Facebook announced a new repository this morning for sharing information about malware threats called ThreatExchange. Using a familiar Facebook look and feel, with APIs for querying and publishing threat data, the system is designed to allow companies to contribute information about common attacks, and thereby make it safer for the group.
Early partners include Pinterest, Tumblr, Twitter and Yahoo. Dropbox and bit.ly have since come on board.
There is a growing feeling among security industry observers that there is safety in the herd, that the sheer number of threats has become too great for any one company to handle on its own.
The genesis for ThreatExchange began about a year ago when Facebook was experiencing a nasty spam-driven malware attack, Mark Hammell, manager of the Facebook threat infrastructure team, told TechCrunch. He decided to contact other companies, which also had a sizable user bases to see if they were experiencing similar attacks.
All of the partners recognized there was a common goal here and finding information on the type of malware, the source domains, the IP addresses involved and the nature of the malware itself, was key to the success of the group in battling these types of attacks.
While the participating companies recognized the need for this type of system, nobody had actually come forward and taken the lead in the past. Facebook had been building a platform in-house for compiling this type of information using the Facebook platform.
They believed that using the Facebook Graph, which helps you see connections among your friends, they could also see connections about the hackers and their methodologies. It made sense to use that existing, commonly understood Facebook core as a basis for what would become ThreatExchange.
“We volunteered to build an external version based on one we had in-house that would help these other companies share this kind of information with each other or with broader community-based privacy controls we built and they chose to use,” Hammell explained.
Facebook built APIs on top of this platform for querying and publishing information with everyone or with a specific group of companies, and ThreatExchange was born.
The system includes this group discussions capability because different member groups over time might not see the attacks as equally grave. What one company considers spam, another might just consider noise, and it was important to build a mechanism to let companies with a common set of goals or problems communicate with one another.
Members can publish information, search the database and begin to build the connections between attacks that can help them get to the core of the problem. One partner company was able to query the database, trace connections using the graph, and find the original employee who had been compromised, Hammell explained.
“This was purely the serendipity of the graph,” he said. They couldn’t have found this information simply by sharing or talking to one another, yet they were able to dig deeper because of the shared information, and the design of the platform, and find their way back to the source of the problem.
Facebook recognized that privacy concerns have held companies back from sharing this kind of information in the past, but Hammell is careful to point out that the threat information tends to be public like domain names and IP addresses, and companies are free to share as much or as little as they want with the entire project or with a defined group of participating companies.
Hammell also points out the sharing APIs are only available to partner organizations, not publicly accessible.
In initial testing, the partners have found it is working well, and companies are sharing information and they have found a way to proactively attack the botnet that was the impetus for the project.
“As we are building this platform, we have been pushing the intelligence around this botnet, and proactively blocking the spam.” They couldn’t have done that without data coming to the platform.
As Hammell wrote in a blog post announcing the project, “That’s the beauty of working together on security. When one company gets stronger, so do the rest of us.”
And over time, it’s very likely this type of threat information sharing could become the norm and be a key weapon in the continuing battle against the growing number of cybersecurity threats.