8 Years in the Making: Sandia Team Creates Malware Detection Software with Livermore HPC

Sandia team that developed Thorium includes, from right, project lead Evan Roncevich, project manager Kevin Hulin, lead developer Michael Carson and programmers Gavin Baker and Jake Hamzawi. (Photo by Randy Wong)

A cybersecurity platform, under development for eight years at Sandia National Laboratories to detect and analyze advanced malware threats, is now publicly available, giving defenders in the public and private sectors access to tools currently used to help safeguard U.S. national security.

The platform, known as Thorium, is the product of a yearslong partnership between Sandia and the Cybersecurity and Infrastructure Security Agency. Since 2017, the joint Threat-Focused Reverse Engineering project has produced software analysis tools designed to counter increasingly complex cyber threats targeting government systems and critical infrastructure.

As attackers continue to deploy more advanced malware, cyber defenders need to integrate a growing arsenal of analysis tools to keep pace. Thorium addresses that challenge by serving as a central nervous system of this toolset, supporting automation and data processing. It allows cyber analysts to efficiently assess, triage and prioritize threats using a range of commercial, custom and open-source tools.

Thorium builds on decades of cybersecurity research at Sandia. In 2007, the labs launched the Forensic Analysis Repository for Malware database, which has operated continuously since and now stores nearly 300 million malware samples, with projections it may surpass 1 billion within the next decade. FARM relies on Thorium to enable the rapid analysis needed to manage this influx of new samples.

“Thorium is the latest iteration in a series of platforms and tools Sandia has developed to automate malware analysis,” lead developer Michael Carson said. “The team has learned a lot over that time, and Thorium is the end result.”

According to Carson, Thorium is “almost infinitely scalable” and built for “massive automation and customization.”

According to a story in The Independent, a news publication covering the Livermore, CA, area, Thorium coding and testing happens at Lawrence Livermore National Laboratory.

“This is where everyone on the team works. It’s where all of the internal high-performance computers we use are located,” Carson told The Independent.

Sandia is also applying machine learning to help process the massive volumes of data collected through the toolset, further accelerating analysis and insights.

With the release of Thorium as open-source, Sandia hopes to make it easier for organizations to adopt a common foundation for malware analysis.

The platform is built on Google’s Kubernetes container management system, which helps automate the scaling and deployment of software applications. By using an industry-standard format, Thorium allows security teams to develop, package and share tools across the malware analysis community.

“Enabling easy sharing and integration of malware analysis capabilities is the primary driver for open sourcing the Thorium platform,” capability manager Kevin Hulin said. “By offering a baseline platform for free, we hope tool developers begin adopting it as a standard for how tools are deployed. That way, researchers can spend more time developing tools and less time solving system integration problems.”

Thorium is available for download through CISA’s GitHub repository.

source: Michael Ellis Langley, Sandia Labs