Facebook ThreatExchange Lets Tech Firms Share Info on Security Threats

By David Cohen Comment

ThreatExchangeLogo650ThreatExchange may sound sinister, but it’s actually a way for tech companies to share information about malware and other security threats.

Facebook threat infrastructure team manager Mark Hammell introduced ThreatExchange in a note on the Protect the Graph page, saying that a malware-based spam attack last year was the impetus behind the initiative, and naming Pinterest, Tumblr, Twitter and Yahoo as early participants, while citing Bitly and Dropbox as more recent additions.

Hammell wrote in the note:

A little over a year ago, a group of technology companies came together to discuss a botnet that was spreading a malware-based spam attack on all of our services. We quickly learned that sharing with one another was key to beating the botnet because parts of it were hosted on our respective services and none of us had the complete picture. During our discussions, it became clear that what we needed was a better model for threat sharing.

Expanding on those conversations, Facebook offered to build what has now become ThreatExchange, an API-based (application-programming interface) platform for security threat information. It was natural for us because our core service is a platform for sharing and because we already had a threat analysis framework called ThreatData that we could build upon. Feedback from our early partners centered on the need for a consistent, reliable platform that could provide flexibility for organizations to be more open or selective about the information they share. As a result, we included a set of privacy controls so that participants can share only with the group or groups they wish.

ThreatExchange is built on the existing Facebook platform infrastructure, and we layered APIs on top of it so that partner companies can query the available threat information and also publish to all or a subset of participating organizations. Threat data is typically freely available information like domain names and malware samples, but for situations where a company might only want to share certain indicators with companies known to be experiencing the same issues, built-in controls make limited sharing easy and help avoid errors by using a pre-defined set of data fields.

We’re grateful to Pinterest, Tumblr, Twitter, and Yahoo for their early participation and helpful feedback in the development of ThreatExchange, and we’re excited to be welcoming new contributors like Bitly and Dropbox. If you’re interested in participating in our beta of ThreatExchange or have a feed we should consider integrating, please visit threatexchange.fb.com and fill out the form on the final page so that we can contact you as we continue growing the platform.

Our goal is that organizations anywhere will be able to use ThreatExchange to share threat information more easily, learn from each other’s discoveries and make their own systems safer. That’s the beauty of working together on security. When one company gets stronger, so do the rest of us.

Hammell also spoke with TechCrunch, saying:

We volunteered to build an external version based on one we had in-house that would help these other companies share this kind of information with each other or with broader community-based privacy controls we built and they chose to use.

This was purely the serendipity of the graph.

As we are building this platform, we have been pushing the intelligence around this botnet, and proactively blocking the spam.

Readers: How big of an issue have you found spam on Facebook to be?