CISA Launches Automated Malware Analysis Platform
To help cyber defenders automate workflows at scale, the Cybersecurity and Infrastructure Security Agency (CISA) has announced its launch of a new file analysis platform. Named Thorium, the platform uses commercial, open-source and custom tools to support cybersecurity teams across all industries.
The initiative was developed in partnership with the Intelligence Advanced Research Projects Activity (IARPA) and Sandia National Laboratories.
“The Thorium framework underscores CISA's focus and commitment to provide valuable services and resources at scale that help government and critical infrastructure protect against cyber threats and strengthen their cybersecurity,” said CISA's associate director for threat hunting, Jermaine Roebuck. “By publicly sharing this platform, we empower the broader cybersecurity community to orchestrate the use of advanced tools for malware and forensic analysis.”
With Thorium, cybersecurity teams can fuse their preferred tools into a single automated workflow platform to detect and analyze malware at a rapid pace. Tools can also be added to or removed from the platform as threats evolve.
“Thorium is configured to ingest over 10 million files per hour per permission group and schedule over 1,700 jobs per second, while maintaining a fast results query,” the CISA press release stated.
Other platform features include user-friendly interfaces, near zero-cost analysis tool integration, full-text analysis results search and more. According to a fact sheet posted on CISA’s website, analysts can use Thorium for easy tool integration, filtering, security, scalability, pipelining, workflow integration, results aggregation and tool sharing.
"Thorium is a big step forward for scalable malware and forensic analysis," GovDash's senior GTM enablement and programs manager, Brittany Winkler, told SIGNAL Media. "It gives security teams, both in government and industry, a more automated, structured way to handle massive file volumes. From a GovCon [government contracting] lens, it helps close the gap between mission needs and available resources by making advanced analysis more accessible and repeatable."
As prerequisites, Thorium requires a deployed Kubernetes cluster, block store and object store. Additionally, familiarity with Docker containers and computer cluster management is needed.
“With our partners at Sandia National Laboratories, we are enabling analysts nationwide to contribute insights and benefit from shared knowledge. Scalable analysis of binaries as well as other digital artifacts further enables cybersecurity analysts to understand and address vulnerabilities in benign software,” Roebuck said.