For the better part of a decade, dozens of Sandia engineers, each working on pieces of a new national security tool alongside federal partners, have revolutionized cybersecurity forensics with the Thorium platform and tool suite.

Thorium, which was deployed in 2023, automates the most laborious tasks involved with investigating a cyberattack, giving highly trained analysts the ability to focus on thwarting advanced persistent threats from around the world.

“You could imagine how the advent of artificial intelligence and the proliferation and amount of data that exists on the internet enables adversaries,” project manager Kevin Hulin said. “Basically, anyone can develop malware. The threats are becoming much more voluminous. The threat is significant, and the need for automation is real.”

Finding a new way to thwart threats

Sandia recognized this fact in 2017, starting the work on automated malware analysis with a Laboratory Directed Research and Development project. Seeing the promise of the work, the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security became a sponsor, establishing the Threat Focused Reverse Engineering project.

The complexity of the malware threats and skill of the adversaries trying to unbalance the nation is also increasing, necessitating a nontraditional toolset — one that is able to pick apart malware.

“Historically this has been a very manual effort,” said current project lead Evan Roncevich. “What we wanted to address with TFRE were the difficult parts of reverse-engineering the malware and allow the analysts to better leverage automation in order to handle the complexity and larger volume of malware they are seeing.”

Advanced persistent threats

Analysts must break down a large piece of malware to figure out how it works, what artifacts it leaves behind and how to prevent it in the future. The stakes to get this analysis right and get it fast could not be higher, because advanced persistent threats — adversaries that have the funds, staff and infrastructure to threaten America and the patience to plan and execute attacks over long periods of time — continue to advance their digital weaponry.

“These are adversaries that can build malware with much more complexity than just some random individuals or small black-market organizations,” Evan said, adding that analysts must use today’s data to imagine future threats since those adversaries are continuing to escalate both the complexity and volume of their assaults.

In 2020, the Russian Foreign Intelligence Service executed a supply-chain based cyberattack against the SolarWinds IT Management platform, “giving [attackers] the ability to spy on and potentially disrupt more than 16,000 computer systems worldwide.”

“When the SolarWinds attack happened, the early response was to look through network logs and figure out what got compromised and when. These indicators of compromise are examples of threat intelligence that defenders use to discover and prevent further malicious activity,” Evan said. “These events and responses become critical to developing new forensics tools because you can develop and test these tools on what defenders are actually seeing in the wild.”

The Cybersecurity and Infrastructure Security Agency’s mission to respond to and triage cyber incidents relies upon creative investments into new data collection, analysis and pattern discovery capabilities such as Threat Focused Reverse Engineering develops to revolutionize its approach to malware analysis threat intelligence discovery.

“We’re really talking about the importance of threat intelligence — understanding the threat and who has been affected,” Evan said. “What consequences may have been realized that we otherwise would be unaware of?”

From research to real-world

But it is not a simple matter to generate new tools to counter new methods. The time involved in such analysis, coupled with the increasing complexity and number of attacks, made it necessary for Sandia’s engineers to solve problems that hadn’t yet been solved to breathe life into the Threat Focused Reverse Engineering suite.

“There were a number of more basic research challenges that were identified while the TFRE suite was being built,” deputy project lead Jina Lee said. That’s when the team connected with the Department of Homeland Security Science and Technology Directorate to help answer some fundamental reverse engineering questions that had yet to be researched. The answers turned into building blocks for the suite.

“There were cases where the TFRE tool was not able to even start the analysis,” Jina continued. “A sister project that was funded by the Science and Technology Directorate would then focus on that particular problem and develop solutions so that the TFRE tool could overcome that technical barrier. We took the capabilities to the next level to go beyond the big research roadblocks and advance the tools.”

For example, the Science and Technology Directorate has supported the advancement of a tool developed by Sandia that allows analysts to find a sample they suspect is bad, put it in through the system and connect it to another sample that’s already been attributed to some advanced persistent threat.

“We were taking these academic, cutting-edge research approaches and attempting to apply them to real-world examples. But they were failing,” Kevin added. “Our partnership with the Science and Technology Directorate helped us take these advancements in areas like abstract interpretation and machine learning and bring them to bear in new ways for software analysis.”

One team, one goal

Evan said that Sandia also engaged Cybersecurity and Infrastructure Security Agency analysts almost the entire way, building a true partnership through one project.

“We realized that building the capability was only half the problem,” Evan said. “The other half was making it actually human-usable so the analysts would want to use it. Their feedback was really important for us in integrating into their types of workflows instead of just building a tool and hoping that they would use it.”

Developing widespread APP-eal

The team hopes to make the tools developed through Thorium available to a variety of federal agencies and platforms. They envision an environment akin to an app store where analysts, researchers and developers can build, deploy and share their own tools across communities.

“This is a first step toward building a true community across the federal government and partners to build, develop and collaborate on advanced malware analysis capabilities,” Kevin said. “Our vision is that this is adopted as a standard for deploying malware analysis capabilities writ large.”

“Standardizing the way that tools get shared across the different agencies is ideal,” Evan said, “because once you do that then it becomes a lot easier to do this app store idea. Then agencies can quickly get their hands on the latest and greatest malware analysis capabilities, TFRE or otherwise.”

Eyes on the future

The team continues to work with the Cybersecurity and Infrastructure Security Agency to refine Thorium.

“Over the next year, we’re going to be working with engineering contractors to get it fully integrated into their production operation environment,” Kevin said. “We are excited to continue this relationship, share these capabilities and improve them as we need them.”

“There is an ever-growing threat of malware that the U.S. deals with — more complicated malware and more volume of malware,” Evan said. “A lot of the capabilities in Thorium can do malware analysis in ways that didn’t exist before us. Ways that will hopefully make the nation a lot safer.”