Thomas Kress is one of the most distinguished IT security experts in the German-speaking world and CEO of Deutsche CyberKom. After more than 25 years in leadership roles in international IT projects, he founded his own company, which today strategically unites IT security and telecommunications under the umbrella of Deutsche CyberKom. As a sought-after specialist author, he publishes in leading IT and business publications. As a consultant, he advises leading companies and system houses on security issues, infrastructure, and digital sovereignty. As part of our interview series "Hard Questions", Kress answered questions from LabNews Media.
Germany is significantly lagging behind in cyber defense; there are no comparable institutions like the NSA or GCHQ. What needs to change?
Germany has taken important steps in cybersecurity in recent years – for example, through the Federal Office for Information Security (BSI), the National Cyber Defense Center, and close involvement with the European agency ENISA. In international comparison, however, it lacks impact, clear structures, and sufficient authority.
The core problem lies in fragmented responsibility: While central players like the NSA or GCHQ bear clear responsibility in other countries, cyber defense in Germany is distributed among several authorities, ministries, and federal levels. This leads to friction losses and hinders a quick, coordinated response.
To operate at eye level internationally, we need:
- A central, clearly mandated institution that bundles cyber defense and is operationally capable.
- Stronger investments in technology and training to retain expertise in the country.
- A binding integration of government, business, and science so that information can be shared more quickly and attacks can be repelled more efficiently.
Only in this way can the gap between European coordination, national strategy, and actual implementation be closed.
Especially with APT attacks, the damage may already be done for many companies. How can these zero-day attacks even be detected retrospectively?
With zero-day attacks – that is, the exploitation of previously unknown security vulnerabilities – initial defense is naturally difficult. In fact, many companies only realize very late that they have already been compromised. Nevertheless, there are ways to detect attacks retrospectively:
- Anomaly detection and AI-powered analysis: Classic signature-based systems do not detect zero-days. Modern solutions therefore rely on behavior-based approaches and AI to identify atypical patterns in networks, end devices, or user activities.
- Threat Hunting: Proactively hunting for traces of attackers in the corporate network. Specialized teams analyze log data, processes, and memory areas for suspicious artifacts.
- Forensic Analysis and Retrospective: By storing and analyzing historical data, attacks can be traced back weeks or months – often via Indicators of Compromise (IoCs) later published by CERTs or security vendors.
- Zero Trust & Segmentation: Even if an attack occurs, strict access control and network segmentation prevent attackers from spreading laterally unnoticed.
Ultimately, it's about minimizing attacker dwell time: the faster a company detects anomalies and reacts, the lower the damage. Complete security doesn't exist, but with a mix of technology, processes, and expertise, even zero-day attacks can be made visible and contained retrospectively.

The USA relies on offensive cyber defense. Why doesn't that work in Germany?
With the NSA and Cyber Command, the USA pursues a strongly offensive approach – they not only carry out defensive measures but also actively attack enemy infrastructures to eliminate threats early on. This doesn't work in Germany for several reasons:
- Legal Framework: The Bundeswehr is only allowed to operate in cyberspace in the event of defense and under strict conditions. Furthermore, in Germany, there is a strict separation between internal and external security – what police, intelligence agencies, and the military are allowed to do is clearly delineated. Offensive cyber operations would quickly hit legal limits here.
- Political and Societal Culture: Germany traditionally relies on defense, the rule of law, and international cooperation. Offensive cyber strikes carry the risk of escalation and are at the intersection of international law and the Basic Law – this makes political enforceability extremely difficult.
- Lack of Central Structures: While the USA has created a powerful, centralized organization with Cyber Command, German cyber defense is distributed across various authorities. Offensive capabilities would be even more difficult to consolidate here.
However, this does not mean that Germany remains inactive – the focus is on resilient defense, early detection, and international cooperation. While offensive capabilities are being discussed, as long as legal and political issues remain unresolved, Germany, unlike the USA, will continue to rely on a more defensive approach.
Fileless attacks are a problem for every medium-sized business. Training not to open documents helps little. What should be done?
Fileless attacks are particularly insidious because they don't require classic malware but abuse legitimate tools like PowerShell, WMI, or macros. Classic protection strategies like "don't open suspicious files" fall short here.
What companies should do:
- Endpoint Detection & Response (EDR/XDR): Modern security solutions that not only check files but also monitor processes and memory. They detect when, for example, PowerShell is used in an unusual way.
- Behavioral Analysis: Since there are no malware signatures, suspicious behavior on the network or endpoints must be detected – e.g., unusual memory accesses or suspicious process chains.
- System Hardening: PowerShell, macros, and other scripting languages should be limited to what is necessary or controlled through application whitelisting. "Default deny" is more effective here than reactive detection.
- Zero Trust Architecture: Minimal privileges, strong segmentation, and strict authentication make it difficult for attackers to spread after an initial infection.
- Proactive Threat Hunting: Especially with fileless attacks, it is crucial that security teams actively search for suspicious activities – not just wait for alerts.
In short: Awareness alone is not enough. Fileless attacks can only be effectively contained by a combination of modern detection technology, strict authorization concepts, and continuous monitoring.
Our last question: what role does AI play in cyber defense?
Artificial intelligence plays an increasingly important role in cyber defense because classic methods – signature matching or static rules – are reaching their limits with modern attacks. Attacks evolve dynamically, use legitimate tools, and often leave only faint traces.
AI primarily helps in three areas:
- Anomaly and Behavior Analysis: AI systems can analyze huge amounts of data from log files, network traffic, or endpoint activities and recognize patterns that would be almost invisible to humans. This allows even zero-day or fileless attacks to be detected.
- Automation and Speed: Every minute counts in cyber defense. AI helps security teams automate routine tasks such as alert filtering or preliminary analysis, allowing experts to focus on the truly critical cases.
- Adaptive Defense: AI-powered systems continuously learn and adapt their models to new attack methods – a characteristic that is crucial, especially with Advanced Persistent Threats (APTs).
But: AI is not a panacea. Attackers are also increasingly using AI, for example for automated phishing or to disguise malware. Therefore, the following applies: AI is a powerful tool, but it is only as strong as the database, the processes, and the people who use it.
The questions were asked by the LabNews team.