Cybersecurity Suite Now on Duty Defending the Nation

By Michael Ellis Langley

Published 16 September 2024

For the better part of a decade, dozens of Sandia engineers, each working on pieces of a new national security tool alongside federal partners, have revolutionized cybersecurity forensics with the Thorium platform and tool suite.

Thorium, which was deployed in 2023, automates the most laborious tasks involved with investigating a cyberattack, giving highly trained analysts the ability to focus on thwarting advanced persistent threats from around the world.

“You could imagine how the advent of artificial intelligence and the proliferation and amount of data that exists on the internet enables adversaries,” project manager Kevin Hulin said. “Basically, anyone can develop malware. The threats are becoming much more voluminous. The threat is significant, and the need for automation is real.”

Finding a new way to thwart threats

Sandia recognized this fact in 2017, starting the work on automated malware analysis with a Laboratory Directed Research and Development project. Seeing the promise of the work, the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security became a sponsor, establishing the Threat Focused Reverse Engineering project.

The complexity of the malware threats and the skill of the adversaries trying to unbalance the nation are also increasing, necessitating a nontraditional toolset — one that is able to pick apart malware.

“Historically this has been a very manual effort,” said current project lead Evan Roncevich. “What we wanted to address with TFRE were the difficult parts of reverse-engineering the malware and allow the analysts to better leverage automation in order to handle the complexity and larger volume of malware they are seeing.”

Advanced persistent threats

Analysts must break down a large piece of malware to figure out how it works, what artifacts it leaves behind and how to prevent it in the future. The stakes to get this analysis right and get it fast could not be higher, because advanced persistent threats — adversaries that have the funds, staff and infrastructure to threaten America and the patience to plan and execute attacks over long periods of time — continue to advance their digital weaponry.

“These are adversaries that can build malware with much more complexity than just some random individuals or small black-market organizations,” Evan said, adding that analysts must use today’s data to imagine future threats since those adversaries are continuing to escalate both the complexity and volume of their assaults.

In 2020, the Russian Foreign Intelligence Service executed a supply-chain-based cyberattack against the SolarWinds IT management platform, “giving [attackers] the ability to spy on and potentially disrupt more than 16,000 computer systems worldwide.”