LIVERMORE, Calif. — A cybersecurity platform developed at Sandia National Laboratories to detect and analyze advanced malware threats is now publicly available, giving defenders across the public and private sectors access to tools previously used to help safeguard U.S. national security.
The platform, known as Thorium, is the product of a yearslong partnership between Sandia and the Cybersecurity and Infrastructure Security Agency. Since 2017, the joint Threat-Focused Reverse Engineering project has produced software analysis tools designed to counter the increasingly complex cyber threats targeting government systems and critical infrastructure.
As attackers continue to deploy more advanced malware, cyber defenders need to integrate a growing arsenal of analysis tools, along with legacy ones, to keep pace. Thorium addresses that challenge by serving as the central nervous system for this toolset, supporting automation and data processing. It allows cyber analysts to efficiently assess, triage and prioritize threats using a range of commercial, custom and open-source tools.
A history of battling malware
Thorium builds on decades of cybersecurity research at Sandia. In 2007, the Labs launched the FARM database, which has operated continuously since and now stores nearly 300 million malware samples, with projections it may surpass 1 billion within the next decade. FARM relies on Thorium to enable the rapid analysis needed to manage this influx of new samples.
“Thorium is the latest iteration in a series of platforms and tools Sandia has developed to automate malware analysis,” said Michael Carson, lead developer. “The team has learned a lot over that time, and Thorium is the end result.”
According to Carson, Thorium is “almost infinitely scalable” and built for “massive automation and customization.”
A tool for the broader community
With the release of Thorium as open source, Sandia is making it easier for organizations to adopt a common foundation for malware analysis.
The platform is built on Google’s Kubernetes container management system, which helps automate the scaling and deployment of software applications. By using an industry-standard format, Thorium allows security teams to easily develop, package and share tools across the malware analysis community.
“Enabling easy sharing and integration of malware analysis capabilities is the primary driver for open sourcing the Thorium platform,” said Kevin Hulin, capability manager. “By offering a baseline platform for free, we hope tool developers begin adopting it as a standard for how tools are deployed. That way, researchers can spend more time developing tools and less time solving system integration problems.”
Sandia is also applying machine learning to help process the massive volumes of data collected through the toolset, further accelerating analysis and insights.
Thorium is available for download through CISA’s GitHub repository.