With an ever-increasing number of cyber attacks, it’s imperative that organizations have a way to facilitate sharing of attack data in order to defend themselves. Rather than re-create yet another solution, we decided to team up with Facebook and provide a visual interface on top of their ThreatExchange product. Starting today, members of the exchange will now be able to send and receive data stored in ThreatExchange directly from the PassiveTotal platform.
When it comes to data sharing, we believe that the process should be tightly coupled with research. An analyst shouldn't need to adjust their workflow in order to share critical indicators or attack information with others. Data made available to them should show up alongside their search results and content they deem sharable should automatically broadcast to those they trust. In order words, sharing should feel natural.
The current state of sharing in information security is complicated and diverse. With a number of competing standards and different storage solutions, it’s difficult to identify where to start. As a result, email tends to be the preferred medium for sharing which doesn’t scale or allow for easy automation.
It was important for us to tackle the frustrations of sharing data when creating the ThreatExchange integration. Members who associate their application details will get access to a set of global controls on how, with whom and what data is shared when researching inside the platform.
By default, integrations will automatically share tags, classifications and severity back to ThreatExchange with the privacy set to only be viewable by your application. Users looking to share with a wider audience can select to share with everyone. Additionally, we recognize that not everyone will want to share data to Facebook automatically. Setting the syncing method to manual will allow the user to choose which data, if any, gets shared back to Facebook on a case-by-case basis.
Once activated, members will instantly gain the benefit of the graph as they conduct searches within the platform. PassiveTotal will automatically query ThreatExchange for threat indicators (other bad items), threat descriptors (what others say about an item) and malware analyses (automated analysis) related to the indicator being searched for in PassiveTotal. The result is a seamless collaboration amongst others inside of the exchange with literally no change to your workflow.
In teaming up with Facebook, we hope to automate a lot of the pain away from sharing. Our goal is to get to a point where analysts inside PassiveTotal no longer think about what to share, and instead just focus on what to research. Over the next several months, we will continue to improve this integration and work with Facebook engineers to suggest improvements to ThreatExchange. If you have any ideas or comments, feel free to send us a message at firstname.lastname@example.org