Cyberspace Definition and Actors
Technology and interconnected systems, which continue to become indispensable in every area of our lives, have given rise to a new concept in human history. Terms carrying the prefix "cyber" denote the technological domain, in particular the space formed by structures linked to each other through networks such as the internet. Cyberspace, cyber attack and cyber threat are examples.
This new domain (cyber) has a dimension of its own, as if it sat outside ordinary life and inside it at the same time. A person we know well in ordinary life may, when acting in a cyber environment, show sides that we do not know at all or that never otherwise appear.
All these concepts and behavioral styles create new research areas for science.
In this article we first define cyberspace, and with that definition in hand we try to identify its actors. Since the subject has many dimensions, we only discuss actors here; we plan to cover the economic, psychological and behavioral aspects in later articles.
Definition of Cyberspace
The Ministry of Transport, Maritime Affairs and Communications recently published the 2016-2019 National Cyber Security Strategy document. The Strategy Document sets out the developments that have been identified and those envisaged strategically. It defines the term as follows: “Cyberspace: A digital environment consisting of information systems spread all over the world and space and the networks that connect them, or independent information systems.”
It is not possible to analyze cyberspace as a whole without first identifying the actors in it. Knowing the players in the game is an absolute necessity for identifying our own weaknesses and strengths. So let us categorize the actors of this environment.
Categories of Actors
Government Supported Structures:
These actors have the ability to build and operate complex infrastructures, financed with the national interests of their countries in mind. Their motivations are usually political, economic, technical or military.
The attacks they carry out are not random but are aimed at specially selected targets. The systems and capabilities that countries relatively advanced in the cyber field have prepared, developed and kept ready for use as force multipliers in a conflict can also be counted in this group.
Organized Crime Structures:
These structures can mount mass attacks for a limited period in order to gain significant benefits. The aim of their attacks is to obtain personal information: they collect and sell valuable data such as social security numbers, credit card details and account numbers.
Hacktivists:
These are groups that form in order to spread propaganda for particular political thoughts and ideas. They make their propaganda by attacking the ideas or systems they oppose, and they aim to announce and sustain their existence by exploiting the sensational agenda that results. They defend the justice of their cause through the statements they publish.
Internal Threats:
Such actors usually consist of former or dismissed employees. Their intent is revenge or a certain financial gain, and in pursuit of these aims they may also cooperate with rival companies.
Opportunists:
This group, which the literature calls "script kiddies", aims to gain by discovering and exploiting weaknesses in systems. Their profiles vary widely, from people who have learned a few techniques and are looking for excitement to professional hackers.
They may strive to prove themselves in order to become members of a larger structure. Those who are professionals probe systems with the intention of joining a larger group of actors.
Internal Users Who Make Mistakes:
Systems can become exposed to outsiders as a result of mistakes in system settings made by employees who do not fully know what they are doing. Those who lack this training belong in this group.
We can also add users who lack security awareness and unknowingly introduce danger by clicking on any mail that arrives.
Stages Followed by Actors
Discovery:
At this stage attackers try to gather as much information as possible about the target: how the system is structured and how it reacts in which situation. They use system scanning methods to detect devices with weaknesses.
They also apply a range of techniques to gather information about the target company and its structure from social media and open sources, and they conduct discovery and scanning on third parties with whom the target has business relations.
Preparation:
In the preparation phase, target-specific programs are written in light of the information obtained during discovery, and the techniques needed to avoid detection are developed. Actors with sufficient financial support usually prefer the vulnerabilities referred to as zero-days rather than vulnerabilities that everyone knows; they may research these themselves or simply purchase them.
Actors with limited financial means prefer ready-made programs that anyone can purchase; this type of malware is relatively cheaper. In all cases the malware is designed to bypass the firewall-like systems that protect the target.
Delivery:
At this stage the software prepared in the previous phase is to be placed on, and run on, the target system, so the method with the highest probability of success must be chosen. Finding it usually involves experiments backed by social engineering techniques; a single click on a link can be enough for infection. Although firewall-like measures block entry from outside, they are often insufficient to control connections leaving the system from within.
The link placed in a message arriving in an employee's mailbox is designed to be as credible as possible so that it is clicked. Every weakness relating to the apparent sender, the subject line and human curiosity is exploited.
If this technique does not work, the malware is delivered to the target through websites and advertisements. In all cases and conditions, user training is too important to be ignored.
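The credibility of such a link usually rests on a few tricks that can be checked mechanically before a user ever sees the message: visible text that names one domain while the href points at another, a trusted name embedded inside someone else's registered domain, and internationalized (punycode) hosts that render as lookalikes. The following is an added example, not code from the article or from any product it mentions; the sample message body, the trusted-domain set and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not a real phishing mail). Three links:
# a legitimate one, one whose visible text names a different domain than its
# target, and one whose host is punycode (internationalized lookalike).
SAMPLE_MAIL_HTML = """
<p>Dear user, your mailbox is almost full.</p>
<p><a href="https://mail.example.com/quota">Check your quota</a></p>
<p><a href="https://mail.example.com.account-verify.net/login">https://mail.example.com/login</a></p>
<p><a href="http://xn--exmple-cua.com/reset">Reset password</a></p>
"""

# Domains the organisation actually uses (assumed for the example).
TRUSTED_DOMAINS = {"example.com"}

HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels, e.g. 'mail.example.com' -> 'example.com' (no public-suffix list here)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def assess_link(href, text, trusted_domains):
    """Return the reasons a link looks deceptive; an empty list means nothing suspicious."""
    reasons = []
    parsed = urlparse(href)
    host = host_of(href)
    if parsed.scheme.lower() not in ("http", "https"):
        reasons.append(f"unusual scheme {parsed.scheme!r}")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (internationalized) host")
    # Visible text that looks like a URL or hostname must point where it claims to.
    shown = text.lower()
    text_host = host_of(shown) if "://" in shown else (shown if HOST_RE.fullmatch(shown) else "")
    if text_host and registered_domain(text_host) != registered_domain(host):
        reasons.append("visible text names a different domain than the target")
    # A trusted name embedded in someone else's registered domain is a classic lookalike.
    for trusted in trusted_domains:
        if trusted in host and registered_domain(host) != trusted:
            reasons.append(f"lookalike of trusted domain {trusted}")
    return reasons


def scan_mail(html, trusted_domains):
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        reasons = assess_link(href, text, trusted_domains)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in scan_mail(SAMPLE_MAIL_HTML, TRUSTED_DOMAINS):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

On the constructed sample the quota link passes and the other two are reported. The registered-domain helper deliberately takes the last two labels only; for real mail a public-suffix list is needed so that names under multi-label suffixes (co.uk and the like) are not misjudged.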
Exploitation:
If delivery succeeds, the malware's first priority is to remain in the system without being noticed. This requires bypassing the security mechanisms of the operating system and establishing persistence.
It may hide inside web browser plug-ins that run with the permissions of the system user, or inside non-executable document and image files. The malware used in the Advanced Persistent Threat (APT) campaigns we hear about frequently these days is an example of this kind of code, and among the hardest to detect.
Command and Control:
The program hidden in the system connects to its central server when it finds a suitable moment and tries to download software with wider capabilities. It communicates over the protocols the host system allows, sending its requests through channels such as HTTPS, DNS or Tor that every network accepts. Since these channels are increasingly encrypted (HTTPS and Tor by design, and DNS itself increasingly carried over HTTPS), inspecting their content to discover the malware has become difficult; what remains visible is the metadata, such as how often a host talks, to which names, and what those names look like.
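An added example (not code from the article) of the metadata approach, applied to DNS: a host that resolves long random-looking labels under a single domain at a fixed cadence looks like a tunnel-style beacon, whereas ordinary browsing is irregular and a legitimate once-a-minute time sync is regular but uses a plain name. The resolver log lines, client addresses, domains and thresholds below are constructed for the example; the entropy and regularity thresholds are starting points, not tuned values.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed resolver log, "timestamp client queried-name" (not taken from the article).
# 10.0.0.42 queries long hex-looking labels under one domain once a minute (tunnel-style
# beacon); 10.0.0.15 does ordinary browsing plus a legitimate once-a-minute time sync.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.15 www.example.com
2024-03-01T10:00:00 10.0.0.42 0123456789abcdef01234567.t.example.net
2024-03-01T10:00:05 10.0.0.15 time.example.org
2024-03-01T10:00:07 10.0.0.15 mail.example.com
2024-03-01T10:01:00 10.0.0.42 fedcba9876543210fedcba98.t.example.net
2024-03-01T10:01:05 10.0.0.15 time.example.org
2024-03-01T10:02:00 10.0.0.42 13579bdf02468ace13579bdf.t.example.net
2024-03-01T10:02:05 10.0.0.15 time.example.org
2024-03-01T10:03:00 10.0.0.42 2468ace013579bdf2468ace0.t.example.net
2024-03-01T10:03:05 10.0.0.15 time.example.org
2024-03-01T10:03:40 10.0.0.15 www.example.com
2024-03-01T10:04:01 10.0.0.42 a1b2c3d4e5f60718293a4b5c.t.example.net
2024-03-01T10:04:05 10.0.0.15 time.example.org
2024-03-01T10:07:02 10.0.0.15 www.example.com
"""


def shannon_entropy(s):
    """Bits per character; encoded data scores high, real words and short names low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def parse_line(line):
    parts = line.split()
    if len(parts) != 3:
        return None
    return datetime.fromisoformat(parts[0]), parts[1], parts[2].lower().rstrip(".")


def registered_domain(qname):
    """Last two labels; a real deployment would consult a public-suffix list."""
    return ".".join(qname.split(".")[-2:])


def detect_beacons(log_text, entropy_threshold=3.5, cv_tolerance=0.2, min_queries=4):
    """Return {(client, domain): reasons} for pairs that query at a regular interval AND
    use high-entropy leftmost labels. Either signal alone is too noisy (time sync is
    regular, CDN hashes are random), so both are required before a pair is reported."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, client, qname = parsed
            groups[(client, registered_domain(qname))].append((ts, qname))

    findings = {}
    for key, events in groups.items():
        if len(events) < min_queries:
            continue
        events.sort()
        times = [ts for ts, _ in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_interval = statistics.mean(intervals)
        if mean_interval <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean_interval   # coefficient of variation
        mean_entropy = statistics.mean(shannon_entropy(q.split(".")[0]) for _, q in events)
        reasons = []
        if cv <= cv_tolerance:
            reasons.append(f"regular interval of about {mean_interval:.0f}s (cv={cv:.3f})")
        if mean_entropy >= entropy_threshold:
            reasons.append(f"high-entropy labels ({mean_entropy:.2f} bits/char)")
        if len(reasons) == 2:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (client, domain), reasons in detect_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: " + "; ".join(reasons))
```

Real beacons usually add jitter, which is why the regularity test uses a tolerance on the coefficient of variation rather than demanding identical intervals; the same two signals (cadence and name shape) transfer to TLS connection logs, with the SNI or destination host taking the place of the query name.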
Internal Discovery:
Once the additional components downloaded over the command and control connection are in place, detailed discovery is carried out and user information is gathered. The malware tries to reach other servers and hosts connected to the network it sits in. All the data obtained is again hidden behind secure protocols and transmitted to the command and control server.
Continuity:
Once enough information has been obtained and the internal structure mapped, the aim is full persistence in the system. For this purpose, bootkit software that runs unnoticed at system start, surviving even a power cycle, is placed in the MBR. Another method is to guarantee access at all times by adding a user with the highest privileges to the databases that perform user authentication.
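Because an MBR bootkit must overwrite the 446 bytes of boot code while leaving the partition table and the 0x55AA signature intact (otherwise the disk would stop booting), a defender can detect it by hashing just that region against a baseline taken when the machine was known to be clean. The following is an added example, not code from the article: it parses the 512-byte MBR layout, builds a constructed sample image (no real disk is read), and shows the check catching a simulated boot-code patch.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot loader code, the region a bootkit overwrites
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the boot code
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code):
    """Constructed sample MBR (not an image of any real disk): the given boot code padded
    to 446 bytes, one bootable Linux partition starting at LBA 2048, three empty entries."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x83, b"\xfe\xff\xff", 2048, 1048576)
    return code + entry + b"\x00" * (PART_ENTRY_SIZE * 3) + BOOT_SIGNATURE


def parse_mbr(mbr):
    """Validate the signature and return the boot-code hash plus the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_SIZE])
        if ptype == 0:
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions}


def check_mbr(mbr, baseline_boot_code_sha256):
    """Compare a freshly read MBR against the boot-code hash recorded on a known-clean system."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from the known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    return findings


if __name__ == "__main__":
    # Placeholder boot code for the sample image; the bytes themselves are not executed.
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
    baseline = parse_mbr(clean)["boot_code_sha256"]
    # Simulate a bootkit: patch the start of the boot code with a short jump while leaving
    # the partition table and signature untouched, so partition tools still look normal.
    infected = b"\xeb\x3c" + clean[2:]
    print("clean:   ", check_mbr(clean, baseline) or "OK")
    print("infected:", check_mbr(infected, baseline))
```

On a legacy BIOS host the live sector is obtained by reading the first 512 bytes of the raw disk device as root (for example `/dev/sda` on Linux); the baseline hash must be stored off the host, since malware with this level of access can also rewrite a local copy. The check covers only MBR boot code: UEFI systems boot from the EFI System Partition and need a different integrity check, and a bootkit that hooks the firmware or a later boot stage would not be seen here.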
This article, which explains who the actors in the environment referred to as cyberspace may be and roughly what stages they follow, is sufficient as a start. Each of the topics above opens the door to issues that need to be examined and worked on in detail. We will try to cover them in the coming days; you can share your opinions and suggestions with us.