Striking a Balance in the Gray Zone

By Donna Gallaher, CISSP, C|CISO

In October 2016, the Center for Cyber & Homeland Security at George Washington University published a whitepaper titled “Into the Gray Zone–The Private Sector and Active Defense Against Cyber Threats.” The report defines the term “active defense” for cyber threats, provides definitions for a series of increasingly risky tactics in defending against cyber attacks, and provides a framework and action items needed from both public sector and private sector stakeholders in combatting the problem.

This article expands on the discussion by highlighting some key points within the whitepaper, poses several use cases to help when deciding the appropriate solution for an individual company, and provides a recommendation to move the conversation forward. While experts debate strategy on how to divide up a governance model, fundamental questions about how to operationalize the go-forward plan remain unanswered. Perhaps defining a critical role in the process, a licensed Digital Forensic Investigator, will help move the discussion forward.

Information Sharing Options

Although CISOs are encouraged to report security breaches and share information with our government partners to assist in the cyber defense of the nation, the fear of additional audits and possible regulatory fines from federal authorities deters the CISO from complete transparency. Even when a company chooses to proactively share information with law enforcement agencies, there is no guarantee of a timely response or actionable intelligence feedback from authorities.

To avoid drawing unnecessary attention from regulators, CISOs and the companies they serve may choose to share limited information with industry ISACs (Information Sharing and Analysis Centers) rather than directly with government and law enforcement agencies. However, multiple ISACs exist for each industry and region, and the usefulness of the intelligence shared is only as good as the information provided by the participating companies.

Much the way an attorney-client relationship is considered “privileged” by the law, an independent agent who assists with information sharing also serves to provide some anonymity for companies while providing much needed intelligence into adversarial behaviors. Information gathering by private investigators is commonly used throughout our legal system, so the suggestion of a third party such as a Digital Forensic Investigator (DFI) assisting in active defense is not without precedent.

Active Defense and “The Gray Zone” Definitions

The authors of the “Into the Gray Zone” whitepaper define active defense as:

...a term that captures a spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense. These activities fall into two general categories, the first covering technical interactions between a defender and an attacker. The second category of active defense includes those operations that enable defenders to collect intelligence on threat actors and indicators on the Internet, as well as other policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behavior of malicious actors. The term active defense is not synonymous with “hacking back” and the two should not be used interchangeably…

The “Into the Gray Zone” report provides a continuum of specific active defense measures ranging from low risk to high risk as follows:

[Figure: continuum of active defense measures, from low risk to high risk. Source: Into the Gray Zone–The Private Sector and Active Defense Against Cyber Threats (page 10)]

Complete definitions of these active defense techniques can be found in the full report, but the formula for determining prerequisites to attempt the various levels of active defense measures remains elusive.

Academic definitions of active defense techniques may standardize language, but who should be authorized to perform these maneuvers still needs to be determined. To conduct surveillance, most jurisdictions require some type of Private Investigator (PI) license, which may or may not include reciprocity agreements with surrounding jurisdictions. The “Gray Zone” active defense tactics mentioned in the CCHS report may therefore require a PI to perform them. However, many states have not updated their PI licensing requirements for digital investigations, and there are unique training, legal, and ethical differences that may not be covered in standard PI training materials.

Although there are commonalities among jurisdictions (such as the general recognition that some form of licensing is required along with agreed upon best practices for handling digital evidence), training and license requirements for both PIs and DFIs vary by state. As if CISOs did not already have their hands full with a myriad of regulatory compliance issues governing data and privacy breaches, managing PI licensing requirements for their active defense teams across multiple jurisdictions exacerbates an already daunting challenge. Standard licensing requirements for Digital Forensic Investigations appear to be in order.

Challenges in International Cases

Assuming a company chooses to pursue digital forensic investigation licensing for active defense teams, there are still challenges with several active defense tactics when international laws and treaties are factored into the equation. Some companies may elect to utilize third party support for active defense to transfer some risk from these scenarios, but additional attention must be paid to third party oversight. Companies will be held accountable for actions taken by their contractors and partners.

Suppose Digital Forensic Investigation Licenses are extended to foreign nationals or non-citizens on either your own active defense team or one of your contractors. What immunity should be extended to these employees for visas, green cards, or other privileges when dealing with international attacks? In the case of a nation state attack, could a licensed digital forensic investigator create an international incident while executing an active defense technique?

Additionally, what if the attacker is an EU citizen operating on a shared computer? In the case of a hacker using a parent’s home computer, should a US company be allowed to conduct discovery on that computer? Privacy regulations including the EU’s “Right to be Forgotten” are constantly changing. Is the IP address of an EU home computer considered PII? Do the EU privacy regulations subject an individual company to penalties under the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) which could be up to 4% of the company’s annual worldwide revenue?

Untangling the Issues

There is no shortage of problem definition when describing active defense challenges. Figuring out where to start is the challenge. Standardization of Digital Forensic Investigation Licenses is needed before approaching a discussion on private sector active defense.

Once DFI licensing becomes standardized among the 50 states, the problem of defining authorization levels becomes much easier. A tactic commonly referred to as “Shifting Left” is familiar to CIOs and IT operations directors. During an incident escalation, triage instructions provided by higher-level support teams are executed by lower-level support teams. These instructions are exhausted before the incident is escalated to the next successive level. The concept of “shifting left” refers to the tuning of triage or other instructions for lower-level support teams as processes are improved over time.

If we apply this model to Digital Forensic Investigations, federal law enforcement authorities would be the highest level of support: they would define which activities the lower levels are allowed to perform, and would retain all authority until it is explicitly granted to holders of a Digital Forensic Investigation License (DFIL) who have the authority to log a case with the investigative agency.

For example, law enforcement authorities may allow the DFIL holder to install tarpits, collect IP addresses, and plant beacons within high-value data elements. At a defined point, the DFIL holder will turn over the collected data to the appropriate law enforcement agency. In defining these triage instructions, the law enforcement authorities effectively “shift left” some active defense activities to licensed individuals within private companies. The use of a common ticketing system for digital forensic investigation cases would provide the trending and threat intelligence desired by the government and law enforcement partners.

Implementing an active defense strategy in a private company presents risks that have not been fully explored, but today’s CISO is not satisfied with the status quo. Private companies are under constant attack and our government and law enforcement partners struggle to keep up with the demand for proactive digital forensic investigations. The first step in resolving this problem will be defining a common licensing requirement for Digital Forensic Investigations Licenses (DFIL) followed by a set of high level instructions which authorized individuals may perform to assist law enforcement agencies in active defense measures. To ensure quality of service, SLAs should be defined for digital forensic investigation cases and appropriate reporting shall be provided back to ISACs and companies. Over time, additional triage and data collection instructions may be provided to companies to reduce the workload on federal law enforcement partners.

What do you think? Contact the NTSC at info@ntsc.org and reply to this article to let your voice be heard.