With an ever-increasing number of cyberattacks, it’s imperative that organizations have a way to facilitate sharing of attack data in order to defend themselves better. To that end, RiskIQ has teamed up with Facebook to provide a visual interface on top of the social network’s ThreatExchange product.
Members of the exchange will be able to send and receive data stored in ThreatExchange directly from the PassiveTotal platform.
Facebook’s ThreatExchange is a rich repository of threat intelligence data, gleaned from its various platforms. It uses an API approach that builds on its internal ThreatData system to create a social platform designed for sharing indicators like bad URLs and domains.
With the integration, RiskIQ customers can centralize data from ThreatExchange alongside critical data sets such as passive DNS, WHOIS and SSL certificates within PassiveTotal, and can automate the sharing of findings with the community.
"Sharing threat intelligence, whether it's private sharing of attack campaigns, long-form reports on threat actors or just public lists of indicators, is the most effective way for organizations to pre-empt and protect themselves from attacks," said Elias Manousos, CEO of RiskIQ. "We believe the process of sharing should occur without friction, and that's why we've added full integration of Facebook's ThreatExchange within the PassiveTotal platform. We are also sharing data from RiskIQ researchers with ThreatExchange to further arm the community with actionable intelligence."
To automate intelligence sharing with the ThreatExchange community, PassiveTotal allows users to set global controls on what data is shared, how, and with whom. Once the initial configuration is complete, users can simply begin searching within PassiveTotal much like they normally would. When data related to a search is found within ThreatExchange, PassiveTotal will display a tab and show the specific data along with who submitted it into the exchange. Additionally, when available, PassiveTotal will automatically extract details such as tags or the status of an indicator, including whether it’s malicious, suspicious, and so on.
For real-time sharing, PassiveTotal can be configured to automatically add findings to ThreatExchange as investigations are being conducted. For example, a group of individuals who know and trust each other can work as an ad-hoc team to help protect their peers' organizations while they are protecting their own company.
Ironically, the move echoes the benefits of social networking itself. “When it comes to data-sharing, we believe that the process should be tightly coupled with research,” said the company in a blog post. “An analyst shouldn't need to adjust their workflow in order to share critical indicators or attack information with others. Data made available to them should show up alongside their search results and content they deem shareable should automatically broadcast to those they trust. In other words, sharing should feel natural.”