Cybersecurity meets Intelligence – a journey in vain?


One year ago, I entered a world that was at once strangely familiar and quite foreign to me – the world of cybersecurity.

Familiar to me were the people: easy-going, enthusiastic, highly professional, at times reserved, and consistently humble. Familiar because I spent part of my youth in clans and guilds of various PC games. Familiar also because one of my brothers works in IT. So I liked the people there from the start and enjoyed having conversations where "lol" was a normal part of the active vocabulary.

What was foreign to me was what exactly these people did. That changed only very slowly, even despite efforts to explain it. I came to Flensburg to the DGC with a mission: I wanted to make the methods and procedures of my world (intelligence) fruitful for the world of information and cyber security. I had two weeks to do this. It was a unique opportunity, which I only had because the founder of DGC was so open to my ideas. So from my point of view, it was clear: At the end of these two weeks, I had to have worked out the basic outlines of a training design.

But it was so difficult for me to understand what was being done there in concrete terms that at the end of the first week I said to my wife on the phone that the project would probably end with me not achieving my goal. Because not only did I not really understand what the professionals at DGC were doing – the people there didn’t really understand what I was actually doing either. So what is intelligence, anyway? What does intelligence analysis mean? What are structured analytic techniques for? (// By the way, explaining this is a very basic challenge when I am asked in Germany what I actually do for a living 😉 )

But in the second week, momentum started to come into the project. I saw parallels to what I already knew from my field of activity. Just like analysts, red teamers struggle with the challenge that knowledge sometimes only has a short half-life: for example, how certain security gaps can be exploited before they are eventually closed. This is a problem that becomes virulent when new personnel need to be qualified. So how can a large number of personnel be quickly brought up to a common level of knowledge? This is a challenge for which checklists, for example, can be helpful. Or the challenge of transferring past experience of attack scenarios to current customers, even though only one or two analogies suggest this, but without a full assessment of the situation having been carried out. This is a challenge that can be addressed in the intelligence domain by setting up and testing broad sets of hypotheses.

In the Blue Team area, the parallels to what I did in Military Intelligence were even more pronounced. It involves questions like: Who is our (potential) adversary? What are his intentions? What capabilities and means does he have? How can we or our customers protect ourselves effectively and efficiently against these threats? All these are questions that every S2, J2 or G2 has probably asked himself a thousand times. The procedures that have been established, the Structured Analytic Techniques (SATs) that are used, can be transferred 1 to 1. Only the terrain is different. It knows no borders, no times, no weather and often no exact opponent. And it is precisely this indeterminacy that makes it even more important to deploy available protection resources in a targeted manner. This requires that the situation has been analyzed with the help of a structured process – i.e., using Structured Analytic Techniques. In this way, protective measures can be designed and deployed in a way that saves resources.

So thanks to week two and the patient professionals at DGC, I was able to complete my mission successfully after all. I had created a training concept that transferred the most important fundamentals from the field of intelligence analysis to the field of cyber security in particular. In the meantime, a fully developed 3-day course has emerged from this.

I will return to Flensburg in two weeks and test this training with the professionals of the DGC. It will certainly be an exciting three days for all involved. And I am especially looking forward to meeting the people there again.