CISA open-sources Thorium platform for malware, forensic analysis

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) today announced the public availability of Thorium, an open-source platform for malware and forensic analysts across the government, public, and private sectors.

Thorium was developed in partnership with Sandia National Laboratories as a scalable cybersecurity suite that automates many tasks involved in cyberattack investigations, and can schedule over 1,700 jobs per second and ingest over 10 million files per hour per permission group.

“Thorium enhances cybersecurity teams’ capabilities by automating analysis workflows through seamless integration of commercial, open-source, and custom tools,” CISA said on Thursday.

“It supports various mission functions, including software analysis, digital forensics, and incident response, allowing analysts to efficiently assess complex malware threats.”

Security teams can use Thorium for automating and speeding up various file analysis workflows, including but not limited to:

• Easily import and export tools to facilitate sharing across cyber defense teams,
• Integrate command-line tools as Docker images, including open-source, commercial, and custom software,
• Filter results using tags and full-text search,
• Control access to submissions, tools, and results with strict group-based permissions,
• Scale with Kubernetes and ScyllaDB to meet workload demands.

Defenders can find installation instructions and get their own copy of Thorium from CISA’s official GitHub repository.

“By publicly sharing this platform, we empower the broader cybersecurity community to orchestrate the use of advanced tools for malware and forensic analysis,” added CISA Associate Director for Threat Hunting Jermaine Roebuck.

“Scalable analysis of binaries as well as other digital artifacts further enables cybersecurity analysts to understand and address vulnerabilities in benign software.”

On Wednesday, CISA released the Eviction Strategies Tool, which helps security teams during the incident response by providing the necessary actions to contain and evict adversaries from compromised networks and devices.

Last year, the cyber defense agency also made its “Malware Next-Gen” analysis system publicly available, allowing the public to submit malware samples for analysis by CISA.

One year earlier, CISA started offering free security scans for critical infrastructure facilities to help protect them from hacker attacks.