CISA Open-sources Thorium, a Malware and Forensic Analysis Platform
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with Sandia National Laboratories, today announced the public release of Thorium, a highly scalable and distributed platform designed for automated file analysis and result aggregation.
The new tool aims to significantly enhance the capabilities of cybersecurity teams by automating complex analysis workflows and integrating a wide array of commercial, open-source, and custom-built tools.
Thorium is engineered to support a variety of critical mission functions, including in-depth software analysis, digital forensics, and incident response.
It provides analysts with a unified system to efficiently assess sophisticated malware threats. Teams that regularly analyze large volumes of files can leverage Thorium to implement scalable automation and index results, streamlining their operations.
“The goal of Thorium is to enable cyber defenders to bring automation to their existing analysis workflows through simple tool integration and intuitive event-driven triggers,” CISA stated in its announcement.
Key features of the platform include easy tool integration, allowing analysts to incorporate command-line tools packaged as Docker images.
It also offers filtering of results through tags and full-text search, and enforces strict group-based permissions that control access to submissions, tools, and results.
Feature | Description |
---|---|
Easy Tool Integration | Integrate command-line tools as Docker images, including open-source, commercial, and custom tools. |
Filtering | Filter analysis results using tags and full-text search for efficient data handling. |
Security | Enforce group-based permissions to control access to submissions, tools, and results. |
Scalability | Supports high workload demands using Kubernetes and ScyllaDB; can ingest over 10 million files/hour per group. |
Pipelining | Define event triggers and execution sequences to automate workflows. |
Workflow Integration | Control the platform via RESTful API, web interface, or command-line utility for seamless workflow. |
Result Aggregation | Aggregate and index tool outputs for deeper analysis and integration with downstream processes. |
Tool Sharing | Import and export tools easily for sharing across cyber defense teams. |
One of Thorium’s most notable attributes is its scalability. Built on Kubernetes and ScyllaDB so that capacity grows with the underlying hardware, the platform can ingest over 10 million files per hour per permission group and schedule more than 1,700 jobs per second, while maintaining fast query performance over results.
The platform allows users to define event triggers and tool execution sequences to automate entire workflows. It can be fully controlled via a RESTful API and offers a web-based interface or a command-line utility for easy access.
Furthermore, Thorium aggregates and indexes tool outputs, preparing them for deeper analysis or for use by other downstream processes.
Example use cases highlighted by CISA include triaging malware with static and dynamic analysis tools, automatically processing host forensic artifacts like emails and memory images, and conducting performance assessments of various tools on benchmark datasets.
CISA encourages cybersecurity teams to adopt Thorium. Deploying the platform requires a Kubernetes cluster, block store, and object store, as well as familiarity with Docker containers. The agency is actively seeking feedback from users to further enhance Thorium’s capabilities.