FEEDS:- Feeds collect data from a specific source and are implemented via a light-weight interface. Here are some examples of feeds that Facebook has implemented and which are discussed in the notes:
- Malware file hashes from VirusTotal;
- Malicious URLs from multiple open source blogs and malware tracking sites;
- Vendor-generated threat intelligence we purchase;
- Facebook's internal sources of threat intelligence; and
- Browser extensions for importing data as a Facebook security team member reads an article, blog, or other content.
DATA STORAGE:- The data can be in nearly any format and is transformed by the feed into a simple schema, which Facebook calls a ThreatDatum. The datum is capable of storing not only the basics of the threat (e.g., evil-malware-domain.biz) but also the context in which it was bad. Once a feed has transformed the raw data, it is fed into two of our existing data repository technologies:
Hive storage is used to answer questions based on long-term data:
- Have we ever seen this threat before?
- What type of threat is more prevalent from our perspective: malware or phishing?
- What new malware are we seeing today?
- Where are most of the new phishing sites?
Beyond answering these questions, the collected data also drives automated responses:
- All malicious URLs collected from any feed are sent to the same blacklist used to protect people on facebook.com;
- Interesting malware file hashes are automatically downloaded from known malware repositories, stored, and sent for automated analysis; and
- Threat data is propagated to our homegrown security event management system, which is used to protect Facebook's corporate networks.
Furthermore, Facebook explained its approach to anti-virus as follows: “In a typical corporate environment, a single anti-virus product is deployed to all devices and used as a core defense. In reality, however, no single anti-virus product will detect all threats. Some vendors are great at detecting certain types of malware, while others can detect a wide array of threats but are more likely to mislabel them. We decided we would employ our framework to construct a light-weight set of hashes expressly not detected by our chosen anti-virus product and feed those hashes directly into our custom security event management system. The results have been impressive: we've detected both adware and malware installed on visiting vendor computers that no single anti-virus product could have found for us.”
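The feed interface, the ThreatDatum schema and the "hashes our chosen anti-virus misses" set described above, as an added illustrative example (not ThreatData's own code): the `Feed`, `HashFeed` and `ThreatDatum` names, the field layout and the sample hash records are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Iterable

# Hypothetical ThreatDatum: the normalized record every feed emits.
@dataclass(frozen=True)
class ThreatDatum:
    indicator: str          # e.g. a URL, domain or file hash
    kind: str               # "url", "domain" or "hash"
    source: str             # which feed produced it
    context: str            # why it was considered bad
    detections: frozenset = field(default_factory=frozenset)  # AV engines that flagged it

class Feed:
    """Minimal feed interface (assumed shape): raw records in, ThreatDatum out."""
    name = "base"
    def fetch(self) -> Iterable[dict]:
        raise NotImplementedError
    def transform(self, raw: dict) -> ThreatDatum:
        raise NotImplementedError
    def run(self) -> list:
        return [self.transform(r) for r in self.fetch()]

class HashFeed(Feed):
    """Constructed stand-in for a VirusTotal-style hash feed (sample data, not real)."""
    name = "vt-hashes"
    def fetch(self):
        # Constructed records: placeholder sha256 values plus the engines that detected them.
        return [
            {"sha256": "aa" * 32, "engines": ["EngineA", "EngineB"], "label": "Trojan.Generic"},
            {"sha256": "bb" * 32, "engines": ["EngineB"], "label": "J2ME.SMSSender"},
            {"sha256": "cc" * 32, "engines": ["EngineA"], "label": "Adware.Toolbar"},
        ]
    def transform(self, raw):
        return ThreatDatum(raw["sha256"], "hash", self.name, raw["label"], frozenset(raw["engines"]))

def undetected_by(data: Iterable[ThreatDatum], product: str) -> set:
    """Hashes flagged by some engine but not by the product we deploy. This is the
    set pushed to the SIEM, because the endpoint anti-virus alone would never alert on them."""
    return {d.indicator for d in data if d.kind == "hash" and product not in d.detections}

def seen_before(store: Iterable[ThreatDatum], indicator: str) -> bool:
    """The long-term 'have we ever seen this threat before?' query over the datum store."""
    return any(d.indicator == indicator for d in store)

if __name__ == "__main__":
    store = HashFeed().run()
    print(sorted(undetected_by(store, "EngineA")))
```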
Additionally, earlier in 2013, while investigating security issues, Facebook found a spike in malware samples containing the string 'J2ME' in the anti-virus signature. This malware was capable of stealing a victim's address book, sending premium SMS spam, and using the phone's camera to take pictures.
Furthermore, Facebook has analysed threats with ThreatData. The map image below shows a heat map of one month's worth of data with the ASN/ISP/Country data decoration, including colour shading where one shade reflects the combined volume of both malicious and victimized IP addresses in one view. The inset pie chart breaks out U.S. IP addresses by ISP.