Cybersecurity Suite Now on Duty Defending the Nation

“When the SolarWinds attack happened, the early response was to look through network logs and figure out what got compromised and when. These indicators of compromise are examples of threat intelligence that defenders use to discover and prevent further malicious activity,” Evan said. “These events and responses become critical to developing new forensics tools because you can develop and test these tools on what defenders are actually seeing in the wild.”

The Cybersecurity and Infrastructure Security Agency’s mission to respond to and triage cyber incidents relies upon creative investments into new data collection, analysis and pattern discovery capabilities such as Threat Focused Reverse Engineering develops to revolutionize its approach to malware analysis threat intelligence discovery.

“We’re really talking about the importance of threat intelligence — understanding the threat and who has been affected,” Evan said. “What consequences may have been realized that we otherwise would be unaware of?”

From research to real-world

But it is not a simple matter to generate new tools to counter new methods. The time involved in such analysis, coupled with the increasing complexity and number of attacks, made it necessary for Sandia’s engineers to solve problems that hadn’t yet been solved to breathe life into the Threat Focused Reverse Engineering suite.

“There were a number of more basic research challenges that were identified while the TFRE suite was being built,” deputy project lead Jina Lee said. That’s when the team connected with the Department of Homeland Security Science and Technology Directorate to help answer some fundamental reverse engineering questions that had yet to be researched. The answers turned into building blocks for the suite.

“There were cases where the TFRE tool was not able to even start the analysis,” Jina continued. “A sister project that was funded by the Science and Technology Directorate would then focus on that particular problem and develop solutions so that the TFRE tool could overcome that technical barrier. We took the capabilities to the next level to go beyond the big research roadblocks and advance the tools.”

For example, the Science and Technology Directorate has supported the advancement of a tool developed by Sandia that allows analysts to find a sample they suspect is bad, put it in through the system and connect it to another sample that’s already been attributed to some advanced persistent threat.

“We were taking these academic, cutting-edge research approaches and attempting to apply them to real-world examples. But they were failing,” Kevin added. “Our partnership with the Science and Technology Directorate helped us take these advancements in areas like abstract interpretation and machine learning and bring them to bear in new ways for software analysis.”

One team, one goal

Evan said that Sandia also engaged Cybersecurity and Infrastructure Security Agency analysts almost the entire way, building a true partnership through one project.

“We realized that building the capability was only half the problem,” Evan said. “The other half was making it actually human-usable so the analysts would want to use it. Their feedback was really important for us in integrating into their types of workflows instead of just building a tool and hoping that they would use it.”

Developing widespread APP-eal

The team hopes to make the tools developed through Thorium available to a variety of federal agencies and platforms. They envision an environment akin to an app store where analysts, researchers and developers can build, deploy and share their own tools across communities.

“This is a first step toward building a true community across the federal government and partners to build, develop and collaborate on advanced malware analysis capabilities,” Kevin said. “Our vision is that this is adopted as a standard for deploying malware analysis capabilities writ large.”

“Standardizing the way that tools get shared across the different agencies is ideal,” Evan said, “because once you do that then it becomes a lot easier to do this app store idea. Then agencies can quickly get their hands on the latest and greatest malware analysis capabilities, TFRE or otherwise.”

Eyes on the future

The team continues to work with the Cybersecurity and Infrastructure Security Agency to refine Thorium.

“Over the next year, we’re going to be working with engineering contractors to get it fully integrated into their production operation environment,” Kevin said. “We are excited to continue this relationship, share these capabilities and improve them as we need them.”

“There is an ever-growing threat of malware that the U.S. deals with — more complicated malware and more volume of malware,” Evan said. “A lot of the capabilities in Thorium can do malware analysis in ways that didn’t exist before us. Ways that will hopefully make the nation a lot safer.”

Michael Ellis Langley is on the media staff at Sandia National Laboratories in Livermore. The article was originally posted to the website of the Sandia National Laboratories.