Facebook have this week announced that they have implemented a threat modelling system to identify, gather, store and analyse threats against their platform. The tool will also assist Facebook with reacting to threats against it and staying one step ahead of the curve. The tool has been developed internally by Facebook in order to keep track of the range of threats against them including malware, phishing and other compromise methods.
Developed by the social media giants, the tool is based on a ThreatData framework that utilises threat feeds from a number of different sources. The tool then pulls in the threat data, holds and stores it securely and allows analysts in Facebook to query it to provide input to their real-time defensive capability.
Threat researchers at Facebook have said that ThreatData has also enabled Facebook to track and analyse new, emerging threats in the cyber world. The researchers announced that the tool was able to provide extensive data on trending malware samples using a specific string in an AV signature. This turned out to be a spamming campaign that was creating fake Facebook accounts in order to distribute mobile malware. The detected malware, named J2ME/Boxer Family, was sophisticated enough to extract user data such as the address book as well as use the camera on the phone. The malware would also send SMS spam in bulk. When the tool discovered this particular piece of malware, Facebook were able to respond by interrupting the spamming campaign as well as working with industry to disrupt the botnet’s capability.
The Facebook tool pulls in feeds from a variety of sources including VirusTotal, a tool that distributes threat intelligence feeds from various sources such as open source and malware tracking sites. The tool utilises a wealth of vendor and open-source threat information to build its real-time response controls. Facebook also pull in their own research to build a highly powerful threat modelling system.
Facebook research analyst Mark Hammell states that the threat modelling system has a built-in automated function that allows Facebook to analyse all data together and automatically respond. For example, malicious web addresses are automatically added to the giant's blacklist, malware file hashes are automatically collected and sent on for further analysis, and threat data is automatically ingested into Facebook’s event management system. The tool is a powerful, semi-automated collection of different intelligence feeds as well as threat information gained from researchers inside Facebook.
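The routing described above can be sketched in a few lines. This is an added illustration, not Facebook's code: the feed names, record layout and sink names are assumptions, and the sample indicators are constructed. It normalises indicators from two differently formatted feeds, merges duplicates while keeping track of which feeds reported them, and routes URLs to a blocklist, hashes to an analysis queue and everything accepted to an event log.

```python
import re
from urllib.parse import urlsplit, urlunsplit

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

def normalise(kind, value):
    """Return (kind, canonical_value), or None if the record is malformed."""
    kind, value = kind.strip().lower(), value.strip()
    if kind == "url":
        # Feeds often "defang" URLs (hxxp, [.]) so they are not clickable.
        value = re.sub(r"^hxxp", "http", value, flags=re.I).replace("[.]", ".")
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        return kind, urlunsplit((parts.scheme, parts.netloc.lower(),
                                 parts.path or "/", parts.query, ""))
    if kind in HASH_LEN and re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LEN[kind], value):
        return kind, value.lower()
    return None

def ingest(feeds):
    """feeds: {source_name: [(kind, value), ...]} -> dict of routed sinks."""
    seen, rejected = {}, []          # seen: (kind, value) -> set of sources
    for source, records in feeds.items():
        for kind, value in records:
            norm = normalise(kind, value)
            if norm is None:
                rejected.append((source, kind, value))   # keep for feed QA
            else:
                seen.setdefault(norm, set()).add(source)
    sinks = {"url_blocklist": [], "hash_analysis_queue": [],
             "event_log": [], "rejected": rejected}
    for (kind, value), sources in sorted(seen.items()):
        # Every accepted indicator is logged once, with all reporting feeds.
        sinks["event_log"].append(
            {"kind": kind, "value": value, "sources": sorted(sources)})
        target = "url_blocklist" if kind == "url" else "hash_analysis_queue"
        sinks[target].append(value)
    return sinks

# Constructed sample data: hypothetical feed names and indicators.
SAMPLE_FEEDS = {
    "vendor_feed": [("url", "hxxp://Phish[.]Example/login"),
                    ("MD5", "D41D8CD98F00B204E9800998ECF8427E")],
    "open_feed": [("URL", "http://phish.example/login"),
                  ("sha256", "not-a-hash")],
}

if __name__ == "__main__":
    for name, items in ingest(SAMPLE_FEEDS).items():
        print(name, items)
```

Recording every source that reported an indicator lets an analyst weigh corroborated entries more heavily, and the rejected list shows which feed is sending malformed records.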
Facebook need to build on their defences in the current arms race. A part of this is keeping track of all the current threats relating to malware, compromise methods, bad URLs, phishing attempts and other risks. Organising this data will enable Facebook to build stronger defences, and the framework they have implemented makes this possible.
The ThreatData tool is another move forward from the social media platform, which has been at the forefront of security research in recent years. They have paid out over 2 million dollars to researchers who find bugs and have also highly publicised their attempts to build up a secure strategy within their business. The social media giants are aiming to ingrain security into the company's culture, ensuring that every employee and developer considers security closely as part of their everyday job.