Facebook ThreatExchange Platform Latest Hope for Information Sharing

Facebook announced ThreatExchange, an API-based platform for the exchange of attack and threat data.

Facebook, with its giant infrastructure and its equally wide view into Internet attacks, has built an information-sharing platform that it hopes will entice other big technology companies to join and contribute threat data and indicators of compromise.

The platform, called ThreatExchange, already counts Pinterest, Yahoo, Tumblr, Twitter, Bitly and Dropbox among its early members. The cost is free, and most of the heavy lifting is done by Facebook’s infrastructure. The platform developers were also cognizant of some of the concerns enterprises have about sharing threat data, from both a competitive and risk management standpoint. Privacy controls are built in to ThreatExchange that not only sanitize information provided by members, but also allows contributors to share data with all of the exchange’s members, or only particular subsets.

In addition to threat information shared by contributors, open source threat intelligence feeds are pulled into the platform. Mark Hammell, manager of Facebook’s threat infrastructure team, would not identify any of the open source feeds until some legal machinations are worked out. Facebook will homogenize all of those respective feeds’ data formats and make them consumable via ThreatExchange.

“We’re able to leverage a huge community doing security research independently and give them a platform,” Hammell said.

Hammell said he hopes the initial partner list grows to include other technology companies with a large Internet footprint. Microsoft, for example, has developed its own information sharing platform called Interflow, while the FBI announced last winter that it was releasing an unclassified version of its malware repository in the hopes of spurring public-private sharing of threat data.

“If some reasonably large Internet properties cooperate on attacks they’ve seen and responded to, the vast majority of the Internet will be safer,” Hammell said. “We want to bring in more companies like that and eventually broaden it beyond big companies to smaller web properties and researchers. We want to create a forum where we can share attack and threat information in an easy way and share it with as many who want to receive it.

“We realize that any problem that affects the Internet affects our products in lockstep,” Hammell said. “The corollary there is that the more we can do to take on larger problems the Internet is facing, the better our products will be and the safer the Internet will be.”

ThreatExchange is an API-based exchange; IT admins will be able to consume threat data via the APIs and write signatures and other protections accordingly. Participants can share threat data such as malware samples, lists of malicious URLs and other indicators of compromise that make sense. While participants will be able to see the data, the will not be able to tell where it’s coming from, though everyone will have access to list of members.

“You can see URLs that are known as bad, or metadata, but you cannot tell where it’s coming from; there is no attribution in the data,” Hammell said. Privacy controls within the framework allow contributors to publish breach data such as domains used in an attack or malware hashes and select who sees it. Facebook said there was one added use case where a contributor is allowed to select only specific other organizations to share data with.

“The classic example is an attack you’re investigating where only you and a few companies are targeted,” Hammell explained. “They can collaborate together on that particular attack and share data, but perhaps they don’t feel it’s appropriate to go wider because it may tip their hand and alert the attacker, or it would not be beneficial to the investigation if others started poking at the infrastructure and possibly disrupt the work they’re doing. It’s an important scenario to get right.”

Hammell added that the platform is free, and the intent is for it to stay that way.

“We want the platform to be a medium to share what people want to share,” he said.

Suggested articles