Sandia Lab News

Cybersecurity suite that helps protect nation now available to public


ARCHITECTS OF SECURITY — The Sandia team that developed the Thorium suite includes, from right, project lead Evan Roncevich, project manager Kevin Hulin, lead developer Michael Carson and programmers Gavin Baker and Jake Hamzawi. (Photo by Randy Wong)

A cybersecurity platform developed at Sandia to detect and analyze advanced malware threats is now publicly available, giving defenders across the public and private sectors access to tools currently used to help safeguard U.S. national security.

The platform, known as Thorium, is the product of a yearslong partnership between Sandia and the Cybersecurity and Infrastructure Security Agency. Since 2017, the joint Threat-Focused Reverse Engineering project has produced software analysis tools designed to counter increasingly complex cyber threats targeting government systems and critical infrastructure.

As attackers continue to deploy more advanced malware, cyber defenders need to integrate a growing arsenal of analysis tools to keep pace. Thorium addresses that challenge by serving as a central nervous system of this toolset, supporting automation and data processing. It allows cyber analysts to efficiently assess, triage and prioritize threats using a range of commercial, custom and open-source tools.
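The orchestration pattern described above, as an added illustration that is not Thorium's code or API (this page shows neither): a hypothetical Python pipeline fans one sample out to a set of pluggable analysis tools, keeps a failing tool from taking the whole run down, and folds the findings into a priority score so analysts see the worst samples first. The tool set (hashing, magic-byte typing, Shannon entropy as a packing hint, string indicators), the indicator list, the scoring weights and the constructed sample bytes are all assumptions made for the example.

```python
"""Illustrative triage pipeline: one orchestrator, many pluggable tools.

Hypothetical example written for this article; it is not Thorium's code.
"""
import hashlib
import math
import re
from typing import Any, Callable, Dict

# A tool takes raw sample bytes and returns structured findings.
Tool = Callable[[bytes], Dict[str, Any]]


def hashes(sample: bytes) -> Dict[str, Any]:
    """Identity tool: hashes used to dedupe against a sample repository."""
    return {"md5": hashlib.md5(sample).hexdigest(),
            "sha256": hashlib.sha256(sample).hexdigest()}


def file_type(sample: bytes) -> Dict[str, Any]:
    """Format sniffing by magic bytes (PE, ELF, PDF, ZIP/OOXML/JAR)."""
    magic = {b"MZ": "pe", b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
    for prefix, name in magic.items():
        if sample.startswith(prefix):
            return {"type": name}
    return {"type": "unknown"}


def entropy(sample: bytes) -> Dict[str, Any]:
    """Shannon entropy in bits per byte; above 7.0 is a common packed/encrypted hint."""
    if not sample:
        return {"entropy": 0.0, "packed": False}
    counts = [0] * 256
    for b in sample:
        counts[b] += 1
    n = len(sample)
    h = -sum(c / n * math.log2(c / n) for c in counts if c)
    return {"entropy": round(h, 3), "packed": h > 7.0}


# Assumed indicator list for the example; a real deployment would use YARA or similar.
SUSPICIOUS = re.compile(
    rb"(?i)(https?://[^\s\"'\x00]+|cmd\.exe|powershell|VirtualAlloc|CreateRemoteThread)"
)


def strings_scan(sample: bytes) -> Dict[str, Any]:
    """Indicator strings found in the raw bytes, deduplicated and sorted."""
    found = [m.group(0).decode("latin-1") for m in SUSPICIOUS.finditer(sample)]
    return {"indicators": sorted(set(found))}


# Registry of tools the orchestrator fans out to; adding a tool is one entry here.
TOOLS: Dict[str, Tool] = {
    "hashes": hashes,
    "file_type": file_type,
    "entropy": entropy,
    "strings": strings_scan,
}


def run_tools(sample: bytes, tools: Dict[str, Tool] = TOOLS) -> Dict[str, Dict[str, Any]]:
    """Run every registered tool. A crashing tool is recorded as an error
    result rather than aborting the run, so one bad parser cannot stall the queue."""
    results: Dict[str, Dict[str, Any]] = {}
    for name, tool in tools.items():
        try:
            results[name] = tool(sample)
        except Exception as exc:  # tool isolation is the point here
            results[name] = {"error": repr(exc)}
    return results


def triage_score(results: Dict[str, Dict[str, Any]]) -> int:
    """Fold tool output into a 0-100 priority (weights are assumptions)."""
    score = 0
    if results.get("file_type", {}).get("type") in ("pe", "elf"):
        score += 30  # native executable
    if results.get("entropy", {}).get("packed"):
        score += 30  # likely packed or encrypted payload
    score += 10 * len(results.get("strings", {}).get("indicators", []))
    return min(score, 100)


def triage(sample: bytes) -> Dict[str, Any]:
    """Full pipeline: fan out, then prioritize."""
    results = run_tools(sample)
    return {"score": triage_score(results), "results": results}


# Constructed sample: a fake PE header followed by a loader-like string blob.
SAMPLE = (b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
          + b"VirtualAlloc\x00CreateRemoteThread\x00http://198.51.100.7/stage2\x00")

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Each tool only has to honor the bytes-in, dict-out contract, which is what makes the registry the integration point: a commercial, custom or open-source tool plugs in without the orchestrator knowing anything about it. The same isolation idea applies when tools run as separate containers rather than in-process functions.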

A history of battling malware

Thorium builds on decades of cybersecurity research at Sandia. In 2007, the Labs launched the Forensic Analysis Repository for Malware (FARM) database, which has operated continuously since and now stores nearly 300 million malware samples, with projections that it may surpass 1 billion within the next decade. FARM relies on Thorium for the rapid, automated analysis needed to keep up with the influx of new samples.

“Thorium is the latest iteration in a series of platforms and tools Sandia has developed to automate malware analysis,” lead developer Michael Carson said. “The team has learned a lot over that time, and Thorium is the end result.”

According to Michael, Thorium is “almost infinitely scalable” and built for “massive automation and customization.”

A tool for the broader community

With the open-source release of Thorium, Sandia is making it easier for organizations to adopt a common foundation for malware analysis.

The platform is built on Kubernetes, the container orchestration system originally developed by Google and now maintained by the Cloud Native Computing Foundation, which automates the deployment and scaling of containerized applications. Because analysis tools are packaged in an industry-standard container format, security teams can develop, package and share them across the malware analysis community without bespoke integration work.

“Enabling easy sharing and integration of malware analysis capabilities is the primary driver for open sourcing the Thorium platform,” capability manager Kevin Hulin said. “By offering a baseline platform for free, we hope tool developers begin adopting it as a standard for how tools are deployed. That way, researchers can spend more time developing tools and less time solving system integration problems.”

Sandia is also applying machine learning to help process the massive volumes of data collected through the toolset, further accelerating analysis and insights.

Thorium is available for download through CISA’s GitHub repository.

Recent articles by Michael Ellis Langley