Facebook Shows Off Epic ThreatData Security Platform

Social networking giant Facebook has revealed how it detects and remediates security events across its platform, using its own bespoke framework called ThreatData.

Described as “a framework for importing information about badness on the Internet in arbitrary formats”, ThreatData lets Facebook do security in real time, whilst efficiently collecting data for long-term analysis, according to a blog post from Mark Hammell, an engineer.

Facebook three-headed security beast

It consists of three parts: feeds, data storage, and real-time response. The feeds bring in data from a variety of sources, such as malware hashes from VirusTotal and malicious URLs from open source blogs and malware tracking sites.

This data is then fed into the storage side, which contains two repositories, called Hive and Scuba. Hive is used for long-term analysis of threat data, whilst Scuba is used to look at newer threats.

The real-time response includes a variety of automated actions, including blacklisting of malicious URLs collected from any feed and sending threat data to Facebook’s security platform that protects its corporate networks.

Facebook’s program has already thrown up a number of interesting cases and some positive actions from the social network.

“In the summer of 2013, we noticed a spike in malware samples containing the string ‘J2ME’ in the anti-virus signature. Further investigation revealed a spam campaign using fake Facebook accounts to send links to malware designed for feature phones,” said Hammell.

“The malware, specifically the Trojan:J2ME/Boxer family, was capable of stealing a victim’s address book, sending premium SMS spam, and using the phone’s camera to take pictures. With this discovery, we were able to analyse the malware, disrupt the spam campaign, and work with partners to disrupt the botnet’s infrastructure.”
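A signature-string spike of the kind Hammell describes can be surfaced by counting signature tokens per day and comparing each day with its own history. The sketch below is an added example, not Facebook's code; the record layout, thresholds, dates and the `Trojan:Win32/Sample` background signature are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (day, anti-virus signature); not real ThreatData output.
SAMPLES = []
for d in range(1, 8):
    day = f"2013-07-{d:02d}"
    SAMPLES += [(day, "Trojan:Win32/Sample")] * 6                   # steady background
    SAMPLES += [(day, "Trojan:J2ME/Boxer")] * (1 if d < 6 else 12)  # jump on days 6-7


def token_counts(samples):
    """Map token -> {day: number of samples whose signature contains that token}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, signature in samples:
        for token in set(re.split(r"[^A-Za-z0-9]+", signature)) - {""}:
            counts[token][day] += 1
    return counts


def find_spikes(samples, k=3.0, min_count=5, min_history=3):
    """Return sorted (token, day, count) where count exceeds mean + k*stddev of earlier days."""
    days = sorted({day for day, _ in samples})
    spikes = []
    for token, per_day in token_counts(samples).items():
        series = [per_day.get(d, 0) for d in days]
        for i in range(min_history, len(days)):
            history = series[:i]
            # Floor the deviation at 1 so a flat baseline does not flag tiny changes.
            limit = mean(history) + k * max(pstdev(history), 1.0)
            if series[i] >= min_count and series[i] > limit:
                spikes.append((token, days[i], series[i]))
    return sorted(spikes)


if __name__ == "__main__":
    for token, day, count in find_spikes(SAMPLES):
        print(f"{day}: {count} samples with '{token}' in the signature")
```

Generic tokens such as `Trojan` rise along with the family-specific ones, so an analyst would read the flagged tokens together or filter out the common type prefixes.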

Below is a map of malicious IPs detected by the system, showing plenty of action in the US:

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.