CISA Announces Release of Thorium for Malware Analysis
WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with Sandia National Laboratories, released Thorium, an automated, scalable malware and forensic analysis platform that can integrate commercial, custom and open-source analysis tools and enable cyber defenders to quickly assess malware threats and index forensic analysis results into a unified platform.
Advanced persistent threats using malware continue to increase in volume and complexity. Malware analysis and forensics must be done accurately and quickly to enable organizations to defend their networks. However, malware analysts across the government, public and private sectors face vast amounts of malware, must manage a long list of analysis tools with specific capabilities, and lack the time and resources to effectively analyze the threat.
Thorium allows cyber defenders to integrate their preferred tools into a single platform that orchestrates customized and automated analysis workflows at scale, to analyze large amounts of malware quickly, and to add and remove tools quickly as malware threats evolve. Thorium is configured to ingest over 10 million files per hour per permission group and schedule over 1,700 jobs per second, while maintaining fast results queries.
"The Thorium framework underscores CISA's focus and commitment to provide valuable services and resources at scale that help government and critical infrastructure protect against cyber threats and strengthen their cybersecurity. By publicly sharing this platform, we empower the broader cybersecurity community to orchestrate the use of advanced tools for malware and forensic analysis," said CISA Associate Director for Threat Hunting Jermaine Roebuck. "With our partners at Sandia National Laboratories, we are enabling analysts nationwide to contribute insights and benefit from shared knowledge. Scalable analysis of binaries as well as other digital artifacts further enables cybersecurity analysts to understand and address vulnerabilities in benign software."
Cybersecurity teams with frequent file analysis workflows can use Thorium to:
- Integrate command-line tools as Docker images (free and open-source software, commercial off-the-shelf, custom, etc.). With additional configuration, integrate virtual machine and bare-metal tools.
- Filter tool results using tags and full-text search.
- Control how submissions, tools, and results can be accessed by using strict group-based permissions.
- Scale with hardware using the power of Kubernetes and ScyllaDB to meet workload requirements.
- Import and export tools for ease of sharing across cyber defense teams.
For more information and installation instructions, visit Thorium on CISA.gov. For more cybersecurity services offered by CISA, visit Free Cybersecurity Services & Tools.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.