STM Cyber Fusion Center Intercepting Cyber Threats

The STM Cyber Fusion Center (CFC) proactively detects cyber threats and takes preventive actions that protect critical technology and data assets. It orchestrates and coordinates the security functions and the flow of information from threat intelligence through security and IT operations, increasing operational effectiveness and improving security readiness: attacks are prevented or neutralized through the timely delivery of tactical cyber threat intelligence with relevant indicators of compromise. The CFC opened its doors to members of the media covering the defense industry sector. At the event, STM Deputy General Manager Mr. Ömer Korkut and the executives of the Fusion Center answered questions from the media as they led the tour and showcased the center's vulnerability management, cyber threat intelligence, threat defense operations, cyber operation center and rapid reaction team capabilities.

Date: Issue 73 - April 2017

The center, which was inaugurated on 17 May 2016 as Turkey's only Cyber Fusion Center, has provided services to approximately 10 public corporations and private institutions to date. Infrastructures for technologies such as big data, security, malware analysis, monitoring, imaging and communication operate in an integrated manner at the center. A variety of complex processes are monitored around the clock by a dedicated team with specific skill sets. The team reacts to threats, analyzes and traces them in an emergency, and reports on and evaluates the resulting intelligence. STM Deputy General Manager Mr. Ömer Korkut stated that, as it is the sole cyber fusion center in Turkey and one of very few in the world, the center is a critical investment, and added, "STM has been investing heavily in cyber security for almost 5 years; we have been conducting projects and reinforcing our human resources".

STM Deputy General Manager Mr. Ömer Korkut: “We aim to intercept cyber attacks in advance of the emerging threat”

The Cyber Fusion Center is comprised of three core components: the Cyber Operation Center (COC), Cyber Intelligence Center (CIC) and the Malware Analysis Laboratory.

The operation center monitors the systems on a 24/7 basis. Monitoring network traffic, real-time tracking, risk perception, checking known vulnerability databases, assessing the areas where vulnerabilities are being exploited, checking whether those vulnerabilities exist in the monitored systems, and taking the actions needed to respond to incidents are part of the daily routine of the cyber operation center. The Rapid Reaction Team plays a critical role in the following tasks: it contacts the client's data processing unit during cyber-attacks on its systems, blocks off devices where remote intervention is required, and conveys information to the proper authorities in an emergency.

The cornerstone of the center, the Cyber Intelligence Center, plays a critical role in identifying cyber threats against the institutions to which the service is provided. In this unit, data that is either available in open sources or hidden in the deep web or dark web, which standard users typically cannot access, is gathered through software developed by STM engineers, then evaluated, interpreted and transformed into intelligence.

STM Deputy General Manager Mr. Ömer Korkut stated that they are able to prevent incidents in cyberspace at the point where data is turned into intelligence, and continued, "Concerning cyber security, if we fuse the intelligence at the right time with the right resources, we are able to block cyber-attacks, just as conventional attacks are prevented through intelligence. This is our starting point in this cyber fusion center".

Cyber Intelligence Center Tracks Hacker Groups

The STM Cyber Security and Big Data R&D Group Manager Dr. Umut Demirezen stated that they bring concepts such as big data, artificial intelligence and deep learning together with the technology they developed indigenously, and added, "We are capable of closely monitoring hacker groups within the big data platform that we developed. Hacker groups have to gather their team during the readiness stage in advance of an attack, and their communication with each other certainly leaves a trace. These traces are pursued and grouped; all communication with a similar approach and tendency is classified and tracked. In this way, we are able to figure out their methods, and this enables advance notification of the intelligence to clients as well as to our servers. We have achieved the development of unique systems through software, analysis and methods at this center".

Emphasizing that DDoS attacks have become a trend recently, Dr. Demirezen commented that they have warded off attacks against clients in the past. Through this unit they detected in advance malware that is procurable on the black market and that could leak into systems and be used in cyber-attacks; the malware analysis laboratory then successfully generated an antidote for it.

Upon being asked whether any attacks had been made on the institutions they have been providing services to since the launch of the center, STM Deputy General Manager Mr. Ömer Korkut remarked, "There are institutions in the Defense Sector to which we provide services. Institutions with critical infrastructure become the target of cyber-attacks. Our institutions such as the Ministry of Energy, Ministry of Transportation and Ministry of Health, with massive investments and stores of personal information, are exposed to cyber-attacks. On the other hand, the finance sector is hanging by a thread. As you may recall, during the cyber-attack on Estonia in 2007 the financial infrastructure collapsed. In regard to these sectors, we detected critical points in the past and shared these deficiencies with the clients so that they could take measures accordingly".

When cyber intelligence turns into a threat, and that threat becomes a cyber-attack and an incident, the Cyber Operation Center steps in. The data is monitored in real time by the analysts at the cyber operation center.

Cyber Security and Big Data Manager Dr. Türker Yılmaz stated that harmful traffic, as well as traffic flow and volume, is monitored instantly by the analysts at the cyber operation center, and that they have significant capabilities, adding, "For instance, if a user in Ankara is logged in at the same time from another location in the world, then this may mean that his account has been hacked. We are capable of detecting such abnormalities as well. We have graphic screens through which we monitor the flow of harmful traffic: from which country it flows, into which IP address it penetrates, to which port, and at which customer IP it arrives. We direct the abnormalities that we detect in this unit to the second-level analysts, who identify the abnormality. The details are probed by our analysts at the second level. If any malware is in question, then we dispatch it to the malware analysis laboratory to be worked through".
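The concurrent-login anomaly described above is usually implemented as an "impossible travel" check: consecutive logins of one account are paired, the great-circle distance between the geolocated source addresses is divided by the elapsed time, and any pair that implies a speed no aircraft could reach is raised to a second-level analyst. The following is an added example written for this article, not STM's own detection code; the log format, the 1000 km/h threshold, the 50 km jitter tolerance and all sample records are assumptions constructed for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # roughly airliner speed; tuning assumption
MIN_DISTANCE_KM = 50.0             # ignore geo-IP jitter inside one metro area; assumption


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_login(line):
    """Parse one 'user,timestamp_utc,city,lat,lon' record (constructed format)."""
    user, ts, city, lat, lon = (f.strip() for f in line.split(","))
    return {"user": user, "ts": datetime.fromisoformat(ts),
            "city": city, "lat": float(lat), "lon": float(lon)}


def find_impossible_travel(lines, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH,
                           min_distance_km=MIN_DISTANCE_KM):
    """Return one alert per consecutive login pair that implies implausible travel."""
    by_user = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_login(line)
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_distance_km:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Two logins at the same instant from distant places is the
            # concurrent-session case; treat the implied speed as infinite.
            speed = math.inf if hours <= 0 else km / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(km), "hours": round(hours, 2), "kmh": speed})
    return alerts


# Constructed sample authentication log (not real data).
SAMPLE_LOG = """\
# user,timestamp_utc,geo_city,lat,lon  -- constructed sample, not real data
a.yilmaz,2017-04-03T08:00:00,Ankara,39.93,32.86
a.yilmaz,2017-04-03T08:05:00,Sao Paulo,-23.55,-46.63
b.demir,2017-04-03T09:00:00,Ankara,39.93,32.86
b.demir,2017-04-03T14:00:00,London,51.51,-0.13
c.kaya,2017-04-03T10:00:00,Ankara,39.93,32.86
c.kaya,2017-04-03T10:00:00,Berlin,52.52,13.41
d.can,2017-04-03T11:00:00,Ankara,39.93,32.86
d.can,2017-04-03T11:01:00,Ankara,39.95,32.85
""".splitlines()

if __name__ == "__main__":
    for a in find_impossible_travel(SAMPLE_LOG):
        print(f"{a['user']}: {a['from']} -> {a['to']} {a['km']} km "
              f"in {a['hours']} h ({a['kmh']:.0f} km/h)")
```

On the sample log only a.yilmaz (Ankara to Sao Paulo in five minutes) and c.kaya (Ankara and Berlin at the same instant) are flagged; b.demir's Ankara to London login five hours later works out to roughly 570 km/h, which is an ordinary flight, and d.can's two Ankara logins fall inside the jitter tolerance. In production the geolocation comes from a geo-IP database and VPN or CDN egress addresses need allow-listing, otherwise this rule is noisy.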

Alongside the screening, activities such as identifying vulnerabilities in client systems and reporting them periodically, evaluating the identified vulnerabilities, conveying the measures to be adopted against leaks, and penetration test services fall under the responsibility of vulnerability management. One of the most important units completing this cycle is the Malware Analysis Laboratory, where the malware is analyzed. A biopsy of the detected malware is conducted here. When the malware is identified, removed from the system and brought to the laboratory, its behavior is observed in an isolated environment or in an environment with restricted internet access. In this laboratory, static and dynamic malware analysis for different operating systems and mobile platforms is performed on virtual or physical platforms. The team assigned to the center can spend weeks analyzing the code alone, determining the intended purpose of the malware, where it was generated and what kind of damage it could cause to the system. If the detected software carries a zero-day risk or has not been seen before, then the relevant signature is also generated at this laboratory. The generated signature is then imported into the institution's protection systems, which recognize the malware and automatically block all of its traffic.
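The signature step described above is where the lab's choice matters most: a hash of the sample blocks exactly that file and nothing else, while a byte pattern extracted from the sample's distinctive artefact (a beacon string, a packer stub, a C2 format) also catches repacked or re-targeted builds. The following is an added example written for this article, not the laboratory's tooling; the fake sample bytes, the beacon pattern chosen as the distinctive artefact and the scanned corpus are all constructed for illustration.

```python
import hashlib
import re

# Constructed sample bytes standing in for a captured malware sample (not a real binary):
# a fake DOS/PE stub followed by a hard-coded beacon command line.
SAMPLE_MALWARE = (b"MZ\x90\x00" + b"\x00" * 28
                  + b"cmd=beacon;c2=10.0.0.5:4444;sleep=60;" + b"\xcc" * 64)

# Analyst-chosen distinctive artefact (assumption): the beacon line, with the C2
# endpoint wildcarded so that rebuilds pointing at a different server still match.
BEACON_PATTERN = re.compile(rb"cmd=beacon;c2=\d{1,3}(?:\.\d{1,3}){3}:\d{1,5};")


def build_signature(sample, pattern=BEACON_PATTERN):
    """Return a two-part signature: exact SHA-256 plus a wildcard byte pattern."""
    if not pattern.search(sample):
        raise ValueError("pattern does not match the sample it was derived from")
    return {"sha256": hashlib.sha256(sample).hexdigest(), "pattern": pattern}


def match_signature(data, sig):
    """Return 'hash', 'pattern' or None depending on how the data matched."""
    if hashlib.sha256(data).hexdigest() == sig["sha256"]:
        return "hash"
    if sig["pattern"].search(data):
        return "pattern"
    return None


def scan(files, sig):
    """Map each file name to ('block', reason) or ('allow', None)."""
    results = {}
    for name, data in files.items():
        how = match_signature(data, sig)
        results[name] = ("block", how) if how else ("allow", None)
    return results


# Constructed corpus: the original sample, two variants and a benign file.
CORPUS = {
    "dropper.exe": SAMPLE_MALWARE,
    # one trailing byte changed, as a repack would: the hash no longer matches
    "dropper_repacked.exe": SAMPLE_MALWARE[:-1] + b"\x00",
    # same code pointed at a new C2 server (documentation address, not a real host)
    "dropper_newc2.exe": SAMPLE_MALWARE.replace(b"10.0.0.5:4444", b"203.0.113.9:8080"),
    "notepad.exe": b"MZ\x90\x00" + b"\x00" * 28 + b"This program cannot be run in DOS mode.",
}

if __name__ == "__main__":
    sig = build_signature(SAMPLE_MALWARE)
    for name, (verdict, how) in scan(CORPUS, sig).items():
        print(f"{name:22s} {verdict:5s} {how or ''}")
```

The original file is blocked on its hash, both variants are blocked only because the byte pattern still matches, and the benign PE stub passes. The lesson for the protection systems the signature is imported into is that a hash-only indicator expires with the first rebuild, whereas a pattern anchored on what the malware must keep in order to function survives it.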

A team of 6 expert analysts is dedicated to the Malware Analysis Laboratory of the STM Cyber Fusion Center. For the time being, the number of employees is 37, consisting of cyber security experts, threat analysis experts, a legal advisor for legal transactions, specialists in industrial intelligence and administrators. The number of staff is expected to increase in line with the needs of clients at home and abroad in the upcoming period.