Automating National Cyber Threat Intelligence: A Dissemination and Archiving Architecture
A technical and strategic review of the automated architecture developed to manage the time factor in cyber incident response processes and ensure the continuity of USOM-sourced data.
In today’s digital ecosystem, the evolution of cyber threats has necessitated a transformation of defense mechanisms from static to dynamic and proactive structures. In cyber incident response processes, the “time” factor is the most critical variable for risk minimization. In an environment where threat actors continuously diversify their attack vectors, the simultaneous and error-free transmission of security notifications published by national authorities to relevant stakeholders constitutes one of the cornerstones of cyber resilience.
This article discusses the processes of collecting, distributing, and archiving data from the National Cyber Incident Response Center (USOM) through specially developed automated workflows, and the strategic importance of this architecture.
The Strategic Role of USOM and the usom0 Project
The National Cyber Incident Response Center (USOM) is the operational hub of Turkey’s cybersecurity strategy. The institution operates as a “central coordination and early warning center” for the detection, analysis, and neutralization of cyber threats on a national scale. The notifications published by USOM are not merely simple alerts but are intelligence data that directly impact the security of critical infrastructures and corporate networks.
This data generally covers the following categories:
- Critical security vulnerabilities and patches (CVE)
- Activities of Advanced Persistent Threat (APT) groups
- Malware analysis reports
- Sector-specific phishing campaigns
Why Automation?
Traditional methods based on manual tracking and human intervention are inadequate in the face of the high volume of data flow and the speed of threats. Manual processes not only create time costs but also introduce the risk of overlooking critical notifications due to the “human error” factor.
Objective: To eliminate information asymmetry and increase the speed of intelligence dissemination.
The automation architecture developed in this context minimizes the human factor, ensuring that data is processed from the moment it is generated at the source (USOM).
Technical Methodology
The developed software operates on the principle of server-based scheduled workflows. The architecture is built on a periodic cycle triggered daily at 00:00. This cycle includes the following steps:
- Data Mining and Parsing: Unstructured or semi-structured data published on USOM’s official channels are scanned using custom algorithms.
- Anomaly and Update Control: New data is compared with the existing database to analyze whether a new threat notification has been received.
- Multi-Channel Dissemination: Newly detected notifications are transmitted through the instant messaging protocols most frequently used by operational teams. The live output of this work can be monitored in real-time on the @usom0 Telegram channel.
- Static Archiving (Persistence): To ensure data persistence against potential changes on the source website (broken links, content removal), the data is backed up on independent and static platforms like graph.org.
Figure 1: An instant USOM notification transmitted to the Telegram channel by the automation system.
Figure 2: The permanent and static archive view of the notification created on graph.org.
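As an added example (not the project's own code, which is closed-source), the "Anomaly and Update Control" step above can be made robust to source-site URL changes by keying the comparison on a content-derived fingerprint stored in a local database rather than on the link. The notification fields, the SQLite store and the two daily snapshots are constructed assumptions, not USOM's real format or data.

```python
import hashlib
import sqlite3
from dataclasses import dataclass

@dataclass(frozen=True)
class Notification:
    title: str
    url: str
    published: str  # ISO date; constructed sample field, not USOM's schema

def fingerprint(n: Notification) -> str:
    """Content-derived key: a site reorganisation changes URLs, not titles/dates."""
    material = f"{n.title.strip().lower()}|{n.published}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()

def open_store(path: str = ":memory:") -> sqlite3.Connection:
    # Database of already-disseminated notifications (in-memory here)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS seen (fp TEXT PRIMARY KEY, "
                 "title TEXT, url TEXT, published TEXT)")
    return conn

def find_new(conn, scraped):
    """Return only notifications absent from the store, and record them."""
    fresh = []
    for n in scraped:
        fp = fingerprint(n)
        if conn.execute("SELECT 1 FROM seen WHERE fp = ?", (fp,)).fetchone() is None:
            conn.execute("INSERT INTO seen VALUES (?, ?, ?, ?)",
                         (fp, n.title, n.url, n.published))
            fresh.append(n)
    conn.commit()
    return fresh

# Constructed sample snapshots of two daily scans (not real USOM data).
DAY1 = [
    Notification("Critical vulnerability in Example Product", "https://example.invalid/a/1", "2024-01-01"),
    Notification("Phishing campaign targeting banks", "https://example.invalid/a/2", "2024-01-01"),
]
DAY2 = [
    # Same item as day 1, but its URL moved after a site reorganisation.
    Notification("Critical vulnerability in Example Product", "https://example.invalid/new/1", "2024-01-01"),
    Notification("Phishing campaign targeting banks", "https://example.invalid/a/2", "2024-01-01"),
    Notification("APT group activity report", "https://example.invalid/a/3", "2024-01-02"),
]
def run_demo():
    """Two consecutive cycles: day 1 yields both items, day 2 only the new one."""
    conn = open_store()
    day1 = find_new(conn, DAY1)
    day2 = find_new(conn, DAY2)
    return len(day1), [n.title for n in day2]
```

Because the key is the normalised title plus date, a genuinely new notification re-using an earlier title on the same day would be suppressed; include more fields in the fingerprint if the source makes that likely.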
Data Integrity and Archiving Strategy
The volatile nature of digital resources makes long-term information storage challenging. Changes in the source authority’s website architecture or revisions in URL configurations can prevent access to historical threat intelligence.
The “shadow archiving” method implemented in this system creates an independent copy of each notification. This approach provides two main advantages:
- Accessibility: The content of the data remains accessible even if the source site becomes unavailable.
- Reference Consistency: Security researchers and CSIRT (Cyber Security Incident Response Team) personnel have stable, unchanging reference points for past case analyses.
Legal Disclaimer
The usom0 project and the underlying software infrastructure have been developed as an independent project, solely for the public benefit and to increase information security awareness. The following points define the terms of use for the system:
- Data Source and Ownership: All data processed in this system is obtained from the official website of the National Cyber Incident Response Center (USOM), which is publicly available. The ownership and intellectual property rights of the data belong entirely to USOM. This project functions solely as a “mirroring” service to facilitate access, without making any modifications to the data.
- Logo and Trademark: The USOM logo used in the cover photo of this article and the profile picture of the associated Telegram channel is the registered trademark of the National Cyber Incident Response Center. This project is not affiliated with, sponsored by, or endorsed by USOM. The logo is used for identification purposes only, to indicate the source of the data.
- Non-Commercial Use: This project is a non-profit, personal research and development (R&D) initiative. No revenue is generated from the system, no advertisements are displayed, and the data is not marketed as part of a commercial product.
- Software Ownership: The automation software and source codes running in the background of the system are the intellectual property of the project and are kept as closed-source. The shared content is limited to the public benefit it produces (notifications and archives), not the software itself.
- Limitation of Liability: The automation system is provided “as-is.” The system developer cannot be held responsible for any direct or indirect damages that may arise from technical disruptions on the source site or delays during data transmission. For official and critical actions, USOM’s original website should always be considered the primary reference source.
Individuals who use or follow this system are deemed to have accepted the above conditions.
