CISA unveils free Thorium malware analysis platform
Cyber defenders will now have access to a new free malware analysis platform thanks to the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy’s Sandia National Laboratories.
On Thursday, the organizations announced the release of Thorium, an automated malware and forensic analysis platform that CISA says can “integrate commercial, custom and open-source analysis tools and enable cyber defenders to quickly assess malware threats and index forensic analysis results into a unified platform.”
The goal of Thorium is to enable cyber defenders to bring automation to their existing analysis through simple tool integration and event-driven triggers, CISA said, adding that it is built to support cybersecurity teams across mission functions — from software analysis to digital forensics to incident response.
Mike Compton, deputy section chief of code & media analysis at CISA, told Recorded Future News they have been working with Sandia National Laboratories for years on ways to streamline CISA’s work. Compton’s office provides malware analysis services to the entire federal community and to critical infrastructure organizations.
One of the key challenges they face is the broad range of malware they handle, which requires specialized tools able to analyze specific capabilities, functions or elements. Adversaries constantly deploy new malware, forcing defenders to repeatedly develop new ways to analyze it.
“We're constantly developing new tools, or acquiring new tools to do this kind of thing, and one of the problems we face is organizing and applying these tools in an effective fashion,” Compton said. “Sandia has helped us identify that and took a crack at helping us develop a solution to make that job easier.”
Thorium is customizable and allows defenders to use a single platform to automate analysis, examine large amounts of malware quickly and remove or add tools as threats evolve.
Michael Carson, a cybersecurity engineer at Sandia National Laboratories, led the creation of Thorium and said the goal was to reduce the cost and time associated with malware analysis — which can be burdensome for many organizations.
Both Compton and Carson believe malware analysts will find the most use for the tool initially but foresee a future where a wider audience of IT professionals will see value in it, particularly those who don't have in-house malware analysis capability.
“They can use this tool to knock out a lot of the low-hanging fruit and do a lot of the automated, quick analysis they need to do to get indicators so they can mitigate the threats that are targeting their networks,” Compton said.
Compton explained that his office works with many federal malware analysis teams that face issues similar to its own, many of which can be solved by Thorium.
“Thorium is not a silver bullet. It's not going to solve all your problems. It's not going to end the malware threat tomorrow, but it is a step forward in establishing a platform that the entire community can use and we can all contribute to, which is going to help us share tools, share capability, share analysis,” he said.
“And if we can do that, if we can start to collaborate more and share these tools and get on the same page, that's only going to strengthen us and help us mitigate the threat.”
CISA Associate Director for Threat Hunting Jermaine Roebuck added that they wanted to make the platform free to “empower the broader cybersecurity community to orchestrate the use of advanced tools for malware and forensic analysis.”
“In addition, scalable analysis of binaries as well as other digital artifacts further enables cybersecurity analysts to understand and address vulnerabilities in benign software,” he said.
CISA has released several other free platforms built to help defenders, including an Eviction Strategies Tool that helps them create tailored response plans and adversary eviction strategies within minutes.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.