Cyberintelligence Investigator

What does a Cyberintelligence Investigator do?

A Cyberintelligence Investigator works as part of an offensive intelligence-led team that focuses on the collection of Cyberintelligence information within or originating from cyberspace. This information may relate to cyberthreats, known or as yet unidentified, or it could relate to events or activities emanating from or taking place within cyberspace. We commonly investigate cyberstalking, cyberbullying, trolling, cybercrime (including fraud, malware, spam, you name it) and could, if need be, apply our capabilities to investigate cyberterrorism and even cyberwarfare. Like Lego, cyberintelligence information comes in all shapes, sizes and colors. The temptation is usually to start fitting pieces together to form something recognizable. That’s a mistake.

The cyberintelligence investigator’s first role is to identify what it is that we’re building with those Legos, and to direct the members of the team to go out and find the correct pieces. I’ll also sift through the collected Legos and extract the pieces of significance or that might come in handy (perhaps leads that can be developed or facts that have probative value if they can be proved). The investigator will reconstruct events, identify and make connections between people, systems and events, and coordinate with the relevant authorities or security team to understand the methods of operation, infrastructure, resources, capabilities, weaknesses and intentions of those involved.

Is a Cyberintelligence Investigator a hacker?

Yes and No (and maybe). I’m not employed as a hacker, and don’t generally need to hack anything in the course of my work, but I do have the same type of knowledge and skill-set that a hacker would need, and I occasionally use tools, techniques and tactics that hackers would use. The main difference is that I only use these capabilities for legitimate purposes when there is no alternative and not just if the end justifies the means, but if the means can also be justified.

Put it this way: even if I wasn’t doing this job, I would never be involved in the theft of information, denial or degradation of web services, defacement of webspaces, launching cyberattacks, exploiting vulnerabilities and back-doors, gaining unauthorized access to networks or pwning devices.

So what would I be using these skills for if I wasn’t doing the job of a cyberintelligence investigator? I guess the truthful answer would be I don’t know, but if I was a betting man I’d probably say that I’d be some sort of white-hat hacker (the “goodies”) – testing systems and services for weaknesses and vulnerabilities so that they can be patched and hardened against attack by black-hats (the “baddies”).


Interested in a career in this field? Want to know more about the job, training or career prospects? Get honest answers from a subject-matter expert. Add your questions in the comments section below, and we’ll get them answered for you. There is only one rule: be genuine.

Hey there, I’m Leonard Mills, one of five CIIs (cyberintelligence investigators) working at Intertel. If you’d like to know anything about the work of a CII, what skills you need to be a great CII, and what you can expect from a career in this field then please ask away. Take care.

Ok, but are you allowed to hack if you need to?

In exceptional circumstances I may be permitted to hack a device or system, but under strict conditions. “Permitted” doesn’t mean that I need a letter from my mom or the nod from my boss. Permitted means getting explicit authorization (from the National Prosecuting Authority) or explicit consent from the owner of the device, network or system that would be targeted.

Say our customer was defrauded by an unidentified person and we were required to identify and facilitate the prosecution of that person. We would have to coordinate and cooperate with police investigators and public prosecutors if we have any hope of a prosecution – let alone a successful one.

The police may wish to set a trap, deceive or lure the suspect – or they may wish to conduct reconnaissance of the suspect’s network to gather information about their capabilities, weaknesses, etc. To achieve this I may need to breach a security measure or exploit a vulnerability or backdoor, and in so doing I’d technically be committing a crime. If the Prosecuting Authority feels that this is justified then they can grant me immunity for specific criminal acts in terms of the Criminal Procedure Act – this is done by means of a Section 252 application.

It doesn’t happen often because we’re usually able to get the required permissions from the relevant owners or we have discovered alternative, non-infringing ways of achieving the same result.

Do you need special qualifications to be a Cyberintelligence Investigator?

Qualifications, no, not really. Skills, experience and knowledge, definitely. I came from an IT background (mostly self-taught) and was already proficient in scripting languages like Python, Perl, Ruby, PHP, JavaScript, VBScript and AHK, and equally at home on Windows, OSX and Linux workstations, Apache, WAMP and ASP.NET servers.

Without a solid technical base I would never have got the job.  When I was hired I knew very little about what a cyberintelligence investigator does. As I was told in my interview, that was not an issue because what I didn’t know could be learned on the job, whereas what I could already do (and what I already knew) about programming, systems, architectures and computing would take years (and did take years) to master.

Intertel have sent me to at least a dozen full-time courses in various aspects of my work including cyberintelligence gathering, data mining, web scraping, ethical hacking, information security, social engineering, network security, social media intelligence, deception, negotiation and legal fundamentals. 

I have also completed a formal qualification in Cyber Counterintelligence Threat Analysis, attended countless workshops and seminars, and have received a board certification and credentials.  So there.

What are your working hours like?

We work in shifts and our shifts alternate every 3 months. Two cyberintelligence investigators work from 8am to 4pm and another two from 4pm to midnight. One CII will be working from midnight until 8am. Each shift has its advantages and disadvantages, and even those can change with the wind. For example the last time I worked the graveyard shift, I had about an hour of work to do each day. I used the time to update our tools, to research new methods and techniques, and to attend to some admin for my fellow CIIs.

Still, I felt a little guilty because at the time the day shift and late shift CIIs were snowed under with so much work that had to be completed before my shift began. Since then, the graveyard shift has become busy, and the day shift guys have been coming in early to help.

When you love what you do, you don’t look at the clock counting down the minutes until tshaila time. If we were allowed to, I’m sure most of us would sleep at work just to be able to squeeze some extra time out of our day.

Now is the right time for anyone with an interest in cyberinvestigations to get into the business. We’re getting busier and busier and are already looking to employ another 3 cyberintelligence investigators in the next 3 months. The pay is great and so are the benefits, but best of all is the job satisfaction and the camaraderie and team spirit that permeates our office.

What is the best part of your job?

There are very few things in our line of work that I enjoy quite as much as hunting down online predators. Catching stalkers, fraudsters, trolls, bullies, scammers and harassers is fun too, but just not as satisfying as turning a predator into the prey. Hunting the hunter. They scatter like cockroaches at the first sign of trouble but like cockroaches they can’t help but come out again to feed. I love toying with their minds. There’s something energizing about the work.

I really do get a kick out of shaking the foundations of a predator’s fantasy with all my might and for as long as it takes for reality to come crashing down all around them.  That is usually the point at which the police are kicking in the door. 

If I had my own way I’d expose them publicly so that their family, friends, neighbours and coworkers will know what monsters they are, but even perverted pedophiles have rights, and are to be presumed innocent until found guilty by a Court of Law. It’s difficult not to get emotionally involved – especially when you have solid evidence to support your view.

I often have to remind myself that I’m just a cyberintelligence investigator – not the judge, jury and executioner. I put forward a version of the truth that is supported by the facts which we have uncovered and proven – and I leave it to the wisdom of others to do the right thing.
