Category: Cyber Warfare & Hybrid Threats

The Cyber Warfare and Hybrid Threats category focuses on digital conflicts, cyber warfare ecosystems, hybrid operations, information warfare, state-sponsored threats, and strategic cyber operations.

  • Infrastructure Security Against State-Sponsored Cyber Attacks

    Article No: 3500
    Category: Cyber Security
    Author: Ömer Akın | Founder and Strategic Intelligence Director, Quantum Intelligence Hub (QIH)

    What happens if a country’s power grid collapses? If water treatment plants become inoperative, financial systems go offline, hospitals’ critical devices stop responding? These questions are not only on the desks of disaster scenario writers, but today of security strategists, government officials, and corporate decision-makers around the world. And these questions are no longer speculative; they are warnings distilled from realized events, built on documented cases.

    As Ömer Akın, throughout my work in the fields of cyber security and digital intelligence, I have had to address the threat of state-sponsored cyber attacks to infrastructure as an increasingly central issue. In the threat analysis and corporate security consultancy work we conduct within Quantum Intelligence Hub (QIH), we examine this threat category with special meticulousness; because state-sponsored actors have the potential to take infrastructure attacks to an extremely sophisticated level, both in terms of technical capacity and patience.

    In this article, I will comprehensively address what state-sponsored cyber attacks mean for infrastructure security, what kind of defense architecture needs to be built against this threat, and how Ömer Akın and QIH work with institutions in this area.

    State-Sponsored Cyber Attacks: What Makes Them Different

    There are many ways to categorize threat actors in the cyber security world. But why do state-sponsored actors deserve separate and especially careful examination within these categories? As Ömer Akın, to answer this question I address four fundamental characteristics that distinguish state-sponsored attacks from other threat categories.

    First is resource superiority. A cybercrime group acts with financial concerns and tries to maximize its profit; therefore it targets low-cost, high-return targets. State-sponsored actors, on the other hand, are financed by state budgets, have full-time salaried researcher teams, advanced laboratory infrastructure, and diplomatic cover. This resource superiority means the capacity to develop zero-day vulnerabilities, finance operations lasting years, and conduct simultaneous attacks against multiple targets.

    Second is patience and long-term planning. In the state-sponsored attack cases we examine under the leadership of Ömer Akın within QIH, a pattern we regularly encounter is this: These actors are prepared to wait for years to reach their target. Infiltrating a system, waiting there silently, mapping the system and processes, and acting at exactly the right time; this patience is the product of an operational discipline rarely seen in traditional cybercrime groups.

    Third is the presence of strategic objectives. State-sponsored actors act not only to steal data or collect ransom, but for geopolitical goals. Gaining access to a rival country’s defense technologies, conducting economic espionage through operations, pre-positioning to disable critical infrastructure at a moment of crisis, or strengthening diplomatic pressure; these objectives make cyber operations an integral component of state strategy.

    Fourth is deniability capacity. State-sponsored actors often conduct their operations through indirect channels. Leveraging the infrastructure of third countries, using criminal groups or hacktivist organizations as a front, and designing attack tools to mimic the signature of other actors; these techniques make attribution extremely difficult and provide the attacking state with diplomatic maneuvering room. As Ömer Akın and QIH, we argue that our investment in attribution processes is critical for precisely this reason.

    Defining Critical Infrastructure and Why It Is Such an Attractive Target

    The concept of critical infrastructure encompasses the systems and assets indispensable for the functionality of modern society. Energy generation and distribution networks, water and wastewater management systems, financial services infrastructure, transportation and logistics networks, health and emergency service systems, communications and internet backbone, government and public services, and defense systems constitute the main components of this scope.

    The common characteristic of these systems is their potential to affect others in a cascading manner when one collapses. The collapse of the power grid rapidly threatens the functionality of water treatment plants, hospitals, and financial systems. This cascade effect makes critical infrastructure an extremely attractive target for state-sponsored actors.

    As Ömer Akın, I explain why critical infrastructure constitutes such an attractive target with two fundamental dynamics. First is the maximum psychological impact potential. Disrupting systems that serve a society’s basic needs not only causes material damage; it creates panic, chaos, and distrust in government. This psychological dimension elevates critical infrastructure attacks to a strategic weight comparable to classic military operations. Second is the leverage effect. An infrastructure attack carried out at the right time can serve as a powerful lever to force a rival state to concede in diplomatic negotiations, support a military operation, or escalate economic pressure.

    In our threat intelligence work within QIH, as Ömer Akın we regularly observe the following: Advanced threat actors often initiate their operations against critical infrastructure long before the attack itself is launched. Infiltrating systems, planting persistent access points, and mapping the system; the attack is not launched until this preparation phase is complete. Therefore, the moment an attack begins is not the moment the threat began.

    The Anatomy of State-Sponsored Attacks Targeting Infrastructure

    There are recurring methodological patterns in state-sponsored actors’ attacks targeting critical infrastructure. As Ömer Akın, I find that analyzing these patterns is extremely valuable both for correctly designing defense architecture and for detecting the early stages of the threat.

    The reconnaissance and intelligence phase forms the starting point of all state-sponsored infrastructure attacks. In this phase, the target infrastructure’s technical architecture, operational procedures, employee profiles, and supply chain connections are systematically mapped. Open-source intelligence, social engineering, and network scanning techniques are among the fundamental tools of this mapping process. In critical infrastructure security assessments conducted under the leadership of Ömer Akın within QIH, we observe that most organizations are caught at their weakest point in defending against this reconnaissance phase.

    In the initial access and persistence phase, an entry point into the target system is created and this access is made persistent. Phishing attacks, supply chain manipulation, and exploitation of previously undiscovered zero-day vulnerabilities constitute the main vectors of this phase. Particularly noteworthy is that state-sponsored actors create multiple access points at this stage; when one is detected and closed, others continue their activities.

    In the lateral movement and discovery phase, the attacker moves within the network from the entry point toward target systems. Privilege escalation techniques, credential theft, and internal network discovery constitute the typical activities of this phase. As Ömer Akın, I find this phase particularly critical: Here the attacker often moves undetected within the system for months or years. Since traditional security tools focus on perimeter defense, they can be insufficient to detect the lateral movement of an actor already inside the system.

    In the positioning and waiting phase, the attacker establishes persistent access points in designated critical systems and waits for a strategically appropriate time. This phase is the dimension that most strikingly distinguishes state-sponsored actors’ operations from others. In cases examined by QIH, this waiting period has sometimes reached two to four years. The order to attack is often linked more to a geopolitical decision than a technical one.

    Finally, in the activation and impact phase, the attacker acts. This is the only phase that becomes visible from the outside; whereas the majority of the actual operation has already been completed by the time this point is reached.

    Threats to Energy Infrastructure: The Most Critical Target

    Energy infrastructure historically ranks first among the sectors most intensively targeted by state-sponsored cyber attacks. The reason is clear: Without energy, no function of modern society can be sustained.

    The attacks carried out against Ukraine’s electricity distribution companies in 2015 and 2016 have the distinction of being the first documented successful cyber attacks on a power grid in history. These cases, in which tens of thousands of households were left without electricity for hours, have been the subject of extremely comprehensive analyses from both technical and operational security perspectives. As Ömer Akın and QIH, the most critical lesson we draw from these cases is that operational technology systems — that is, industrial control systems and SCADA software — have much longer update cycles and much more limited security monitoring capacity compared to information technology systems.

    There are other factors that make power grids particularly difficult to defend. These infrastructures were designed decades ago for a completely different threat environment. Today, internet connectivity, remote management tools, and digital sensors are being added to these systems; while this integration provides operational efficiency, it also dramatically expands the attack surface. As Ömer Akın, I call this paradox the security dilemma of digital transformation; digitalization is inevitable, but failing to advance the security architecture in step with this transformation creates a critical vulnerability.

    Threats to Water and Healthcare Infrastructure

    Water and healthcare infrastructure house systems where the physical damage potential of cyber attacks can manifest most directly. In 2021, the infiltration of a water treatment plant’s control system in Florida in an attempt to raise sodium hydroxide concentration to one hundred times the safe level concretely proved that this threat is not speculative.

    Healthcare systems are also a critical infrastructure category targeted by state-sponsored actors for both intelligence and sabotage purposes. Especially during the COVID-19 pandemic, documented examples of attacks against vaccine research organizations and hospitals make this threat extremely real and urgent. As Ömer Akın and QIH, we treat cyber threats to the healthcare sector as a separate area of expertise and provide customized threat assessments to our corporate clients in this sector.

    State-Sponsored Threats to Financial Infrastructure

    The financial system constitutes an extremely attractive target for state-sponsored actors both for sabotage and for revenue generation. The 2016 attack on Bangladesh Bank via the SWIFT payment network, in which approximately eighty-one million dollars was stolen, constitutes one of the best-known examples of state-sponsored operations against financial infrastructure. The North Korea-linked Lazarus Group is associated with this attack; this connection provides a striking example of how cyber operations can simultaneously serve both the geopolitical and economic objectives of a state.

    Following this attack on the SWIFT system, security requirements across the international financial system were significantly strengthened. As Ömer Akın, I frequently share this example in corporate financial security discussions; an attack can affect not only its direct target but also trigger policy and security investment decisions that will transform the entire infrastructure of that sector.

    Defense Architecture for Infrastructure Security: The QIH Approach

    Critical infrastructure security against state-sponsored cyber attacks requires a specialized defense architecture beyond standard corporate cyber security programs. As Ömer Akın, I comprehensively address the approach we have developed in this area within QIH below.

    Network segmentation and air gap strategy is the first fundamental component of this architecture. The physical or logical separation of critical operational technology systems from corporate networks creates the strongest barrier against lateral movement. Full air gap, that is, cutting all digital connections between two networks, provides the highest security; however, operational efficiency and remote management needs often limit this approach in practice. To resolve this tension, security zone architectures supported by unidirectional data diodes and strict access controls stand out as the solutions offering the most effective balance in practice.

    The intelligence-driven defense approach is the second fundamental component that QIH places at the center of its infrastructure security consultancy. As Ömer Akın, I want to state this clearly: An effective defense against state-sponsored actors cannot be built without understanding those actors and their methods. Knowing which threat actors target infrastructure in the same sector or same geography as your organization is key to directing your defense resources to the right points. QIH’s threat intelligence services continuously provide this critical context to our client organizations.

    Approaches specific to operational technology security constitute the third critical component of this defense architecture. Industrial control systems and SCADA software create a special environment where traditional information technology security tools cannot be directly applied. These systems often run on old software that is extremely difficult or impossible to patch, have extremely limited maintenance windows due to long uptimes, and operate with constrained hardware resources that do not allow installation of any security agent. Under these conditions, network-based anomaly detection, passive asset discovery, and protocol-level behavior monitoring stand out as the most applicable security controls.
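
    The passive asset discovery and protocol-level behavior monitoring described above, shown for one concrete case. This is an added example, not code from the article or from QIH. It assumes the OT protocol is Modbus/TCP (the article names no protocol); the addresses, class and function names, and sample frames are constructed for illustration.

```python
import struct

# Modbus public function codes: those that change process state vs. only read it.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}

class MalformedFrame(ValueError):
    """Raised when bytes on TCP/502 do not form a valid Modbus/TCP request."""

def parse_request(payload: bytes):
    """Return (unit_id, function_code) from one Modbus/TCP request ADU."""
    if len(payload) < 8:
        raise MalformedFrame("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise MalformedFrame(f"protocol id {proto} is not Modbus (0)")
    if length != len(payload) - 6:  # length field counts unit id + PDU
        raise MalformedFrame("MBAP length disagrees with bytes on the wire")
    return unit, payload[7]

def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Helper used only to construct the sample traffic below."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([fc]) + data

class PassiveMonitor:
    """Learns who speaks Modbus to whom from mirrored traffic, then alerts on deviations."""

    def __init__(self):
        self.learning = True
        self.servers = set()    # passive asset inventory: controllers
        self.clients = set()    # passive asset inventory: HMIs, workstations
        self.baseline = set()   # (client, server, unit, function_code)

    def observe(self, src: str, dst: str, payload: bytes):
        """Process one mirrored request; return a list of alert dicts."""
        try:
            unit, fc = parse_request(payload)
        except MalformedFrame as exc:
            # Never learn from garbage; report it in both modes.
            return [self._alert("malformed_frame", "medium", src, dst, str(exc))]
        key = (src, dst, unit, fc)
        if self.learning:
            self.clients.add(src)
            self.servers.add(dst)
            self.baseline.add(key)
            return []
        if key in self.baseline:
            return []
        name = WRITE_CODES.get(fc) or READ_CODES.get(fc) or f"function {fc}"
        severity = "high" if fc in WRITE_CODES else "medium"
        peers = {c for c, s, _u, _f in self.baseline if s == dst}
        if dst not in self.servers:
            kind = "new_server"      # controller never seen during learning
        elif src not in peers:
            kind = "new_client"      # host that never talked to this controller
        else:
            kind = "new_function"    # known pair, unseen operation
        return [self._alert(kind, severity, src, dst, name)]

    @staticmethod
    def _alert(kind, severity, src, dst, detail):
        return {"kind": kind, "severity": severity,
                "src": src, "dst": dst, "detail": detail}

def run_demo():
    """Constructed traffic: a learning window, then a monitored window."""
    hmi, ews, plc, unknown = "10.10.1.20", "10.10.1.30", "10.10.2.5", "10.10.1.77"
    read_regs = struct.pack(">HH", 0, 10)       # start address, quantity
    write_reg = struct.pack(">HH", 4, 1500)     # address, value
    write_many = struct.pack(">HHB", 4, 1, 2) + struct.pack(">H", 9000)
    coil_on = struct.pack(">HH", 2, 0xFF00)

    mon = PassiveMonitor()
    for src, fc, data in [(hmi, 3, read_regs), (hmi, 1, read_regs),
                          (ews, 6, write_reg)]:
        mon.observe(src, plc, build_request(1, 1, fc, data))
    mon.learning = False

    monitored = [
        (hmi, build_request(2, 1, 3, read_regs)),      # matches baseline
        (hmi, build_request(3, 1, 16, write_many)),    # HMI never wrote before
        (unknown, build_request(4, 1, 3, read_regs)),  # host not in inventory
        (unknown, build_request(5, 1, 5, coil_on)),    # unknown host writing
        (ews, b"\x00\x06\x00\x01\x00\x06\x01\x06\x00\x04\x05\xdc"),  # bad protocol id
    ]
    alerts = []
    for src, payload in monitored:
        alerts.extend(mon.observe(src, plc, payload))
    return mon, alerts

if __name__ == "__main__":
    for a in run_demo()[1]:
        print(f"[{a['severity']:6}] {a['kind']:15} {a['src']} -> {a['dst']}  {a['detail']}")
```

    The monitor only reads mirrored traffic and sends nothing onto the control network, which suits controllers that cannot host an agent or tolerate active scanning.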

    Proactive threat hunting capacity is the fourth fundamental component of the infrastructure security architecture. Silence and patience, among the most distinctive characteristics of state-sponsored actors, mean these actors can easily evade traditional alert-based security systems. Therefore, proactive threat hunting programs, where analysts actively search for threat indicators rather than waiting for automated alerts, are critically important. As Ömer Akın and QIH, we support our client organizations both in developing this capacity internally and in using it via an external service model.

    Incident response and business continuity planning constitutes the fifth and final fundamental component of this architecture. When defending against a state-sponsored attack, it is mandatory to include in the planning the possibility that defense may be breached at some point. This realistic approach requires comprehensive business continuity and incident response programs that pre-plan how critical services will be maintained during an attack, how damaged systems will be recovered, and how decision-making authority will be preserved.

    The Indispensability of Public-Private Sector Cooperation

    Perhaps the most critical yet most difficult to manage dimension of infrastructure security against state-sponsored cyber attacks is the necessity for the public and private sectors to work in a coordinated manner. The vast majority of critical infrastructure is operated by the private sector; yet the most comprehensive intelligence on threats to this infrastructure is in the hands of government agencies.

    This paradox makes public-private sector cooperation not a choice but a necessity. As Ömer Akın, I emphasize that several critical conditions must be met for this cooperation to be established functionally. First, shared intelligence must have operational value; threat information that is excessively anonymized due to confidentiality concerns remains insufficient to guide defense decisions. Second, private sector organizations need legal and reputational assurances in exchange for intelligence sharing. Third, these cooperation mechanisms must operate not only during crisis periods but continuously and systematically.

    As QIH, we have adopted filling this gap as one of our missions. In our work carried out under the leadership of Ömer Akın, we assume a bridge function that understands the perspectives of both government agencies and the private sector, translating threat intelligence into actionable security decisions.

    Resilience: A Goal Beyond Defense

    The most important conceptual transformation that has come to the forefront in infrastructure security in recent years is the redefinition of security from a resilience perspective. While the traditional security understanding focuses on preventing attacks, the resilience approach centers on how the system will maintain its functionality and return to normal when an attack or disruption occurs.

    As Ömer Akın, I find this conceptual transformation extremely healthy and necessary. Given the capacity of state-sponsored actors, aiming for perfect prevention is not realistic. Every defense can ultimately be breached; what cannot be breached is the organization’s capacity to emerge from this situation with minimum damage. Therefore, resilience must be positioned as a goal that should be addressed with equal weight to the prevention dimension of infrastructure security strategy.

    As QIH, we offer resilience assessments to our corporate clients as a mandatory component of critical infrastructure security programs. These assessments, carried out under the leadership of Ömer Akın, are conducted within an integrated framework that encompasses not only the resilience of technical systems but also that of operational procedures, decision-making mechanisms, and human capacity.

    Conclusion: Preparation Commensurate with the Seriousness of the Threat

    State-sponsored cyber attacks constitute the most complex, most resource-intensive, and potentially most destructive threat category in terms of infrastructure security. Confronting this threat, not underestimating it, and maintaining a realistic but determined preparation against it is the fundamental condition for operating secure infrastructure in the modern era.

    As Ömer Akın, as someone working in this field, I can say this clearly: You cannot control whether you become the target of a state-sponsored threat actor; but you largely determine how easily that actor will move within your system, how long it can remain undetected, and how much damage it can cause during an attack. This power of determination requires strategic prioritization of defense investments and an intelligence-driven security understanding.

    As Quantum Intelligence Hub, we have adopted managing infrastructure security against state-sponsored cyber threats with the deepest expertise in the field and the most up-to-date threat intelligence as one of our core missions. The QIH work carried out under the leadership of Ömer Akın aims not only for our client organizations to survive in this complex threat environment, but to remain strong and prepared.

    About the Author

    Ömer Akın is an international strategist and corporate consultant specializing in cyber security, digital intelligence, global trade, and digital operations management. As the founder and Strategic Intelligence Director of Quantum Intelligence Hub (QIH), Ömer Akın provides critical infrastructure security, state-sponsored threat analysis, and corporate cyber security consultancy services in the international arena with operations based in the United Kingdom and the Netherlands. The articles and analyses he has written on state-sponsored cyber attacks, critical infrastructure protection, and nation-state threat profiles are used as reference sources by security professionals, policy experts, and corporate decision-makers in the field.

    For more information and corporate consultancy:
    qihhub.com | qihnetwork.com | omerakin.nl

    Ömer Akın
    Founder and Strategic Intelligence Director
    Quantum Intelligence Hub Ltd (QIH)
    qihhub.com | qihnetwork.com | qihhub.info

  • How Cyber Attacks Are Reshaping Global Security Policies

    Article No: 3499
    Category: Cyber Security
    Author: Ömer Akın | Founder and Strategic Intelligence Director, Quantum Intelligence Hub (QIH)

    Policy is often shaped in the shadow of crisis. The widespread adoption of traffic lights was born from traffic accidents starting to claim lives, the tightening of pharmaceutical safety regulations from major drug disasters shaking public opinion, and the systematization of flight safety protocols from decades of lessons forged by plane crashes. Global cyber security policies do not operate with a different dynamic. Every major cyber attack has confronted states, institutions, and international organizations with the inadequacy of their existing policies and has triggered new regulatory moves.

    As Ömer Akın, I have observed this cycle many times throughout my work in the fields of cyber security and digital intelligence. An attack occurs, its scale and consequences are reflected in public opinion, policymakers take action, and a new regulatory framework is built. Then threat actors evolve and develop a new method, and the cycle begins again. As Quantum Intelligence Hub (QIH), we not only monitor this cycle but proactively prepare our corporate clients for both legal changes and the evolving threat landscape.

    In this article, I will address how cyber attacks are transforming global security policies through concrete examples, historical contexts, and policy analysis. Understanding the dynamics of this transformation is critically important not only for security experts but for every institution and decision-maker developing strategy.

    The Policy-Threat Gap Problem

    One of the fundamental paradoxes shaping cyber security policies is the inevitable lag between threats and policy responses. Threat actors always move more nimbly; new tools, new methods, and new targets come into play. Policymakers, on the other hand, must adapt to this change while contending with a heavy structure stemming from democratic legitimacy processes, bureaucratic coordination, and lack of technical expertise.

    As Ömer Akın, I summarize this lag most strikingly with the following observation: A significant portion of the cyber security regulations in force today were designed not based on today’s threats, but on the threat profiles of five to ten years ago. This means that policies can be partially outdated even at the moment they are implemented. At QIH, we bring this reality to our corporate clients’ agenda at every opportunity; legal compliance is not sufficient for security; current regulations may lag behind the real threat environment.

    Several critical mechanisms stand out to overcome this lag problem. First is the principle-based design of regulatory frameworks; regulations focusing not on specific technologies but on fundamental security principles adapt better to technological change. Second is the systematization of information flow between policymakers and security experts. Third is that regulatory frameworks incorporate cyclical update mechanisms.

    The Transformative Impact of Major Cyber Attacks on Policy

    Analyzing the major cyber attacks that determine the course of global security policies and the policy transformations they triggered is extremely illuminating for understanding how cyber attacks drive the policy mechanism.

    The coordinated cyber attacks against Estonia in 2007 created a turning point in NATO’s cyber defense policies. The targeting of a NATO member’s digital infrastructure concretely brought to its agenda the question of whether the alliance should consider cyber attacks within the scope of legitimate self-defense. As a direct product of this discussion, the NATO Cooperative Cyber Defence Centre of Excellence established in Tallinn in 2008 assumed a key role in building international cyber security norms. As Ömer Akın, I find this development particularly important: A cyber attack became the trigger for the restructuring of the international security architecture. This is very concrete proof that cyber attacks produce not only technical but strategic and institutional consequences.

    The Stuxnet case in 2010 created its policy impact on a very different dimension. The emergence of this malware indisputably proved that states actively develop and use cyber weapons and brought to the forefront the question of how cyber weapons would be classified under international law. The subsequent years of UN Group of Governmental Experts work and intensified academic and diplomatic efforts regarding international legal norms applicable to cyberspace largely follow the questions opened by Stuxnet. As Ömer Akın, who regularly monitors these normative developments within QIH, I would like to emphasize that the construction of the international cyber legal framework is still in its infancy and that this gap has serious consequences for corporate risks.

    The documents leaked by Edward Snowden in 2013 revealed global surveillance capacities and deeply shook both national and international policy agendas. The legal basis of data-sharing agreements between the European Union and the US was questioned, significant momentum was given to the preparation process of the GDPR, and many countries began to review their national encryption and data localization policies. As Ömer Akın and QIH, we evaluate the GDPR and similar regulations that came into force after this process not merely as compliance documents, but as products of translating the issue of data sovereignty into policy language.

    The 2016 US election interference operation added a completely new dimension to cyber security policies: election security and the protection of democratic institutions. Following this operation, many democratic countries increased their security investments in election infrastructure and elevated election security to a priority heading in national cyber security strategies, and anti-disinformation regulations for social media platforms came onto the agenda. As Ömer Akın, the most striking point I find in this transformation is this: The impact of cyber attacks on policy has now entered the agenda of a much broader policy ecosystem, extending not only to security ministries but also to election institutions and media regulators.

    The SolarWinds supply chain attack in 2020 ignited a comprehensive policy transformation regarding software supply chain security in the US. Presidential executive orders, mandatory cyber security standards, and new security requirements for software suppliers working with federal agencies constitute the direct policy reflections of this attack. At QIH, we convey these policy changes to both our US-based and Europe-based clients along with their implications; because global supply chain integration carries the impact of these regulations to a much wider geography.

    The Colonial Pipeline attack in 2021 accelerated concrete steps in critical infrastructure security policies. In the US, a cyber incident reporting obligation was introduced for critical infrastructure operators, the implementation of sector-specific security standards was tightened, and information-sharing mechanisms between critical infrastructure owners and federal agencies were strengthened. As Ömer Akın, the critical lesson I draw from this example is this: A cyber attack is the most effective catalyst for creating the political will needed for policy change. However, this approach creates a reactive policy cycle and poses a serious obstacle to proactive regulation.

    The European Union’s Cyber Security Policy Transformation

    The European Union stands out as the bloc building the most systematic and comprehensive regulatory framework in the global cyber security policy arena. Tracing this transformation is extremely valuable for showing concretely, through the EU example, how cyber attacks drive the policy mechanism.

    The first important step in the EU’s cyber security policy evolution is the Network and Information Systems Directive, which entered into force in 2016. This directive, which introduced minimum security requirements and incident notification obligations for operators of critical infrastructure and digital service providers, formed the first legal basis for EU-wide cyber security harmonization.

    Subsequently, the GDPR, beyond being a technical cyber security regulation, created a deep intersection with cyber security policy as a framework that radically transformed the understanding of data protection. Mandatory notification of personal data breaches, data minimization principles, and heavy sanction mechanisms showed how decisive regulatory pressure can be in changing institutions’ perspectives on data security.

    The NIS2 directive, which entered into force in 2023, represents the EU’s most comprehensive policy update in this area. Significantly expanding its scope in terms of both sectors and organization size, NIS2 explicitly holds management boards accountable for cyber security responsibility and systematically addresses supply chain security. As Ömer Akın and QIH, with our operations based in both the UK and the Netherlands, we closely follow the practical implementations of this directive and support QIH clients in their compliance processes.

    The European Union’s Cyber Resilience Act represents a yet-to-be-finalized but extremely important policy step. Aiming to introduce mandatory cyber security requirements for connected devices and software products, this law is a reflection of a new policy paradigm that ties product security to the manufacturer’s responsibility.

    The United States’ Cyber Security Policy Transformation

    The US cyber security policy architecture is built not on a central regulatory framework but on sector-specific standards, voluntary frameworks, and presidential executive orders. This approach produces both flexibility and inconsistency.

    The 2013 Executive Order on Improving Critical Infrastructure Cybersecurity and the subsequent NIST Cybersecurity Framework constituted an important example of using voluntary standards as a policy tool. As Ömer Akın, I find the NIST framework particularly valuable; we regularly refer to it in QIH consultancy processes as one of the fundamental reference points for assessing corporate security maturity and determining improvement priorities.

    The 2021 executive order by the Biden administration on improving the nation’s cybersecurity represents one of the most comprehensive updates to US cyber security policy. Software supply chain security, transition to zero trust architecture, cloud security standards, and strengthening security information sharing among federal agencies constitute the prominent headings of this order. It is known that the Colonial Pipeline and SolarWinds attacks directly accelerated this order. As Ömer Akın and QIH, we address these policy changes with their international dimensions and support our clients with transatlantic operations in managing both EU and US regulations in a coordinated manner.

    Cyber Security Policy Transformation in the Asia-Pacific Region

    To complete the global cyber security policy map, it is necessary to also address the dynamics of the Asia-Pacific region. This region hosts both the most advanced cyber attack capacities and the widest diversity in terms of cyber security policy approaches.

    Japan has undergone a radical transformation in its cyber security policy in recent years. Japan’s cyber security doctrine, which for a long time focused only on defense, is expanding to include the development of active cyber defense capacity under increasing threat pressure. Singapore, despite being a small state, has become a regional reference point in this field with a highly comprehensive and continuously updated national cyber security strategy.

    China’s cyber security policy represents both one of the most comprehensive regulatory frameworks and the most controversial positioning. This framework, consisting of the Data Security Law, Personal Information Protection Law, and Cybersecurity Law, has dramatically changed the obligations of foreign companies regarding data management in China. As Ömer Akın, I emphasize that institutions operating in or integrated with the Chinese market must meticulously analyze this regulatory framework; QIH offers special assessments to our corporate clients on this matter.

    The Evolution of the International Normative Framework

    When evaluating the transformation in global security policies, it is necessary to separately focus on how the normative framework at the international law level has evolved. International norms, bilateral agreements, and multilateral documents in cyberspace, while not yet having achieved a unified international legal framework, are making important strides.

    The Tallinn Manual, prepared by legal experts within NATO, is the most comprehensive academic reference addressing how international law applies to cyber operations. Although non-binding, this document, which is referred to by states and courts, plays a critical function in the development of cyber warfare law.

    The UN Group of Governmental Experts work constitutes the main multilateral platform where states try to build consensus on norms of responsible state behavior in cyberspace. Although this work progresses slowly, it serves an important function in building the international cyber security normative framework. As Ömer Akın and QIH, we regularly evaluate the long-term impacts of these normative developments on corporate security policies and integrate these assessments into our clients’ strategic planning processes.

    The Growing Influence of the Private Sector on Policy Processes

    An important trend that has stood out especially in recent years in shaping global cyber security policies is the increasing influence of large technology companies and cyber security firms on policy processes. This influence flows through two channels.

    First is the transfer of technical expertise. The vast majority of governments do not possess the technical expertise needed to correctly assess the cyber threat environment and design effective regulations. To fill this gap, consultancy is obtained from private sector experts, consultation mechanisms are established with industry organizations, and public-private cooperation platforms are implemented. As Ömer Akın, I find the role QIH assumes in these processes extremely valuable and consider sharing our corporate knowledge base to contribute to policy discussions an important responsibility.

    Second is the operational role in incident response. In the aftermath of major cyber attacks, private cyber security companies assume critical roles in investigation, attribution, and damage assessment processes. The findings of these companies often provide direct input to both technical reports and policy decisions.

    Risks Created by Global Policy Misalignment

    When evaluating the transformation of global cyber security policies, the risks created by this transformation occurring in an uncoordinated manner should not be overlooked. Different countries adopting different approaches creates both operational difficulties and security gaps.

    Regulatory fragmentation creates a serious compliance burden for companies operating in multiple countries. As Ömer Akın, I personally experience this through QIH, which has corporate structures in both the UK and the Netherlands; EU regulations, the UK’s post-Brexit orientation, and the requirements of other jurisdictions where our clients operate require us to manage a highly complex compliance matrix. Solving this complexity constitutes one of the core value propositions QIH offers to its corporate clients.

    Gaps in threat intelligence sharing constitute another critical risk of global policy misalignment. While threat actors move across national borders, the information sharing that defenders need in order to monitor this mobility and take countermeasures encounters political and legal obstacles.

    How Organizations Adapt to the Changing Policy Environment

    This rapid transformation of global security policies creates both risk and opportunity for institutions. As Ömer Akın, I address the approach I recommend to QIH’s client institutions for managing this transformation through five fundamental principles.

    First is regulatory foresight. Not only complying with current regulations but also identifying upcoming changes in advance and starting preparation processes today significantly reduces compliance costs. QIH offers this regulatory foresight service to its clients. Second is turning policy changes into security improvement opportunities. Regulatory pressures often activate corporate dynamics that can be used to legitimize security investments. As Ömer Akın, we plan with institutions to strategically use this window.

    Third is maintaining the balance between compliance and real security. Controls designed to meet regulatory requirements are not necessarily effective against real threats. Managing both simultaneously is a fundamental skill of a strategic security program. Fourth is maintaining dialogue with policymakers. Especially for institutions operating in critical sectors, contributing technical expertise to policy discussions is valuable both for protecting sectoral interests and for producing more effective policies.

    Fifth and most fundamental is making change capacity a corporate competency. Policies change, threats evolve, technology transforms. Corporate structures that can adapt quickly to these changes possess the most enduring competitive and security advantage. As QIH, building this adaptability capacity in our client institutions is the long-term goal of our consultancy work.

    Conclusion: Turning the Policy Cycle from Reactive to Proactive

    Cyber attacks have historically transformed global security policies with a reactive dynamic. An attack comes, damage emerges, a policy response forms. This cycle provides threat actors with a permanent advantage.

    As Ömer Akın, I argue that the only way to break this cycle is to make policy production processes more proactive, more agile, and better informed by technical expertise. This is the duty of both states and institutions. States must derive regulatory frameworks not from lessons of previous attacks but from future threat projections; institutions must see legal compliance not as a minimum bar but as the starting point on the road to maximum security.

    As Quantum Intelligence Hub, we both advocate this vision at a theoretical level and implement it in our practical consultancy work. The QIH work carried out under the leadership of Ömer Akın adopts as its fundamental priority ensuring that our client institutions are prepared not only for today’s policy requirements but also for tomorrow’s threat environment and regulatory framework. Cyber security policy is less a target than a process that needs continuous updating, and those who manage this process best remain in the strongest position.

    About the Author

    Ömer Akın is an international strategist and corporate consultant specializing in cyber security, digital intelligence, global trade, and digital operations management. As the founder and Strategic Intelligence Director of Quantum Intelligence Hub (QIH), Ömer Akın provides cyber security policy analysis, threat intelligence, and corporate security consultancy services in the international arena with operations based in the United Kingdom and the Netherlands. The articles and analyses he has written on global cyber security policies, nation-state threats, and corporate security strategy are used as reference sources by decision makers, policy experts, and security professionals in the field.

    For more information and corporate consultancy:
    qihhub.com | qihnetwork.com | omerakin.nl


  • Digital Forensics: Evidence Collection in Cyber Incidents
