researcher at Facebook who blogged about the new homegrown framework yesterday, says ThreatData also has helped the social networking company spot new types of threats. Last summer, for example, the tool provided data on a trend in malware samples using a particular string in an antivirus signature: turned out it was a spam campaign of fake Facebook accounts that tried to push mobile phone malware.  

"The malware, specifically the Trojan:J2ME/Boxer family [3], was capable of stealing a victim's address book, sending premium SMS spam, and using the phone's camera to take pictures. With this discovery, we were able to analyze the malware, disrupt the spam campaign, and work with partners to disrupt the botnet's infrastructure," Hammell said.

ThreatData draws from VirusTotal, vendor-generated threat intel feeds, open-source data on malicious URLs and malware tracking sites, as well as Facebook's own internal threat intelligence findings. It then generates real-time response to any new threats.

Hammell says that automated function is rooted in a processor Facebook built to analyze the incoming data and to automatically act on the new threats. "All malicious URLs collected from any feed are sent to the same blacklist used to protect people on facebook.com," he said. "Interesting malware file hashes are automatically downloaded from known malware repositories, stored, and sent for automated analysis; and threat data is propagated to our homegrown security event management system, which is used to protect Facebook's corporate networks."

Why the homegrown tool approach? "Given the pace of criminals today, one of the hard parts is actually keeping track of all the data related to malware, phishing, and other risks. We wanted an easier way to organize our work and incorporate new threat information we receive so that we can do more to protect people," Hammell said. "We've found that the framework lets us easily incorporate fresh types of data and quickly hook into new and existing internal systems, regardless of their technology stack or how they conceptualize threats."

The announcement of Facebook's ThreatData tool is yet another security move by the social media giant, which has paid out more than $2 million to outside researchers as part of its bug bounty program and of late has been forthcoming about its strategy building a security culture internally.

Facebook CSO Joe Sullivan says the social media giant has made security part of the social media giant's culture so that security is part of all of the daily lives of all of its employees. "It's important to get the whole company thinking about security," Sullivan said in a press briefing last week.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DoctorSecurity
100%
0%
DoctorSecurity,
User Rank: Apprentice
3/27/2014 | 12:30:27 PM
Re: curiouser and curiouser...
Facebook pulls threat data from outside sources, they are not the ones providing it.
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
3/26/2014 | 9:07:42 PM
Re: Facebook's security culture
Facebook is actually quite proactive in its internal security awareness training/programs and in engaging and empowering users. FB CSO Sullivan says the goal is to make security part of the culture for each and every employee....awareness of phishing emails, etc. They use creative programs and competitions as well.
Sara Peters
0%
100%
Sara Peters,
User Rank: Author
3/26/2014 | 9:05:47 PM
curiouser and curiouser...
I'm of two minds about this. On one hand, it's nice to know that an organization that has access to so much personal data is taking security seriously. On the other hand, my gut reaction is still "Is Facebook really who I want to get my threat data from?" Am I the only one who finds this a little oogy?

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/26/2014 | 8:52:16 PM
Facebook's security culture
Interesting article Kelly. I'm curious -- outside of its homegrown threat modeling tool is Facebook doing anything to make its employees and culture more security-aware?

 
Hacked IV Pumps and Digital Smart Pens Can Lead to Data Breaches
Dawn Kawamoto, Associate Editor, Dark Reading,  12/4/2017
The Rising Dangers of Unsecured IoT Technology
Danielle Jackson, Chief Information Security Officer, SecureAuth,  12/4/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.