Follow Us on WhatsApp | Telegram | Google News

Facebook Reveal ThreatData, a framework for Web Security

Table of Contents
As on today's days Defending and Analysis of online threats and Malwares have become more challenging for all types of the business house. It is much important for the company like Facebook, Whatsapp and other social networking site. So for this, Facebook have step forward to encounter malware, phishing, and other online threats.

Facebook has unveiled its latest security-focused platform, dubbed as ‘ThreatData’, which is a framework that aims to standardize its methods for collecting and analyzing data.  ThreatData is a framework for importing information about badness on the Internet in arbitrary formats, storing it efficiently, and making it accessible for both real-time defensive systems and long-term analysis.

The ThreatData framework is comprised of three high-level parts: feeds, data storage, and real-time response.
FEEDS:- Feeds collect data from a specific source and are implemented via a light-weight interface.
Here are some examples of feeds that Facebook have implemented and which are discussed on the notes:
  • Malware file hashes from VirusTotal [0];
  • Malicious URLs from multiple open source blogs and malware tracking sites;
  • Vendor-generated threat intelligence we purchase;
  • Facebook's internal sources of threat intelligence; and
  • Browser extensions for importing data as a Facebook security team member reads an article, blog, or other content.
DATA STORAGE:- The data can be in nearly any format and is transformed by the feed into a simple schema, Facebook call it as a ThreatDatum. The datum is capable of storing not only the basics of the threat (e.g., but also the context in which it was bad. Once a feed has transformed the raw data, it is fed into two of our existing data repository technologies: 
  1. Hive
  2. Scuba
Hive storage is used to answer questions based on long-term data:
  • Have we ever seen this threat before?
  • What type of threat is more prevalent from our perspective: malware or phishing?
Scuba gives us the opposite end of the analysis spectrum:
  • What new malware are we seeing today?
  • Where are most of the new phishing sites?
Real-time Response:- To addressed a threat quickly, a processor is built to examine ThreatDatum, which can response to each threat such as- 
  • All malicious URLs collected from any feed are sent to the same blacklist used to protect people on
  • Interesting malware file hashes are automatically downloaded from known malware repositories, stored, and sent for automated analysis; and
  • Threat data is propagated to our homegrown security event management system, which is used to protect Facebook's corporate networks.
Further more Facebook explained about the Antivirus as
“In a typical corporate environment, a single anti-virus product is deployed to all devices and used as a core defense. In reality, however, no single anti-virus product will detect all threats. Some vendors are great at detecting certain types of malware, while others can detect a wide array of threats but are more likely to mislabel them. We decided we would employ our framework to construct a light-weight set of hashes expressly not detected by our chosen anti-virus product and feed those hashes directly into our custom security event management system. The results have been impressive: we've detected both adware and malware installed on visiting vendor computers that no single anti-virus product could have found for us.”

Additionally, earlier in 2013 Facebook had a campaign for investing some of the security issue and company found that a spike in malware samples containing the string 'J2ME' in the anti-virus signature. This malware was capable of stealing a victim's address book, sending premium SMS spam, and using the phone's camera to take pictures.

Further more, Facebook have analysed the threats with ThreatData. The below Map image shows a heat map of one month's worth of data with the ASN/ISP/Country data decoration, including color shading where one shade reflects the combined volume of both malicious and victimized IP addresses in one view. The inset pie chart breaks out U.S. IP addresses by ISP.

Read Also
Post a Comment